diff --git a/changelog/17932.txt b/changelog/17932.txt
new file mode 100644
index 0000000000..09dd01c1b7
--- /dev/null
+++ b/changelog/17932.txt
@@ -0,0 +1,3 @@
+```release-note:bug:
+UI: Fix "MFA-Setup permission denied error" by using user-token specific MFA generate endpoint instead of admin-generate
+```
diff --git a/ui/app/adapters/mfa-setup.js b/ui/app/adapters/mfa-setup.js
index 806249a88a..5e39390c9e 100644
--- a/ui/app/adapters/mfa-setup.js
+++ b/ui/app/adapters/mfa-setup.js
@@ -1,8 +1,8 @@
 import ApplicationAdapter from './application';
 
 export default class MfaSetupAdapter extends ApplicationAdapter {
-  adminGenerate(data) {
-    const url = `/v1/identity/mfa/method/totp/admin-generate`;
+  currentTokenGenerate(data) {
+    const url = `/v1/identity/mfa/method/totp/generate`;
     return this.ajax(url, 'POST', { data });
   }
 
diff --git a/ui/app/components/mfa/mfa-setup-step-one.js b/ui/app/components/mfa/mfa-setup-step-one.js
index f94807c8f1..dfdafdb031 100644
--- a/ui/app/components/mfa/mfa-setup-step-one.js
+++ b/ui/app/components/mfa/mfa-setup-step-one.js
@@ -29,7 +29,7 @@ export default class MfaSetupStepOne extends Component {
   @action
   async verifyUUID(evt) {
     evt.preventDefault();
-    const response = await this.postAdminGenerate();
+    const response = await this.postCurrentTokenGenerate();
 
     if (response === 'stop_progress') {
       this.args.isUUIDVerified(false);
@@ -40,15 +40,14 @@ export default class MfaSetupStepOne extends Component {
     }
   }
 
-  async postAdminGenerate() {
+  async postCurrentTokenGenerate() {
     this.error = '';
     this.warning = '';
     const adapter = this.store.adapterFor('mfa-setup');
     let response;
 
     try {
-      response = await adapter.adminGenerate({
-        entity_id: this.args.entityId,
+      response = await adapter.currentTokenGenerate({
         method_id: this.UUID, // comes from value on the input
       });
       this.args.saveUUIDandQrCode(this.UUID, response.data?.url);
diff --git a/ui/app/templates/vault/cluster/mfa-setup.hbs b/ui/app/templates/vault/cluster/mfa-setup.hbs
index a0ca099337..b885a998f1 100644
--- a/ui/app/templates/vault/cluster/mfa-setup.hbs
+++ b/ui/app/templates/vault/cluster/mfa-setup.hbs
@@ -7,7 +7,6 @@
       <div class="box">
         {{#if (eq this.onStep 1)}}
           <Mfa::MfaSetupStepOne
-            @entityId={{this.entityId}}
             @isUUIDVerified={{this.isUUIDVerified}}
             @restartFlow={{this.restartFlow}}
             @saveUUIDandQrCode={{this.saveUUIDandQrCode}}
diff --git a/ui/tests/acceptance/mfa-setup-test.js b/ui/tests/acceptance/mfa-setup-test.js
index 28bb9a61a5..2a9d6662aa 100644
--- a/ui/tests/acceptance/mfa-setup-test.js
+++ b/ui/tests/acceptance/mfa-setup-test.js
@@ -50,10 +50,10 @@ module('Acceptance | mfa-setup', function (hooks) {
     await click('[data-test-status-link="mfa"]');
   });
 
-  test('it should login through MFA and post to admin-generate and be able to restart the setup', async function (assert) {
+  test('it should login through MFA and post to generate and be able to restart the setup', async function (assert) {
     assert.expect(5);
     // the network requests required in this test
-    this.server.post('/identity/mfa/method/totp/admin-generate', (scheme, req) => {
+    this.server.post('/identity/mfa/method/totp/generate', (scheme, req) => {
       const json = JSON.parse(req.requestBody);
       assert.strictEqual(json.method_id, '123', 'sends the UUID value');
       return {
@@ -82,7 +82,7 @@ module('Acceptance | mfa-setup', function (hooks) {
   test('it should show a warning if you enter in the same UUID without restarting the setup', async function (assert) {
     assert.expect(2);
     // the network requests required in this test
-    this.server.post('/identity/mfa/method/totp/admin-generate', () => {
+    this.server.post('/identity/mfa/method/totp/generate', () => {
       return {
         data: null,
         warnings: ['Entity already has a secret for MFA method “”'],