Created Role (Authentication Administrator) Based Group and added member but Role is not working

Question

Created Role (Authentication Administrator) Based Group and added member but Role is not working

Shrikant Bhagwat 146

I created role (Authentication Administrator) based in Entra. Added Member But member can NOT perform assigned role.

2026-02-28_20-40-16

2026-02-28_21-02-43

When user ShrikantNAM login , the user can reset authentication method of some but not some

2026-02-28_21-12-38

2026-02-28_21-13-54

Global Admin Role can Change any user's Authentication Method.

Let us know

Huỳnh Ngọc Dương 75 Reputation points

2026-03-01T15:29:39.1866667+00:00

Microsoft Entra ID

Answer accepted by question author

0 additional answers

Your answer

Huỳnh Ngọc Dương 75 Reputation points

2026-03-01T15:29:39.1866667+00:00

Microsoft Entra ID

Answer 1

Marcin Policht 89,825 MVP Volunteer Moderator

As far as I can tell, the behavior you are seeing is consistent with the way privileged roles and the Authentication Administrator role work in Entra ID. The Authentication Administrator role allows a user to manage authentication methods like resetting passwords and MFA settings, but it has scope limitations. Specifically, an Authentication Administrator cannot manage authentication methods for users who are assigned certain privileged roles, such as Global Administrator, Privileged Role Administrator, or other highly privileged roles. This is a built-in safeguard to prevent elevation of privileges or circumvention of security controls.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

DouglasMoten-4931 0 Reputation points

2026-03-01T04:18:16.72+00:00

It was good reading
Shrikant Bhagwat 146 Reputation points

2026-03-01T13:09:50.1866667+00:00

Hi Marcin

I understand now. Can I create Administrative Unit in Entra & add few users in Admin Unit. This way I can limit scope of this role to particular Admin Unit.

Let me know

Shrikant
Marcin Policht 89,825 Reputation points MVP Volunteer Moderator

2026-03-01T13:15:06.3+00:00

Yep- you can create an Administrative Unit in Entra ID and scope the Authentication Administrator role to that Administrative Unit. This is the approach when you want to limit the role so that it can only manage a defined set of users instead of the entire tenant.

When you assign the Authentication Administrator role at the Administrative Unit level, the role holder can only reset authentication methods for users who are members of that Administrative Unit. They will not be able to manage users outside that Administrative Unit.

However, the same restriction regarding privileged roles still applies. If a user inside the Administrative Unit is assigned a protected privileged role such as Global Administrator or Privileged Role Administrator, the scoped Authentication Administrator still will not be able to reset that user’s authentication methods. Administrative Units limit scope, but they do not override protected role restrictions.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Shrikant Bhagwat 146 Reputation points

2026-03-01T14:14:46.2+00:00

Hi Marcin

Thanks for your quick reply. I created Admin Unit & added some user directly . I could limit the scope of Authentication Role to user's in Admin Unit.

But I noticed, instead of adding directly users in Admin Unit, if add Group in Admin Unit it does not work.

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

Thanks

Shrikant
Marcin Policht 89,825 Reputation points MVP Volunteer Moderator

2026-03-01T14:17:58.7333333+00:00

Yes, that is expected behavior. Administrative Units in Entra currently only support direct user membership for scoping role assignments. Adding a group to an Administrative Unit does not automatically include its members for role scoping. Roles assigned to an Admin Unit will only affect users who are directly added to that Admin Unit, not users who are members of a group inside it.

If you want group-based scoping, you need to add the individual users from the group directly into the Administrative Unit.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

Huỳnh Ngọc Dương 75

'Accepted Microsoft Entra ID

0 comments

Share via

Created Role (Authentication Administrator) Based Group and added member but Role is not working

0 additional answers

Your answer