This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 98%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Hello dears,
I have 2 admin users that are not able to reset user´s password even though they have been granted the roles of helpdesk administrator/password administrator. After looking at the logs on Microsoft Entra ID>Audit Logs, I have seen the following error message:
Microsoft.Online.Administration.AccessDeniedException
Note: Those 2 admins were able to perform this task two months ago. Looks like something has changed since then.
anyone can help?
Thanks
Paulo Ramos
Hi,
If PIM (Privileged Identity Mangement) has introduced recently, you might have to check the following article to extend their capabilities to change passwords
Extend or renew Microsoft Entra role assignments in Privileged Identity Management
Hi Manu,
Thanks for your prompt response!
No, PIM has not introduced recently.
Actually these 2 users have roles already activated, but they unable to reset passwords
IF the accounts they are attempting to reset are elevated, they need priv auth admin role:
hi Andy,
No, the accounts the two admins are trying to reset, are not elevated accounts, regular user (no admin role) accounts.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 92%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Hello,
Thank you for posting in Q&A forum.
Based on the information provided, it seems like the two admin users are having issues with resetting passwords despite having the necessary roles. Here are a few suggestions:
I hope the information above is helpful.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
@Paulo Ramos
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
@Paulo Ramos Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello Yanhong Liu,
Thanks for your answers!
1Check the Role Assignments: Ensure that the roles assigned to these users are still active and haven't expired. Sometimes, roles can be deactivated or expire without notice
A: Have already checked. Roles assigned to these users are still active and haven't expired.
Verify Permissions: Make sure that the permissions associated with the roles are correctly configured. Even if the users have the right roles, they might not have the necessary permissions if they are not set up correctly.
A: Have verified and it is correct!
Update Roles: If Privileged Identity Management (PIM) has been introduced recently, you might need to extend their capabilities to change passwords as suggested in the answer.
A: Have checked as well, it is not being introduced recently
Elevated Accounts: If the accounts they are trying to reset are elevated, they might need the privileged authentication admin role.
A: The 2 admin are trying to reset user (no-admin role) accounts only.
Audit Logs: Since you have access to the audit logs, look for any changes made to these users' roles or permissions around the time they started experiencing this issue. This might give you a clue as to what has changed.
A: I will validate with the user to know exactly when this started happening and look in the logs for more details.
Thanks Paulo Ramos
Hi @Paulo Ramos
Since the above suggestions aren't fix the issue, I would like to understand your issue via offline. please send us an email to on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:akhilesh".