Cannot Reset User Password EntraID

Razzi29 341 Reputation points
2025-05-26T16:24:53.5066667+00:00

I added a set of users to the Azure / Entra ID role "User Administrator". According to Microsoft documentation, I should be able to reset users' passwords if I am a member of this role, and yet I am getting an error message when I try to reset a user's password. I do not want to add the user to the Global Administrator role, as that would defeat the purpose here.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

4 answers

  1. Razzi29 341 Reputation points
    2025-06-09T15:17:28.6833333+00:00

    I ended up submitting a support ticket to Microsoft. We ran some test scenarios, and it turned out that the reason was that users who are members of User Administrator are not able to change passwords for users that are assigned Entra Joined Devices, which was blocking the rights; I needed to add members to the Privileged Authentication Administrator role. Still not what I was trying to accomplish, as I have now given those 3 users the ability to reset passwords for Global Administrators.


  2. Jinnie Nguyen 315 Reputation points
    2025-05-27T08:48:36.1+00:00

    Hello Razzi29,

    Things to check:

    1. Is the User Cloud-Only or Synced from On-Premises AD?

    • If the user is cloud-only, password reset should work if Self-Service Password Reset (SSPR) is enabled.
    • If the user is synced from on-premises Active Directory, then:
      • Password writeback must be enabled in Azure AD Connect.
      • SSPR must also be enabled for hybrid users.

    More information:

    https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr#enable-self-service-password-reset

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks#on-premises-integration

    2. Is SSPR Enabled and Licensed?

    • SSPR requires at least an Azure AD Premium P1 license.
    • You can enable SSPR via:
      • Microsoft Entra admin center > Identity > Password reset > Properties

    3. Try the Password Administrator Role

    If the issue persists, try assigning the Password Administrator role instead of User Administrator. This role is more narrowly scoped and may bypass some of the limitations you're encountering—without needing to assign the Global Administrator role.

    4. You can raise a support ticket to the AAD account team, review all relevant logs, and gain a deeper understanding of the issue to help resolve the problem more quickly.

    If you need any further support, please let me know.

    Thank you,



  3. Harshitha Eligeti 4,420 Reputation points Moderator
    2025-05-26T23:15:38.5533333+00:00

    Hello @Razzi29
    I understand that you're unable to reset the password for a user with the Helpdesk Administrator role. According to the official documentation, the table clearly outlines who has the permissions to reset passwords:

    Microsoft Documentation – Who can reset passwords

    You mentioned that the user has the Helpdesk Administrator role. A User Administrator should typically have the rights to reset the password for a Helpdesk Administrator, but you're encountering an error. This may occur if the user is in an unsupported state.

    One possible reason is that the user you're trying to reset the password for is part of a role-assignable group. As outlined in the documentation, users in role-assignable groups cannot have their passwords reset by User Administrators.

    I recommend checking whether the user is part of any role-assignable groups.

    If the user is not in any such group and you're still facing the issue, please share your contact details via private message so we can connect with you offline for further troubleshooting.



  4. Akpesiri Ogbebor 3,115 Reputation points Volunteer Moderator
    2025-05-26T16:54:50.7466667+00:00

    Hello @Razzi29

    Thanks for contacting MS Q&A. I will assist you with resolving your issues.

    You're absolutely right to avoid assigning Global Administrator unless it's absolutely necessary; that's a good security practice. Since you've assigned users to the User Administrator role in Microsoft Entra ID, they should be able to reset passwords for most users. However, there are some important limitations to keep in mind:

    By default, User Administrators can reset passwords for:

    • Regular (non-admin) users.
    • Users in the administrative units (AUs) they manage (if AUs are used).
    • Other User Administrators (if allowed via AU delegation).

    But they cannot reset passwords for:

    • Global Administrators
    • Privileged Role Administrators
    • Authentication Administrators
    • Other role-assigned admin users (unless explicitly allowed via Administrative Units (AUs))

    Here’s a step-by-step checklist to troubleshoot:

    1. Check the Role of the Target User
      • Is the user you're trying to reset a password for assigned to any admin role (e.g., Global Admin, Authentication Admin)?
      • If so, User Administrators cannot reset that password by default.

    If this answers your query, do click Accept Answer and Yes if this answer was helpful. And, if you have any further query do let us know.

    Siri
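
The checks suggested across the answers above (admin role on the target account, role-assignable group membership, synced versus cloud-only, Entra joined devices) can be collected in one read-only pass. This is an added example, not part of any answer in the thread; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can use the `Directory.Read.All` and `RoleManagement.Read.Directory` scopes, and `$TargetUpn` is a placeholder parameter.

```powershell
# Added example, not from the thread. Read-only triage of a target account
# using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
param(
    [Parameter(Mandatory)]
    [string]$TargetUpn   # placeholder: the user whose password reset fails
)

Connect-MgGraph -Scopes 'Directory.Read.All', 'RoleManagement.Read.Directory' | Out-Null

$user = Get-MgUser -UserId $TargetUpn `
    -Property 'id', 'userPrincipalName', 'onPremisesSyncEnabled'

# Directory roles assigned directly to the user (active assignments only;
# PIM-eligible assignments are not listed by this call).
$roles = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }

# Direct or nested membership in groups created with isAssignableToRole = true.
$roleGroups = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and
        $_.AdditionalProperties['isAssignableToRole'] -eq $true
    } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

# Devices owned by the user whose trust type is Microsoft Entra joined.
$joinedDevices = Get-MgUserOwnedDevice -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['trustType'] -eq 'AzureAd' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

[pscustomobject]@{
    User                 = $user.UserPrincipalName
    SyncedFromOnPrem     = [bool]$user.OnPremisesSyncEnabled
    DirectoryRoles       = @($roles)
    RoleAssignableGroups = @($roleGroups)
    EntraJoinedDevices   = @($joinedDevices)
}
```

Each non-empty list in the output corresponds to a condition that one of the answers in this thread names as a reason the reset can fail.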


