This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 42%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
I created an Azure AD group and granted that group the role of Authentication Administrator so that members of this group can reset passwords, require re-register multifactor authentication, and revoke multifactor authentication sessions with in the Azure AD admin center.
Recently I have been getting reports that members of this group that have this role are un-able to reset passwords for other members of this group. When they are logged into the Azure AD admin center and are within the User profile when they press the "Reset Password" link they receive the following error message:
Reset Password
User Display Name
The password can not be reset. This may be due to an incorrect level of administrative privilege or trying to reset your own password.
Is this error due to members with this role (Authentication Administrator) being unable to reset any password for users with the same role?
I have attempted to add in the Password Administrator role to this group as well but this did not resolve this issue. Does anyone know of a role combination that would allow this to be resolved?
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
A cloud-based identity and access management service for securing user authentication and resource access
Answer accepted by question author
In order to reset passwords of other elevated accounts, you need to add those users to the Privileged Admin Authentication Role at a minimum or Global Admin:
Just as a follow up statement, users who have been granted that Authentication Administrator role by design of the permissions of that role are prevented from changing passwords for other members because it is a security feature.
The only around that is to give them one of those roles I mentioned above.
Here is an update to this question from Microsoft Technical Support:
We have been able to identify the source of the issue – The reason that your auth admins are unable to reset the passwords of other auth admins is due to restrictions placed on role-assignable groups.
As noted previously, our documentation clearly states that Auth Admins can reset the passwords of other Auth admins, with the only exception being noted as roles assigned at the scope of an administrative unit.
After testing this and replicating the issue, I was puzzled, I continued to test and found that this behavior is only present when the roles are assigned by a role-assignable group, and not when the roles are assigned directly to the users themselves.
This is working “as intended” but is poorly documented, and I will be requesting a documentation update to reflect this information. Below is the excerpt that explains the behavior that we’re seeing, with the associated documentation here.
To continue to utilize role-assignable groups opposed to direct assignments to users, you will need to provide the role of the Privileged Authentication Admin instead of the Authentication Admin. Otherwise, what you’re requesting will not be possible.
Please let me know if you have any questions regarding this, I am moving forward with a documentation update request to reflect this information where appropriate.