Junior IT User admin role -- basic User management

Question

Junior IT User admin role -- basic User management

Carlo Lodola 11

Hi

The build in role User administrator - allows the User to perform too many functions

It is possible to restrict the user to having minimal functionality , very basic User management

add users, manage, edit, and update passwords.
This role should not see or ability to edit a specific set of Microsoft 365 groups (which are sensitive and management-level groups).

From my understanding "Custom" Azure role only accommodates permissions for Application registrations and Enterprise applications

2 answers

Your answer

Answer 1

Vasil Michev 118.1K MVP Moderator

You can use Administrative units to restrict the scope of the User management role: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

If you also want to restrict the set of actions allowed, you will have to create a custom role: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-create

Do note that not all operations are currently supported for custom roles.

Answer 2

Sandeep G-MSFT 20,881 Microsoft Employee Moderator

@Anonymous

Thank you for posting this in Microsoft Q&A.

You can create a custom role. However, currently we have only few permissions listed for under user's scope as below.

User's image

Apart from this if you want to restrict users with specific roles from add users, manage, edit, and update passwords then you can make use of administrative units,

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Carlo Lodola 11 Reputation points

2023-11-28T16:42:12.18+00:00

Thanks for the help

Admin units is what I need but the only role to allow user creation appears to be User administrator , User administrator still allows too much access

I assigned a User , the role of User administrator within the scope of the admin unit

When I login as the User (role of User administrator) via Office 365 Admin Centre , I can only reset the password

Why can I not perform all the permissions associated with the User administrator within the scope of the admin unit?
Sandeep G-MSFT 20,881 Reputation points Microsoft Employee Moderator

2023-12-12T04:50:04.89+00:00

@Anonymous

Let's work on this thread offline as it requires little deeper investigation.

Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:

Link to this thread/post

We can connect offline and discuss further on this.

Share via

Junior IT User admin role -- basic User management

2 answers

Your answer