Junior IT User admin role -- basic User management

Carlo Lodola 11 Reputation points


The built-in role User Administrator allows the user to perform too many functions.

It is possible to restrict the user to having minimal functionality, very basic User management

  • Add users, manage, edit, and update passwords.
  • This role should not see or have the ability to edit a specific set of Microsoft 365 groups (which are sensitive and management-level groups).

From my understanding, a "Custom" Azure role only accommodates permissions for Application registrations and Enterprise applications.


2 answers

  1. Vasil Michev 99,936 Reputation points MVP

    You can use Administrative units to restrict the scope of the User management role: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

    If you also want to restrict the set of actions allowed, you will have to create a custom role: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-create

    Do note that not all operations are currently supported for custom roles.


  2. Sandeep G-MSFT 16,601 Reputation points Microsoft Employee

    @Carlo Lodola

    Thank you for posting this in Microsoft Q&A.

    You can create a custom role. However, currently we have only a few permissions listed under the user's scope, as below.

    User's image

    Apart from this, if you want to restrict users with specific roles from adding users, managing, editing, and updating passwords, then you can make use of administrative units.


    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
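
The approach both answers point to, scoping the built-in User Administrator role with an administrative unit, as an added example that is not part of the original thread and not Microsoft's own script. It uses the Microsoft Graph PowerShell SDK; the administrative unit name and all UPNs are hypothetical placeholders.

```powershell
# Added example: assign User Administrator at administrative-unit scope
# instead of tenant-wide. Names and UPNs below are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$juniorAdminUpn  = 'junior.admin@contoso.example'
$managedUserUpns = @('user1@contoso.example', 'user2@contoso.example')

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# 1. Create the administrative unit that holds only the accounts the junior
#    admin may manage. Sensitive users and groups are simply never added to it.
$au = New-MgDirectoryAdministrativeUnit `
        -DisplayName 'Junior IT - Managed Users' `
        -Description 'Accounts manageable by junior IT staff'

# 2. Add the in-scope users as members of the administrative unit.
foreach ($upn in $managedUserUpns) {
    $user = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($user.Id)" }
}

# 3. Look up the built-in role by name rather than hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
if (-not $role) { throw 'User Administrator role definition not found.' }

# 4. Assign the role to the junior admin, scoped to the administrative unit.
$junior = Get-MgUser -UserId $juniorAdminUpn
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId      $junior.Id `
        -RoleDefinitionId $role.Id `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Check for leftover tenant-wide ('/') assignments of any role, which
#    would bypass the administrative-unit scoping done above.
$tenantWide = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($junior.Id)'" |
    Where-Object { $_.DirectoryScopeId -eq '/' }
if ($tenantWide) {
    Write-Warning "$juniorAdminUpn still holds $(@($tenantWide).Count) tenant-wide role assignment(s)."
}

"Scoped assignment $($assignment.Id) created on $($assignment.DirectoryScopeId)"
```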