![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 69%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER7%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,357 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @RT-7199,
Thank you for posting your query on Microsoft Q&A.
I understand that you have assigned the "Authentication Administrator" role to a user, which is the least privileged role to update authentication methods. However, when this user tries to change, delete, or view authentication methods for another user, they encounter an error stating, "You currently don't have permissions to manage this user's authentication methods."
This can happen if the user falls under the following unsupported scenarios:
- The user cannot change credentials or reset MFA for members and owners of a role-assignable group.
- The user cannot change credentials or reset MFA for members who have an administrator role, including:
- Groups Admin
- Helpdesk Admin
- Privileged Auth Admin
- Privileged Role Admin
- User (no admin role but member or owner of a role-assignable group)
- User with a role scoped to a restricted management administrative unit
- User Admin
- All custom roles
Here are two simple scenarios to illustrate this:
- Scenario 1:
- User A has the Global Administrator role.
- User B has the Authentication Administrator role.
- When User B tries to make changes to User A's authentication methods, it won't allow them because User A falls under the unsupported scenario due to having the Global Administrator role.
- Scenario 2:
- User A is included in a security group where an Entra role is assigned to that group.
- User B has the Authentication Administrator role.
- When User B tries to make changes to User A's authentication methods, it won't allow them because User A falls under the unsupported scenario of being a member or owner of a role-assignable group.
Please check the above scenarios and verify if the test user falls under any unsupported scenarios as per Microsoft documentation.
References:
Hope this includes all the information that you were looking for.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 96%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)