Admins are unable to reset users' passwords, how can I resolve it?

Paulo Ramos 0 Reputation points
2024-07-16T09:15:55.0133333+00:00

Hello dears,

I have 2 admin users that are not able to reset users' passwords even though they have been granted the roles of helpdesk administrator/password administrator. After looking at the logs in Microsoft Entra ID > Audit Logs, I have seen the following error message:

Microsoft.Online.Administration.AccessDeniedException

Note: Those 2 admins were able to perform this task two months ago. Looks like something has changed since then.

Can anyone help?

Thanks

Paulo Ramos


4 answers

  1. Raja Pothuraju 6,665 Reputation points Microsoft Vendor
    2024-07-25T19:06:44.8+00:00

    Hello @Paulo Ramos,

    Thank you for posting your query on Microsoft Q&A.

    I see that you have two admin users with the Helpdesk Administrator and Password Administrator roles assigned, but they are unable to reset user passwords from the Azure Portal.

    Based on our community answers, I see you have verified all the prerequisites for this issue. However, there is another limitation you should check.

    User Account Admins cannot update normal users' passwords if the user belongs to an AAD group where "Assignable to role" is True.

    Please verify if the user is a member of any Azure AD group with "Microsoft Entra roles can be assigned to the group" set to True. You can determine this by going to the list of groups in the All Groups blade, enabling the "Role assignments allowed" column.

    If the user is part of such a group, try removing them from the group and assigning the role directly to the user instead. Check if this resolves the issue.

    If the problem persists, please send an email to azcommunity@microsoft.com referencing this issue with the subject line "ATTN: pothurajur" and include a link to the current thread.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.

  2. Manu Philip 18,561 Reputation points MVP
    2024-07-16T09:40:00.3066667+00:00

    Hi,

    If PIM (Privileged Identity Management) has been introduced recently, you might have to check the following article to extend their capabilities to change passwords:

    Extend or renew Microsoft Entra role assignments in Privileged Identity Management


  3. Andy David - MVP 148.4K Reputation points MVP
    2024-07-16T10:12:49.0533333+00:00

  4. Yanhong Liu 10,390 Reputation points Microsoft Vendor
    2024-07-17T07:29:45.9733333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Based on the information provided, it seems like the two admin users are having issues with resetting passwords despite having the necessary roles. Here are a few suggestions:

    1. Check the Role Assignments: Ensure that the roles assigned to these users are still active and haven't expired. Sometimes, roles can be deactivated or expire without notice.
    2. Verify Permissions: Make sure that the permissions associated with the roles are correctly configured. Even if the users have the right roles, they might not have the necessary permissions if they are not set up correctly.
    3. Update Roles: If Privileged Identity Management (PIM) has been introduced recently, you might need to extend their capabilities to change passwords as suggested in the answer.
    4. Elevated Accounts: If the accounts they are trying to reset are elevated, they might need the privileged authentication admin role.
    5. Audit Logs: Since you have access to the audit logs, look for any changes made to these users' roles or permissions around the time they started experiencing this issue. This might give you a clue as to what has changed.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
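
The checks suggested in answers 1, 2 and 4, run offline as an added example (not code from the thread or from Microsoft): it reads JSON shaped like a Microsoft Graph `memberOf` response for the affected user, plus a list of one admin's role assignments. The sample data, the assignment record layout and all function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like Microsoft Graph GET /users/{id}/memberOf for
# the user whose password cannot be reset. All names are made up.
TARGET_MEMBER_OF = json.loads("""{"value": [
  {"@odata.type": "#microsoft.graph.group", "displayName": "Sales",
   "isAssignableToRole": null},
  {"@odata.type": "#microsoft.graph.group", "displayName": "Tier2-Operators",
   "isAssignableToRole": true},
  {"@odata.type": "#microsoft.graph.directoryRole",
   "displayName": "Reports Reader"}]}""")

# Constructed sample of one admin's role assignments; endDateTime None = permanent.
ADMIN_ASSIGNMENTS = [
    {"role": "Helpdesk Administrator", "endDateTime": "2024-06-01T00:00:00Z"},
    {"role": "Password Administrator", "endDateTime": None},
]
SAMPLE_NOW = datetime(2024, 7, 16, tzinfo=timezone.utc)  # constructed "today"

def role_assignable_groups(member_of):
    """Groups the target belongs to that have isAssignableToRole set to true."""
    return [o["displayName"] for o in member_of["value"]
            if o.get("@odata.type") == "#microsoft.graph.group"
            and o.get("isAssignableToRole") is True]

def directory_roles(member_of):
    """Directory roles held by the target, i.e. an elevated account."""
    return [o["displayName"] for o in member_of["value"]
            if o.get("@odata.type") == "#microsoft.graph.directoryRole"]

def expired_assignments(assignments, now):
    """Admin roles whose assignment end date has already passed."""
    return [a["role"] for a in assignments if a["endDateTime"] and
            datetime.fromisoformat(a["endDateTime"].replace("Z", "+00:00")) <= now]

def triage(member_of, assignments, now):
    """Collect every condition from the answers that applies to the samples."""
    findings = [f"target is in role-assignable group: {g}"
                for g in role_assignable_groups(member_of)]
    findings += [f"target holds directory role: {r}"
                 for r in directory_roles(member_of)]
    findings += [f"admin assignment expired: {r}"
                 for r in expired_assignments(assignments, now)]
    return findings

if __name__ == "__main__":
    print("\n".join(triage(TARGET_MEMBER_OF, ADMIN_ASSIGNMENTS, SAMPLE_NOW)))
```

Each finding maps to one suggestion in the thread: role-assignable group membership (answer 1), an elevated target account (answer 4, item 4), and an expired role assignment (answers 2 and 4).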

