We recently had an issue where a helpdesk technician deleted an AD user and caused several major issues. We've since set up custom local AD permissions for the technician and are trying to do something similar in Azure AD. He needs to be able to create and update user information, add and remove users from groups, but not be able to actually delete a user. We tried setting his Azure AD role to Helpdesk Admin, but that does not have enough permissions. User Admin has too many permissions. I think if we could just strip the delete capability from User Admin we would have what we need. I tried creating a custom role inside Azure AD, but could not find the granularity I need. Does anyone have a suggestion? Thanks.
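One way to express the "User Admin minus delete" requirement as a custom Entra ID (Azure AD) role, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK and the `RoleManagement.ReadWrite.Directory` scope, and it uses the `microsoft.directory/users/...` and `microsoft.directory/groups/members/update` action names from Microsoft's published permission list; the role name, description and the technician's object ID are placeholders. Actions are allow-listed individually, so the absence of `microsoft.directory/users/delete` is what removes the delete capability; the script re-reads the role after creation to confirm that.

```powershell
# Added example: custom directory role that can create/update users and
# manage group membership but has no user-delete action.
# Assumes the Microsoft.Graph module and an admin able to grant this scope.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Allow-listed actions only. Anything not listed here (including
# microsoft.directory/users/delete) is denied to holders of this role.
# Verify each action against the current permission reference before use.
$allowedActions = @(
    "microsoft.directory/users/create",
    "microsoft.directory/users/basic/update",
    "microsoft.directory/users/manager/update",
    "microsoft.directory/users/userPrincipalName/update",
    "microsoft.directory/users/password/update",
    "microsoft.directory/users/disable",
    "microsoft.directory/users/enable",
    "microsoft.directory/groups/members/update"
)

$roleParams = @{
    DisplayName     = "Helpdesk User Manager (no delete)"   # placeholder name
    Description     = "Create/update users and manage group membership; cannot delete users."
    IsEnabled       = $true
    RolePermissions = @(
        @{ AllowedResourceActions = $allowedActions }
    )
}

$role = New-MgRoleManagementDirectoryRoleDefinition @roleParams

# Check: re-read the stored definition and fail if any delete action slipped in.
$stored = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $role.Id
$storedActions = $stored.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
$deleteActions = $storedActions | Where-Object { $_ -like "*/delete" }
if ($deleteActions) {
    throw "Role '$($stored.DisplayName)' unexpectedly grants: $($deleteActions -join ', ')"
}
Write-Host "Role '$($stored.DisplayName)' created with $($storedActions.Count) actions and no delete rights."

# Assign the role to the technician (placeholder object ID), tenant-wide scope "/".
$technicianObjectId = "<technician-user-object-id>"
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $technicianObjectId `
    -DirectoryScopeId "/"
```

Two caveats worth checking after deploying this: the group-membership action does not cover role-assignable groups, which is the desired behaviour since membership in those grants admin roles, and `password/update` still lets the holder reset passwords for non-admin users, so drop it if that is more than the technician needs. Audit coverage is unchanged by the custom role; `Delete user` events in the Entra audit log remain the signal to alert on if someone is later granted a broader role.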