Helpesk admin will be able to reset password for any non admin user. If you want to limit it's capabilities you might try Management capabilities for Azure AD roles in Privileged Identity Management which can temporarly assign roles for a limited ammount of time, Configure security alerts for Azure AD roles in Privileged Identity Management and/or Set up notifications for changes in user data so that in the case of an undesired password reset dont by one the temporary admins you can take action such as taking down the role assigment and resetting tje affected user with a new password.
* If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.*