Azure AD Password reset permissions

Anonymous
2021-02-17T16:43:13.357+00:00

Some roles like Helpdesk Admin cannot reset password for privileged accounts like Global Admins. Is it possible to use the same mechanism and apply it to selected users like CEO, CIO so that regular helpdesk members cannot reset their password? Is there any documentation how this "Password reset permissions" works behind the scene?

Thanks!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,597 questions
{count} votes

Accepted answer
  1. Alfredo Revilla (Personal Account) 391 Reputation points
    2021-02-17T17:59:06.833+00:00

    Helpesk admin will be able to reset password for any non admin user. If you want to limit it's capabilities you might try Management capabilities for Azure AD roles in Privileged Identity Management which can temporarly assign roles for a limited ammount of time, Configure security alerts for Azure AD roles in Privileged Identity Management and/or Set up notifications for changes in user data so that in the case of an undesired password reset dont by one the temporary admins you can take action such as taking down the role assigment and resetting tje affected user with a new password.

    * If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.*

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Alfredo Revilla (Personal Account) 391 Reputation points
    2021-02-17T17:28:22.253+00:00

    Howdy, you can use the Privileged Authentication Administrator role to manage any admin password, including the Global Admin. Take a look to detailed password reset permission.

    If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.

    1 person found this answer helpful.