AzureAD: Authentication Administrator incorrectly granted access to delete users

IT-GA 21 Reputation points
2022-08-01T14:30:37.203+00:00

I have assigned a user the Authentication Administrator role within AzureAD.

They are not able to delete users according to the role permissions and when accessing aad.portal.azure.com they are unable to delete users. This is the expected behaviour.


However, when accessing 'Active Users' via admin.microsoft.com they are able to delete users. I have deleted a test user and the operation completed successfully.

Are the permissions for this portal configured elsewhere? It seems like an oversight that these users would be able to delete user accounts without being given the necessary permission.


Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-08-02T13:29:51.927+00:00

    Hi @IT-GA ,

    Thanks for reaching out.

    I understand you are able to delete users with the least administrative role, Authentication Administrator, via admin.microsoft.com, but the delete option is disabled in aad.portal.azure.com.

    I tried to repro the scenario in both portals in my lab. Both portals show the same behavior and allow deleting users with the Authentication Administrator role.

    In the case of aad.portal.azure.com, you need to select the user you want to delete to enable the delete button.


    Authentication Administrator allows the action to delete users from both portals, which is not documented properly here.

    However, I checked the actions of Authentication Administrator in the portal, which has permission to delete users.


    I will check this internally with the content team and will update the documentation.

    Hope this will help.

    Thanks,
    Shweta

    ----------------------------

    Please remember to "Accept Answer" if answer helped you.

