Authentication Administrator (Microsoft Entra ID built-in role)

Can view, set, and reset authentication method information for any non-admin user. Cannot manage MFA settings or password protection policies.

Scope: Authentication management for non-admin users, including password and MFA resets

Permissions

  • Auth Methods - Create authentication methods for users
  • Auth Methods - Delete authentication methods for users
  • Auth Methods - Read standard authentication methods
  • Auth Methods - Update authentication methods for users
  • User Recovery - Restore recently deleted users
  • User Management - Delete users
  • User Management - Disable user accounts
  • User Management - Enable user accounts
  • Session Management - Invalidate user refresh tokens
  • Password Reset - Reset passwords for non-admin users
  • User Recovery - Restore deleted users
  • Service Health - Manage Azure service health
  • Support Tickets - Create and manage support tickets
  • MFA Management - Force re-registration of MFA for non-admin users
  • Auth Methods - Read user authentication method configuration
  • Limitation - Cannot manage admin user authentication

Common use cases

  • Helpdesk password resets for end users
  • MFA enrollment and troubleshooting support
  • Authentication method registration assistance
  • Force MFA re-registration for non-admin users
  • Temporary Access Pass creation for onboarding
  • Windows Hello for Business enrollment support
  • FIDO2 security key registration assistance
  • Authenticator app setup support
  • Phone number verification for SMS/voice MFA
  • User account enable/disable operations
  • Refresh token invalidation for security incidents

Best practices

  • Primary role for helpdesk authentication support
  • Use the Privileged Authentication Administrator role for accounts that hold admin roles
  • Enable self-service password reset to reduce ticket volume
  • Verify user identity before resetting credentials
  • Document all credential reset operations
  • Use Temporary Access Pass for secure onboarding
  • Coordinate with Security team on authentication incidents
  • Train staff on social engineering prevention
  • Monitor for unusual reset activity patterns
  • Consider Privileged Identity Management (PIM) for just-in-time activation of the role

Security considerations

  • Cannot reset passwords for admin role holders
  • Cannot modify admin user MFA settings
  • Limited scope reduces attack surface
  • Audit all authentication method changes
  • Monitor for account takeover patterns
  • Alert on high volume of password resets
  • Consider time-limited assignments via PIM
  • Verify identity through multiple channels
