Microsoft Entra ID · Remaining Built-in Roles
Helpdesk Administrator
Can reset passwords for non-administrators and Helpdesk Administrators. Cannot manage service health, support tickets, or advanced user properties.
Scope: Password reset for non-admin users and other Helpdesk Administrators
Permissions
- BitLocker - Read BitLocker recovery keys
- Session Management - Invalidate user refresh tokens
- Password Reset - Reset passwords for non-admin users
- Service Health - Manage Azure service health
- Support Tickets - Create and manage support tickets
- M365 Health - Manage M365 service health
- M365 Support - Create M365 support tickets
- Admin Center - Read admin center properties
- Password Reset - Reset passwords for other Helpdesk Admins
- User Profiles - View user profiles and basic properties
- Limitation - Cannot reset passwords for other admin roles
Common use cases
- First-line helpdesk password support
- Self-service password reset backup
- Basic user support operations
- BitLocker recovery key retrieval
- Session invalidation for compromised accounts
- Service health monitoring and ticket creation
- User lockout resolution
- Temporary password provisioning
Best practices
- Standard role for Tier 1 helpdesk staff
- Use Authentication Admin for MFA support needs
- Implement self-service password reset to reduce tickets
- Verify user identity before resetting passwords
- Document all password reset operations
- Train on social engineering attack prevention
- Use secure channels for password communication
- Consider time-limited assignments via PIM
- Monitor for high-volume reset activity
- Escalate suspicious reset requests
Security considerations
- Cannot reset passwords for admin role holders
- Lower privilege than Authentication Administrator
- Audit all password reset operations
- Monitor for account takeover patterns
- Alert on unusual reset activity
- Verify identity through established procedures
- Consider PIM for just-in-time access
- BitLocker key access should be monitored
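The monitoring items above (high-volume reset activity, BitLocker key access) can be checked against the tenant's directory audit log. The following is an added example, not Microsoft code, that runs a sliding-window reset detector and a BitLocker-read flag over constructed records shaped like Microsoft Graph directoryAudit entries; the activity names, thresholds, user principal names and device name are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Graph directoryAudit entries
# (activityDisplayName, activityDateTime, initiatedBy, targetResources). Not real data.
def _reset(who, target, when):
    return {"activityDisplayName": "Reset user password", "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": who}},
            "targetResources": [{"userPrincipalName": target}]}

HD1, HD2 = "helpdesk1@contoso.example", "helpdesk2@contoso.example"   # assumed helpdesk accounts
SAMPLE_AUDIT = [
    _reset(HD1, "alice@contoso.example", "2024-05-01T09:00:00Z"),
    _reset(HD1, "bob@contoso.example", "2024-05-01T09:05:00Z"),
    _reset(HD1, "carol@contoso.example", "2024-05-01T09:10:00Z"),
    _reset(HD1, "dave@contoso.example", "2024-05-01T09:12:00Z"),
    _reset(HD2, "erin@contoso.example", "2024-05-01T10:00:00Z"),
    _reset(HD2, "frank@contoso.example", "2024-05-01T11:00:00Z"),
    {"activityDisplayName": "Read BitLocker key", "activityDateTime": "2024-05-01T11:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": HD2}},
     "targetResources": [{"displayName": "LAPTOP-01"}]},   # assumed device name
]

def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def _initiator(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")

def find_alerts(records, threshold=3, window=timedelta(minutes=30)):
    """Return (kind, initiator, detail) tuples in time order: high_volume_reset when one
    initiator performs `threshold` resets inside a sliding `window` (reported once per
    initiator), and bitlocker_key_read for every recovery-key retrieval (always reviewed)."""
    alerts, recent, reported = [], defaultdict(list), set()
    for rec in sorted(records, key=_ts):
        who, activity = _initiator(rec), rec["activityDisplayName"]
        if activity == "Read BitLocker key":
            device = rec["targetResources"][0].get("displayName", "<unknown>")
            alerts.append(("bitlocker_key_read", who, device))
        elif activity == "Reset user password":
            now, bucket = _ts(rec), recent[who]
            bucket.append(now)
            while now - bucket[0] > window:   # drop resets that fell out of the window
                bucket.pop(0)
            if len(bucket) >= threshold and who not in reported:
                reported.add(who)
                alerts.append(("high_volume_reset", who, len(bucket)))
    return alerts
```

In practice the records come from an export of the tenant audit log (for example the Graph directoryAudits endpoint); the threshold and window should be tuned to the helpdesk's normal ticket volume.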