Microsoft Entra ID · Remaining Built-in Roles
Password Administrator
Can reset passwords for non-administrators. Most limited password reset role without additional service health or support ticket access.
Scope: Password reset for non-admin users only - most restrictive password role
Permissions
- Password Reset - Reset passwords for non-admin users
- Admin Center - Read admin center properties
- Limitation - Cannot reset passwords for any admin roles
- Limitation - Cannot invalidate refresh tokens
- Limitation - Cannot manage authentication methods
- Limitation - Cannot access BitLocker recovery keys
- Limitation - Cannot create support tickets
Common use cases
- Limited helpdesk password operations
- Minimal privilege password reset delegation
- Self-service password reset backup
- Delegated password reset in specific scenarios
- Temporary staff with password reset needs
Best practices
- Use when minimal password reset privilege needed
- Consider Helpdesk Admin for broader helpdesk needs
- Implement identity verification before resets
- Document all password reset operations
- Train on social engineering prevention
- Use secure channels for password delivery
- Consider time-limited assignments via PIM
Security considerations
- Most limited password role available
- Cannot reset admin passwords
- Cannot invalidate sessions (use Helpdesk Admin if needed)
- Audit all password reset operations
- Lower risk than Helpdesk or Authentication Admin
- Consider PIM for just-in-time access
Common questions
When should I assign the Password Administrator role?
Assign Password Administrator when you need to: Limited helpdesk password operations; Minimal privilege password reset delegation; Self-service password reset backup; Delegated password reset in specific scenarios; and Temporary staff with password reset needs. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Password Administrator role do?
The Password Administrator role grants permissions including: Password Reset - Reset passwords for non-admin users; Admin Center - Read admin center properties; Limitation - Cannot reset passwords for any admin roles; Limitation - Cannot invalidate refresh tokens; Limitation - Cannot manage authentication methods; and Limitation - Cannot access BitLocker recovery keys. See the Permissions section above for the full list.
What are the security risks of the Password Administrator role?
Key considerations when assigning Password Administrator: Most limited password role available; Cannot reset admin passwords; Cannot invalidate sessions (use Helpdesk Admin if needed); and Audit all password reset operations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.