Microsoft Entra ID · Remaining Built-in Roles

Password Administrator

Can reset passwords for non-administrators. Most limited password reset role without additional service health or support ticket access.

Scope: Password reset for non-admin users only - most restrictive password role

Permissions

  • Password Reset - Reset passwords for non-admin users
  • Admin Center - Read admin center properties
  • Limitation - Cannot reset passwords for any admin roles
  • Limitation - Cannot invalidate refresh tokens
  • Limitation - Cannot manage authentication methods
  • Limitation - Cannot access BitLocker recovery keys
  • Limitation - Cannot create support tickets

Common use cases

  • Limited helpdesk password operations
  • Minimal privilege password reset delegation
  • Self-service password reset backup
  • Delegated password reset in specific scenarios
  • Temporary staff with password reset needs

Best practices

  • Use when minimal password reset privilege needed
  • Consider Helpdesk Admin for broader helpdesk needs
  • Implement identity verification before resets
  • Document all password reset operations
  • Train on social engineering prevention
  • Use secure channels for password delivery
  • Consider time-limited assignments via PIM

Security considerations

  • Most limited password role available
  • Cannot reset admin passwords
  • Cannot invalidate sessions (use Helpdesk Admin if needed)
  • Audit all password reset operations
  • Lower risk than Helpdesk or Authentication Admin
  • Consider PIM for just-in-time access

Common questions

When should I assign the Password Administrator role?

Assign Password Administrator when you need to: Limited helpdesk password operations; Minimal privilege password reset delegation; Self-service password reset backup; Delegated password reset in specific scenarios; and Temporary staff with password reset needs. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Password Administrator role do?

The Password Administrator role grants permissions including: Password Reset - Reset passwords for non-admin users; Admin Center - Read admin center properties; Limitation - Cannot reset passwords for any admin roles; Limitation - Cannot invalidate refresh tokens; Limitation - Cannot manage authentication methods; and Limitation - Cannot access BitLocker recovery keys. See the Permissions section above for the full list.

What are the security risks of the Password Administrator role?

Key considerations when assigning Password Administrator: Most limited password role available; Cannot reset admin passwords; Cannot invalidate sessions (use Helpdesk Admin if needed); and Audit all password reset operations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →