Microsoft Entra ID · Remaining Built-in Roles
Password Administrator
Can reset passwords for non-administrators. It is the most limited password reset role and carries no additional service health or support ticket access.
Scope: Password reset for non-admin users only - most restrictive password role
Permissions
- Password Reset - Reset passwords for non-admin users
- Admin Center - Read admin center properties
- Limitation - Cannot reset passwords for any admin roles
- Limitation - Cannot invalidate refresh tokens
- Limitation - Cannot manage authentication methods
- Limitation - Cannot access BitLocker recovery keys
- Limitation - Cannot create support tickets
Common use cases
- Limited helpdesk password operations
- Minimal privilege password reset delegation
- Self-service password reset backup
- Delegated password reset in specific scenarios
- Temporary staff with password reset needs
Best practices
- Use when minimal password reset privilege is needed
- Consider Helpdesk Admin for broader helpdesk needs
- Implement identity verification before resets
- Document all password reset operations
- Train on social engineering prevention
- Use secure channels for password delivery
- Consider time-limited assignments via PIM
Security considerations
- Most limited password role available
- Cannot reset admin passwords
- Cannot invalidate sessions (use Helpdesk Admin if needed)
- Audit all password reset operations
- Lower risk than Helpdesk or Authentication Admin
- Consider PIM for just-in-time access
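
One way to act on "Audit all password reset operations", as an added example that is not part of the original page: a small review pass over exported audit records that flags successful resets of admin accounts and reset bursts by one operator. It assumes records shaped like Microsoft Graph directoryAudit entries; the activity names, the threshold, the privileged-account list and all account names are assumptions or constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activity names for admin-initiated resets; confirm against your tenant's logs.
RESET_ACTIVITIES = {"Reset user password", "Reset password (by admin)"}

def review_resets(events, privileged_upns, max_per_hour=3):
    """Return (reason, initiator, target, time) tuples for resets that need review."""
    findings, recent = [], defaultdict(list)
    resets = [e for e in events
              if e["activityDisplayName"] in RESET_ACTIVITIES and e["result"] == "success"]
    for e in sorted(resets, key=lambda e: e["activityDateTime"]):
        when = datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))
        actor = e["initiatedBy"]["user"]["userPrincipalName"].lower()
        for target in e["targetResources"]:
            upn = (target.get("userPrincipalName") or "").lower()
            # A Password Administrator cannot reset admin accounts, so a successful
            # reset of one means the initiator holds a broader role than that.
            if upn in privileged_upns:
                findings.append(("privileged-target", actor, upn, when))
        # Sliding one-hour window per initiator to surface reset bursts.
        recent[actor] = [t for t in recent[actor] if when - t < timedelta(hours=1)] + [when]
        if len(recent[actor]) == max_per_hour + 1:  # first reset past the limit
            findings.append(("burst", actor, None, when))
    return findings

def _event(activity, actor, target, when, result="success"):
    """Build a constructed record shaped like a Graph directoryAudit entry."""
    return {"activityDisplayName": activity, "activityDateTime": when, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "User", "userPrincipalName": target}]}

# Constructed sample data; every account name is hypothetical.
PRIVILEGED_UPNS = {"admin1@example.com"}
SAMPLE_EVENTS = [
    _event("Reset user password", "helpdesk1@example.com", "alice@example.com", "2024-05-01T09:00:00Z"),
    _event("Reset user password", "helpdesk1@example.com", "bob@example.com", "2024-05-01T09:05:00Z"),
    _event("Reset user password", "helpdesk1@example.com", "carol@example.com", "2024-05-01T09:10:00Z"),
    _event("Reset user password", "helpdesk1@example.com", "dave@example.com", "2024-05-01T09:20:00Z"),
    _event("Reset user password", "helpdesk1@example.com", "erin@example.com", "2024-05-01T09:25:00Z", "failure"),
    _event("Update user", "helpdesk2@example.com", "frank@example.com", "2024-05-01T09:30:00Z"),
    _event("Reset user password", "helpdesk2@example.com", "admin1@example.com", "2024-05-01T10:00:00Z"),
]

if __name__ == "__main__":
    for finding in review_resets(SAMPLE_EVENTS, PRIVILEGED_UPNS):
        print(finding)
```

Tune `max_per_hour` to the normal helpdesk volume, and build the privileged-account list from current role assignments so it stays accurate.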