Microsoft Entra ID · Remaining Built-in Roles

Privileged Authentication Administrator

Can set or reset any authentication method (including passwords) for any user, including Global Administrators. This is one of the highest-privilege roles.

Scope: Authentication management for ALL users, including Global Administrators

Permissions

  • Auth Methods - Update auth methods for all users
  • Auth Methods - Create auth methods for all users
  • Auth Methods - Delete auth methods for all users
  • Auth Methods - Read auth method properties
  • Certificates - Update certificate user IDs property
  • User Properties - Update basic user properties
  • User Management - Delete any user including admins
  • User Management - Disable any user including admins
  • User Management - Enable any user
  • Session Management - Force sign-out for any user
  • User Management - Update manager for users
  • Password Reset - Reset passwords for ALL users including Global Admins
  • User Recovery - Restore deleted users
  • UPN Management - Update UPN for any user
  • User Recovery - Restore soft-deleted users
  • Support Tickets - Create and manage Azure support tickets
  • Support Tickets - Create and manage Microsoft 365 support tickets

Common use cases

  • Emergency password resets for compromised Global Admin accounts
  • Resetting MFA for executives locked out of their accounts
  • Managing authentication for highly privileged admin accounts
  • Incident response requiring credential reset for any user
  • Disabling compromised accounts across all privilege levels
  • Managing certificate-based authentication for admins
  • Forcing sign-out for suspected compromised admin sessions
  • Recovery scenarios when Global Admin is unavailable

Best practices

  • Limit to 2-3 people maximum; the role is extremely privileged
  • ALWAYS use a PIM eligible assignment, never a permanent active one
  • Require multi-person approval for activation
  • Require phishing-resistant MFA for activation
  • Set maximum activation duration to 2 hours
  • Require detailed justification for every activation
  • Enable alerts for all password resets performed
  • Document every action taken while role is active
  • Consider requiring break-glass procedure to activate
  • Review eligible assignments monthly
  • Audit all authentication changes made
  • Use only for high-privilege user scenarios
  • Coordinate with Security Operations for any use
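
The assignment and activation rules above can be checked mechanically against an export of the role's holders and its PIM settings. The script below is an added example, not Microsoft's or the page author's code; the input shape (a `kind`/`start`/`end` record per holder and a flat settings dictionary) is an assumption standing in for what Microsoft Graph returns for role assignment schedule instances and the role management policy, and the sample data is constructed.

```python
"""Check Privileged Authentication Administrator holders and PIM settings
against the best practices above (added example, not Microsoft code).

Input shape is an assumption: a simplified form of what Microsoft Graph
returns for role assignment / eligibility schedule instances and for the
role's PIM policy. Replace the constructed sample data with a real export.
"""
from datetime import datetime, timedelta, timezone

ROLE = "Privileged Authentication Administrator"
MAX_HOLDERS = 3                       # "Limit to 2-3 people maximum"
MAX_ACTIVATION = timedelta(hours=2)   # "Set maximum activation duration to 2 hours"

UTC = timezone.utc

# Constructed sample: who holds the role and how (assumed, simplified schema).
# kind "eligible": PIM eligible assignment (the desired state)
# kind "active" with start/end: a PIM activation, end - start is its duration
# kind "active" with end None: a permanent active assignment (should not exist)
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "kind": "eligible", "start": None, "end": None},
    {"principal": "bob@contoso.example",   "kind": "eligible", "start": None, "end": None},
    {"principal": "bob@contoso.example",   "kind": "active",
     "start": datetime(2024, 1, 10, 9, 0, tzinfo=UTC),
     "end":   datetime(2024, 1, 10, 11, 0, tzinfo=UTC)},       # 2h activation, fine
    {"principal": "carol@contoso.example", "kind": "active", "start": None, "end": None},  # permanent
    {"principal": "dave@contoso.example",  "kind": "active",
     "start": datetime(2024, 1, 10, 9, 0, tzinfo=UTC),
     "end":   datetime(2024, 1, 10, 17, 0, tzinfo=UTC)},       # 8h activation, too long
]

# Constructed sample PIM role settings (assumed keys). In PIM, phishing-resistant
# MFA on activation is enforced through a Conditional Access authentication
# context rather than the plain MFA switch modelled here.
SAMPLE_POLICY = {
    "approval_required": False,
    "approvers": [],
    "mfa_required": True,
    "justification_required": True,
    "max_activation_hours": 8,
}


def check_assignments(assignments, max_holders=MAX_HOLDERS, max_activation=MAX_ACTIVATION):
    """Return a list of findings for holders that violate the best practices."""
    findings = []
    holders = {a["principal"] for a in assignments}
    if len(holders) > max_holders:
        findings.append(f"{len(holders)} distinct holders (limit {max_holders}): {sorted(holders)}")
    for a in assignments:
        if a["kind"] != "active":
            continue
        if a["end"] is None:
            findings.append(f"permanent active assignment: {a['principal']}")
        elif a["start"] is not None and a["end"] - a["start"] > max_activation:
            hours = (a["end"] - a["start"]).total_seconds() / 3600
            limit = max_activation.total_seconds() / 3600
            findings.append(f"activation of {hours:.0f}h exceeds {limit:.0f}h for {a['principal']}")
    return findings


def check_policy(policy, max_activation=MAX_ACTIVATION):
    """Return a list of findings for PIM settings weaker than the best practices."""
    findings = []
    if not policy.get("approval_required") or not policy.get("approvers"):
        findings.append("activation does not require approval")
    if not policy.get("mfa_required"):
        findings.append("activation does not require MFA")
    if not policy.get("justification_required"):
        findings.append("activation does not require justification")
    limit = max_activation.total_seconds() / 3600
    if policy.get("max_activation_hours", 0) > limit:
        findings.append(f"max activation {policy['max_activation_hours']}h exceeds {limit:.0f}h")
    return findings


if __name__ == "__main__":
    for finding in check_assignments(SAMPLE_ASSIGNMENTS) + check_policy(SAMPLE_POLICY):
        print(f"FINDING [{ROLE}]: {finding}")
```

Run as-is it reports four holders against a limit of three, carol's permanent active assignment, dave's eight-hour activation, the missing approval requirement and the eight-hour activation ceiling; the monthly review in the list above is the natural place to run it.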

Security considerations

  • CRITICAL: Can reset password for Global Administrator accounts
  • Can effectively take over any account in the organization
  • Can reset MFA, effectively bypassing the second factor
  • Can delete or disable any user including Global Admins
  • Compromise of this role equals complete identity compromise
  • Should be treated with the same care as Global Administrator
  • All actions should be logged and monitored in real-time
  • Consider requiring video recording of sessions
  • Can disable accounts needed for business operations
  • Can reset authentication for emergency access accounts
  • Monitor for any credential changes to privileged accounts
  • Consider two-person integrity for any activation
  • May be needed for recovery but creates significant risk
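
Real-time monitoring of credential changes to privileged and emergency-access accounts, as the considerations above call for, comes down to a small classifier over the tenant's audit log. The script below is an added example, not Microsoft's or the page author's code; the entries follow a trimmed-down version of the Microsoft Graph directoryAudit shape, the activity names in `CREDENTIAL_ACTIVITIES`, the account lists and the log lines are constructed assumptions to be checked against your own export.

```python
"""Alert on authentication changes made through the Privileged Authentication
Administrator role, raising severity when the target is a Global Admin or an
emergency-access account (added example, not Microsoft code).

Entries use a trimmed-down version of the Microsoft Graph directoryAudit shape
(activityDisplayName, initiatedBy, targetResources, result). The activity
names, accounts and log lines below are constructed; verify the names against
your tenant's own audit log before relying on them.
"""
import json

# Activities that change how a user authenticates (names are assumptions).
CREDENTIAL_ACTIVITIES = {
    "Reset user password": "password reset",
    "Admin registered security info": "auth method create",
    "Admin updated security info": "auth method update",
    "Admin deleted security info": "auth method delete",
    "Disable account": "account disable",
    "Delete user": "user delete",
}

# Constructed tenant context: who is privileged, who may legitimately act.
GLOBAL_ADMINS = {"ga-jane@contoso.example", "ga-raj@contoso.example"}
EMERGENCY_ACCESS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}
KNOWN_PAA_HOLDERS = {"alice@contoso.example", "bob@contoso.example"}

# Constructed sample audit entries, one JSON object per line.
SAMPLE_LOG = """
{"activityDateTime":"2024-01-10T09:12:00Z","activityDisplayName":"Reset user password","result":"success","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"userPrincipalName":"ga-jane@contoso.example"}]}
{"activityDateTime":"2024-01-10T09:15:00Z","activityDisplayName":"Admin deleted security info","result":"success","initiatedBy":{"user":{"userPrincipalName":"bob@contoso.example"}},"targetResources":[{"userPrincipalName":"breakglass1@contoso.example"}]}
{"activityDateTime":"2024-01-10T09:20:00Z","activityDisplayName":"Reset user password","result":"success","initiatedBy":{"user":{"userPrincipalName":"mallory@contoso.example"}},"targetResources":[{"userPrincipalName":"helpdesk-user@contoso.example"}]}
{"activityDateTime":"2024-01-10T09:25:00Z","activityDisplayName":"Update user","result":"success","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"userPrincipalName":"someone@contoso.example"}]}
{"activityDateTime":"2024-01-10T09:30:00Z","activityDisplayName":"Reset user password","result":"failure","initiatedBy":{"user":{"userPrincipalName":"alice@contoso.example"}},"targetResources":[{"userPrincipalName":"someone@contoso.example"}]}
"""


def classify(entry):
    """Return an alert dict for a credential-changing entry, or None otherwise."""
    kind = CREDENTIAL_ACTIVITIES.get(entry.get("activityDisplayName"))
    if kind is None:
        return None
    actor = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
    targets = [t.get("userPrincipalName") for t in entry.get("targetResources", [])]
    targets = [t for t in targets if t]
    # Severity ladder: emergency-access target > Global Admin target > anyone else.
    # Every password reset still produces an alert, per the best practices.
    if any(t in EMERGENCY_ACCESS for t in targets):
        severity = "critical"
    elif any(t in GLOBAL_ADMINS for t in targets):
        severity = "high"
    else:
        severity = "medium"
    notes = []
    if actor not in KNOWN_PAA_HOLDERS:
        # Other roles can reset non-admin credentials; on a privileged target
        # this points at an assignment made outside the reviewed PIM list.
        notes.append("actor is not a known Privileged Authentication Administrator")
    if entry.get("result") != "success":
        notes.append("attempt failed")
    return {"time": entry.get("activityDateTime"), "actor": actor, "targets": targets,
            "kind": kind, "severity": severity, "notes": notes}


def detect(log_text):
    """Parse JSON-lines audit entries and return alerts in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['severity'].upper():8} {alert['time']} {alert['actor']} -> "
              f"{', '.join(alert['targets'])}: {alert['kind']} {alert['notes']}")
```

On the sample log this yields a high-severity alert for the Global Admin reset, a critical one for the deleted authentication method on the break-glass account, a medium one flagged because the actor is outside the reviewed holder list, and a medium one for the failed attempt; the plain "Update user" entry is ignored. Feeding it a live export means replacing `SAMPLE_LOG` with the audit log stream and the three account sets with the tenant's real lists.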
