Microsoft Entra ID · Remaining Built-in Roles
Privileged Authentication Administrator
Can set or reset any authentication method (including passwords) for any user, including Global Administrators. This is one of the highest-privilege roles.
Scope: Authentication management for ALL users including Global Administrators
Permissions
- Auth Methods - Update auth methods for all users
- Auth Methods - Create auth methods for all users
- Auth Methods - Delete auth methods for all users
- Auth Methods - Read auth method properties
- Certificates - Update certificate user IDs property
- User Properties - Update basic user properties
- User Management - Delete any user including admins
- User Management - Disable any user including admins
- User Management - Enable any user
- Session Management - Force sign-out for any user
- User Management - Update manager for users
- Password Reset - Reset passwords for ALL users including Global Admins
- User Recovery - Restore deleted users
- UPN Management - Update UPN for any user
- User Recovery - Restore soft-deleted users
- Support Tickets - Create and manage Azure support tickets
- Support Tickets - Create and manage Microsoft 365 support tickets
Common use cases
- Emergency password resets for compromised Global Admin accounts
- Resetting MFA for executives locked out of their accounts
- Managing authentication for highly-privileged admin accounts
- Incident response requiring credential reset for any user
- Disabling compromised accounts across all privilege levels
- Managing certificate-based authentication for admins
- Forcing sign-out for suspected compromised admin sessions
- Recovery scenarios when Global Admin is unavailable
Best practices
- Limit to 2-3 people maximum - extremely privileged
- ALWAYS use PIM eligible assignment, never permanent active
- Require multi-person approval for activation
- Require phishing-resistant MFA for activation
- Set maximum activation duration to 2 hours
- Require detailed justification for every activation
- Enable alerts for all password resets performed
- Document every action taken while role is active
- Consider requiring break-glass procedure to activate
- Review eligible assignments monthly
- Audit all authentication changes made
- Use only for high-privilege user scenarios
- Coordinate with Security Operations for any use
Security considerations
- CRITICAL: Can reset password for Global Administrator accounts
- Can effectively take over any account in the organization
- Can reset MFA effectively bypassing second factor
- Can delete or disable any user including Global Admins
- Compromise of this role equals complete identity compromise
- Should be treated with same care as Global Administrator
- All actions should be logged and monitored in real-time
- Consider requiring video recording of sessions
- Can disable accounts needed for business operations
- Can reset authentication for emergency access accounts
- Monitor for any credential changes to privileged accounts
- Consider two-person integrity for any activation
- May be needed for recovery but creates significant risk
Common questions
When should I assign the Privileged Authentication Administrator role?
Assign Privileged Authentication Administrator when you need to: Emergency password resets for compromised Global Admin accounts; Resetting MFA for executives locked out of their accounts; Managing authentication for highly-privileged admin accounts; Incident response requiring credential reset for any user; and Disabling compromised accounts across all privilege levels. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Privileged Authentication Administrator role do?
The Privileged Authentication Administrator role grants permissions including: Auth Methods - Update auth methods for all users; Auth Methods - Create auth methods for all users; Auth Methods - Delete auth methods for all users; Auth Methods - Read auth method properties; Certificates - Update certificate user IDs property; and User Properties - Update basic user properties. See the Permissions section above for the full list.
What are the security risks of the Privileged Authentication Administrator role?
Key considerations when assigning Privileged Authentication Administrator: CRITICAL: Can reset password for Global Administrator accounts; Can effectively take over any account in the organization; Can reset MFA effectively bypassing second factor; and Can delete or disable any user including Global Admins. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.