Microsoft Entra ID · Remaining Built-in Roles

User Administrator

Can create users and groups, and manage all aspects of users and groups, including resetting passwords for limited admins. This is a privileged role with significant scope.

Scope: Organization-wide user and group management (excluding high-privilege admin roles)

Permissions

  • User Management - Add users
  • User Management - Delete users
  • User Management - Disable users
  • User Management - Enable users
  • User Properties - Update basic properties on users
  • User Management - Update manager for users
  • Password Reset - Reset passwords for users, including limited admins (not highly privileged admin roles)
  • User Properties - Update photo of users
  • UPN Management - Update User Principal Name
  • Licensing - Manage user licenses
  • Session Management - Force sign-out by invalidating refresh tokens
  • User Recovery - Restore deleted users
  • Guest Management - Invite guest users
  • Guest Management - Convert external to internal user
  • Group Management - Create Security and Microsoft 365 groups
  • Group Management - Delete groups (excluding role-assignable)
  • Group Properties - Update group properties
  • Group Membership - Update group membership
  • Group Ownership - Update group owners
  • Group Recovery - Restore deleted groups
  • Group Settings - Update group settings
  • Contacts - Create contacts
  • Contacts - Delete contacts
  • Entitlement - Manage entitlement management
  • Access Reviews - Manage group access reviews
  • Service Principals - Update service principal role assignments
  • OAuth - Manage OAuth 2.0 permission grants

Common use cases

  • HR-driven user lifecycle management (joiner/mover/leaver)
  • IT helpdesk user support and password resets
  • Group administration and membership management
  • Password reset operations for end users and limited admins
  • User onboarding and provisioning workflows
  • License assignment and management
  • Guest user invitation and management
  • User property updates (job title, department, manager)
  • Group creation for access management
  • User account recovery and restoration
  • Bulk user operations and imports
  • Self-service group management delegation
  • Entitlement management configuration

Best practices

  • Consider using Administrative Units for scoped access
  • Use with self-service password reset to reduce workload
  • Implement group-based licensing for efficiency
  • Use dynamic groups where appropriate
  • Consider PIM for just-in-time access
  • Delegate group ownership to business units
  • Implement naming conventions for users and groups
  • Use Azure AD B2B for guest management
  • Enable self-service group management where appropriate
  • Configure user and group provisioning from HR systems
  • Implement access reviews for group membership
  • Use automation for routine user lifecycle tasks
  • Set up alerts for bulk user changes
  • Document standard user provisioning procedures
  • Review assigned users quarterly for necessity

Security considerations

  • This is a privileged role - can reset passwords for many users
  • Can reset passwords for Helpdesk Admins, Password Admins, and some other roles
  • Cannot reset passwords for Global Admin, Privileged Role Admin, or Privileged Auth Admin
  • Can create backdoor accounts if not monitored
  • Can invite guest users, potentially bypassing controls
  • Can modify group memberships affecting access to resources
  • Can delete users and groups causing disruption
  • Monitor for bulk user creation or deletion
  • Alert on password resets for admin accounts
  • Consider using Administrative Units to limit scope
  • Implement Just-in-Time access via PIM
  • Can assign licenses, potentially incurring costs
  • Review guest invitations periodically
  • Monitor for privilege escalation via group membership
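As an added example, not part of this role reference or of RBACMap, the following Python runs two of the checks listed above (password resets against admin accounts, and bulk user creation by one actor) over constructed audit records shaped like Microsoft Graph directoryAudit entries; the sample data and the ADMIN_ACCOUNTS set are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped like Microsoft Graph directoryAudit entries
# (activityDisplayName, initiatedBy, targetResources); every value here is invented.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-05-01T09:00:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "useradmin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "helpdesk.lead@contoso.example"}]},
    {"activityDateTime": "2024-05-01T09:01:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "useradmin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example"}]},
] + [
    {"activityDateTime": f"2024-05-01T10:{i:02d}:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "useradmin@contoso.example"}},
     "targetResources": [{"userPrincipalName": f"new{i}@contoso.example"}]}
    for i in range(12)
]
# Hypothetical set of accounts holding directory roles; in practice build it from role assignments.
ADMIN_ACCOUNTS = {"helpdesk.lead@contoso.example", "ga@contoso.example"}

def _actor(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")

def admin_password_resets(records, admin_accounts):
    """(actor, target) pairs for password resets whose target holds an admin role."""
    return [(_actor(r), t.get("userPrincipalName"))
            for r in records if r.get("activityDisplayName") == "Reset user password"
            for t in r.get("targetResources", []) if t.get("userPrincipalName") in admin_accounts]

def bulk_user_creations(records, threshold=10, window=timedelta(hours=1)):
    """Actors whose 'Add user' events reach `threshold` inside any sliding time `window`."""
    per_actor = defaultdict(list)
    for rec in records:
        if rec.get("activityDisplayName") == "Add user":
            per_actor[_actor(rec)].append(datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak  # peak = most creations seen within one window
    return flagged
```

Both functions return findings rather than printing them, so they can feed an alert pipeline; tune `threshold` and `window` to the tenant's normal provisioning volume.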
