| title | Authentication Administrator |
|---|---|
| description | Authentication Administrator |
| ms.topic | include |
| ms.date | 01/26/2026 |
| ms.custom | include file |
This is a privileged role. Assign the Authentication Administrator role to users who need to do the following:
- Set or reset any authentication method (including passwords) for nonadministrators and some roles. For a list of the roles for which an Authentication Administrator can read or update authentication methods, see Who can reset passwords.
- Require users who are nonadministrators or assigned to some roles to re-register against existing nonpassword credentials (for example, MFA or FIDO), and revoke remember MFA on the device, which prompts for MFA on the next sign-in.
- Manage MFA settings in the legacy MFA management portal.
- Perform sensitive actions for some users. For more information, see Who can perform sensitive actions.
- Create and manage support tickets in Azure and the Microsoft 365 admin center.
Users with this role cannot do the following:
- Change the credentials or reset MFA for members and owners of a role-assignable group.
- Manage Hardware OATH tokens.
[!INCLUDE authentication-table-include]
Important
Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
- Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Authentication Administrators. Through this path, an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
- Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
- Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
- Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft Defender XDR portal, Microsoft Purview portal, and human resources systems.
- Nonadministrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.
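The exposure described above can be audited from a directory export. The following is an added example, not Microsoft's code: the `Account` record, the role placeholders and the sample data are constructed, and the set of resettable roles is an assumption to be filled in from the Who can reset passwords table.

```python
from dataclasses import dataclass

# Assumption: fill this from the "Who can reset passwords" table; placeholder value.
RESETTABLE_ROLES = frozenset({"ROLE_LISTED_AS_RESETTABLE"})

@dataclass
class Account:  # hypothetical record built from your own directory export
    upn: str
    roles: frozenset = frozenset()          # directory roles held; empty = nonadministrator
    in_role_assignable_group: bool = False  # member or owner of a role-assignable group
    owned_privileged_apps: tuple = ()       # owned apps that hold privileged permissions
    owned_subscriptions: tuple = ()         # Azure subscriptions owned
    owned_groups: tuple = ()                # security / Microsoft 365 groups owned

def resettable(acct, resettable_roles=RESETTABLE_ROLES):
    """True if an Authentication Administrator can change this account's credentials."""
    if acct.in_role_assignable_group:
        return False  # members and owners of role-assignable groups are out of reach
    return acct.roles <= frozenset(resettable_roles)  # every role held must be resettable

def exposure_report(accounts, resettable_roles=RESETTABLE_ROLES):
    """Return {upn: [reasons]} for resettable accounts that lead to further access."""
    report = {}
    for a in accounts:
        if not resettable(a, resettable_roles):
            continue
        reasons = []
        if a.owned_privileged_apps:
            reasons.append("owns privileged apps: " + ", ".join(a.owned_privileged_apps))
        if a.owned_subscriptions:
            reasons.append("owns Azure subscriptions: " + ", ".join(a.owned_subscriptions))
        if a.owned_groups:
            reasons.append("owns groups: " + ", ".join(a.owned_groups))
        if reasons:
            report[a.upn] = reasons
    return report

# Constructed sample data (not from any real tenant).
SAMPLE = [
    Account("dev@example.test", owned_privileged_apps=("payroll-sync",)),
    Account("ops@example.test", owned_subscriptions=("sub-prod",), in_role_assignable_group=True),
    Account("hr@example.test", roles=frozenset({"ROLE_LISTED_AS_RESETTABLE"}), owned_groups=("hr-confidential",)),
    Account("admin@example.test", roles=frozenset({"ROLE_NOT_LISTED"}), owned_groups=("all-staff",)),
    Account("intern@example.test"),
]

if __name__ == "__main__":
    for upn, reasons in exposure_report(SAMPLE).items():
        print(upn, "->", "; ".join(reasons))
```

Accounts that appear in the report are the ones whose credentials this role can change and whose ownership extends beyond the role's own permissions; the role-assignable group restriction listed earlier is what takes `ops@example.test` out of the report.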
