---
title: Privileged Authentication Administrator
description: Privileged Authentication Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---

Privileged label icon.

This is a privileged role. Assign the Privileged Authentication Administrator role to users who need to do the following:

  • Set or reset any authentication method (including passwords) for any user, including Global Administrators.
  • Delete or restore any users, including Global Administrators. For more information, see Who can perform sensitive actions.
  • Force users to re-register against existing non-password credentials (such as MFA or FIDO2) and revoke "remember MFA on this device", prompting all users for MFA on their next sign-in.
  • Update sensitive properties for all users. For more information, see Who can perform sensitive actions.
  • Create and manage support tickets in Azure and the Microsoft 365 admin center.
  • Configure certificate authorities with a PKI-based trust store (preview).

Users with this role cannot do the following:

  • Manage per-user MFA in the legacy MFA management portal.

[!INCLUDE authentication-table-include]

> [!IMPORTANT]
> Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Microsoft Entra ID. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
>
>   • Application Registration and Enterprise Application owners, who can manage credentials of apps they own. Those apps may have privileged permissions in Microsoft Entra ID and elsewhere not granted to Authentication Administrators. Through this path an Authentication Administrator can assume the identity of an application owner and then further assume the identity of a privileged application by updating the credentials for the application.
>   • Azure subscription owners, who may have access to sensitive or private information or critical configuration in Azure.
>   • Security Group and Microsoft 365 group owners, who can manage group membership. Those groups may grant access to sensitive or private information or critical configuration in Microsoft Entra ID and elsewhere.
>   • Administrators in other services outside of Microsoft Entra ID like Exchange Online, Microsoft 365 Defender portal, Microsoft Purview portal, and human resources systems.
>   • Non-administrators like executives, legal counsel, and human resources employees who may have access to sensitive or private information.

[!div class="mx-tableFixed"]

| Actions | Description |
| --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
| microsoft.directory/deletedItems.users/restore | Restore soft deleted users to original state |
| microsoft.directory/users/authenticationMethods/basic/update<br/>Privileged label icon. | Update basic properties of authentication methods for users |
| microsoft.directory/users/authenticationMethods/create<br/>Privileged label icon. | Update authentication methods for users |
| microsoft.directory/users/authenticationMethods/delete<br/>Privileged label icon. | Delete authentication methods for users |
| microsoft.directory/users/authenticationMethods/standard/read<br/>Privileged label icon. | Read standard properties of authentication methods for users |
| microsoft.directory/users/authorizationInfo/update | Update the multivalued Certificate user IDs property of users |
| microsoft.directory/users/basic/update | Update basic properties on users |
| microsoft.directory/users/delete<br/>Privileged label icon. | Delete users |
| microsoft.directory/users/disable<br/>Privileged label icon. | Disable users |
| microsoft.directory/users/enable<br/>Privileged label icon. | Enable users |
| microsoft.directory/users/invalidateAllRefreshTokens<br/>Privileged label icon. | Force sign-out by invalidating user refresh tokens |
| microsoft.directory/users/manager/update | Update manager for users |
| microsoft.directory/users/password/update<br/>Privileged label icon. | Reset passwords for all users |
| microsoft.directory/users/restore | Restore deleted users |
| microsoft.directory/users/userPrincipalName/update<br/>Privileged label icon. | Update User Principal Name of users |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
| microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
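Because every holder of this role can reset credentials for any user, including Global Administrators (see the important note above), the two things an operator usually wants are a short, reviewed list of who holds it and a view of what those holders changed on user accounts. The following Microsoft Graph PowerShell script is an added example, not code from this documentation page or from Microsoft: it resolves the built-in role by display name, compares the tenant's allowed actions with the table above, lists active assignments, and pulls the recent UserManagement audit events those holders initiated. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the RoleManagement.Read.Directory, Directory.Read.All and AuditLog.Read.All scopes; the action-to-privileged-label mapping is taken from the table on this page, and the 7-day window is an arbitrary choice.

```powershell
# Added example (not code from the docs page or from Microsoft): inventory holders of the
# Privileged Authentication Administrator role, check the tenant's role definition against
# the actions documented on this page, and review what those holders did to user accounts.
# Assumes: Microsoft Graph PowerShell SDK installed; signed-in account has the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All" -NoWelcome

# Actions documented on this page; $true marks the ones carrying the privileged label.
$documentedActions = @{
  "microsoft.azure.serviceHealth/allEntities/allTasks"            = $false
  "microsoft.azure.supportTickets/allEntities/allTasks"           = $false
  "microsoft.directory/deletedItems.users/restore"                = $false
  "microsoft.directory/users/authenticationMethods/basic/update"  = $true
  "microsoft.directory/users/authenticationMethods/create"        = $true
  "microsoft.directory/users/authenticationMethods/delete"        = $true
  "microsoft.directory/users/authenticationMethods/standard/read" = $true
  "microsoft.directory/users/authorizationInfo/update"            = $false
  "microsoft.directory/users/basic/update"                        = $false
  "microsoft.directory/users/delete"                              = $true
  "microsoft.directory/users/disable"                             = $true
  "microsoft.directory/users/enable"                              = $true
  "microsoft.directory/users/invalidateAllRefreshTokens"          = $true
  "microsoft.directory/users/manager/update"                      = $false
  "microsoft.directory/users/password/update"                     = $true
  "microsoft.directory/users/restore"                             = $false
  "microsoft.directory/users/userPrincipalName/update"            = $true
  "microsoft.office365.serviceHealth/allEntities/allTasks"        = $false
  "microsoft.office365.supportTickets/allEntities/allTasks"       = $false
  "microsoft.office365.webPortal/allEntities/standard/read"       = $false
}

# 1. Resolve the built-in role definition by display name and diff its allowed actions
#    against the documented list. Drift in either direction is worth a closer look.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
  -Filter "displayName eq 'Privileged Authentication Administrator'"
$tenantActions = $roleDef.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
$undocumented  = $tenantActions | Where-Object { -not $documentedActions.ContainsKey($_) }
$missing       = $documentedActions.Keys | Where-Object { $tenantActions -notcontains $_ }
Write-Host "Role definition id: $($roleDef.Id)"
if ($undocumented) { Write-Warning "Actions not on the documented list: $($undocumented -join ', ')" }
if ($missing)      { Write-Warning "Documented actions absent from tenant: $($missing -join ', ')" }

# 2. Active assignments (direct, group-based or PIM-activated). Each holder can reset
#    credentials for any user, Global Administrators included, so this list should be short.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
  -Filter "roleDefinitionId eq '$($roleDef.Id)'" -ExpandProperty Principal
$holders = @{}
foreach ($a in $assignments) {
  $p    = $a.Principal
  $name = $p.AdditionalProperties['userPrincipalName']
  if (-not $name) { $name = $p.AdditionalProperties['displayName'] }
  $holders[$p.Id] = $name
  Write-Host ("{0,-45} {1,-30} scope={2}" -f $name, $p.AdditionalProperties['@odata.type'], $a.DirectoryScopeId)
}

# 3. What those holders did to user accounts recently. The UserManagement category covers
#    password resets, authentication method changes, UPN updates and delete/restore.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogDirectoryAudit -All `
  -Filter "category eq 'UserManagement' and activityDateTime ge $since"
$events |
  Where-Object { $_.InitiatedBy.User -and $holders.ContainsKey($_.InitiatedBy.User.Id) } |
  ForEach-Object {
    [pscustomobject]@{
      When     = $_.ActivityDateTime
      Actor    = $holders[$_.InitiatedBy.User.Id]
      Activity = $_.ActivityDisplayName
      Target   = ($_.TargetResources | ForEach-Object { $_.UserPrincipalName }) -join ';'
      Result   = $_.Result
    }
  } | Sort-Object When -Descending | Format-Table -AutoSize
```

Step 2 only returns active assignments; tenants using PIM should also review eligible assignments (the role eligibility schedule instances) so that users who can activate the role on demand are not missed. Step 3 filters client-side on the initiator's object ID, so any audit event with a target that is itself a privileged account (an app owner, subscription owner or group owner from the note above) is a candidate for follow-up even when the activity itself looks routine.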