Assigning the User Administrator admin role in Azure AD
User management is usually assigned to helpdesk resources rather than to a global admin. This recipe outlines the steps for assigning the user management admin role to users. This role gives its members an appropriate level of permission to manage users, without all the access and abilities granted to the global admin role. Let's assign the User Administrator admin role to a user.
You'll need access to Azure AD and the Global administrator or Privileged Role administrator role to assign other admin roles.
How to do it…
- Go to Azure AD at https://aad.portal.azure.com.
- Select Azure Active Directory from the left navigation menu.
- Select Roles and administrators from beneath the Manage header.
- Search or scroll the list until you locate User administrator, then select it.
- Select Add assignments.
- Select each shared service account or individual user you want added to this role group. The search bar can help find specific accounts more quickly. When finished, select Add.
- You may now exit Azure AD.
How it works…
You've just used Azure AD to assign the User Administrator admin role. Users and accounts assigned to the user management role can reset passwords, create and manage users and groups, filter and manage service requests, and monitor service health. Azure AD is the preferred method of assigning roles because you can assign to multiple accounts at once. As you'll see in the next recipe, the Microsoft 365 Admin Center only allows one account to be assigned at a time.
Use shared service accounts (for example, [email protected]) to minimize the administrative tasks involved during employee turnover and onboarding.
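The same multi-account assignment can be scripted and then reviewed. The following is an added example, not part of the original recipe; it assumes the Microsoft Graph PowerShell SDK is installed, and the two account names are placeholders.

```powershell
# Added example: requires the Microsoft.Graph PowerShell SDK.
# The signed-in account must hold Global Administrator or Privileged Role Administrator.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Placeholder accounts (assumed); replace with the accounts you would pick in the portal.
$upns = @('helpdesk1@contoso.example', 'helpdesk2@contoso.example')

# Resolve the built-in role by display name rather than hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
if (-not $role) { throw 'User Administrator role definition not found.' }

# Existing tenant-wide assignments, so reruns do not attempt duplicates.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($role.Id)'" |
    Where-Object DirectoryScopeId -eq '/'

foreach ($upn in $upns) {
    $user = Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "Not found, skipped: $upn"; continue }
    if ($existing.PrincipalId -contains $user.Id) {
        Write-Host "Already assigned: $upn"; continue
    }
    # DirectoryScopeId '/' means the whole tenant, matching the portal steps above.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned User Administrator: $upn"
}

# Review step: list every principal that now holds the role, at any scope.
Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object {
        $p = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            PrincipalId = $_.PrincipalId
            Name        = $p.AdditionalProperties['userPrincipalName']
            Scope       = $_.DirectoryScopeId
        }
    }
```

Running the final listing on a schedule and comparing it with the expected helpdesk roster is a simple way to notice role assignments nobody approved.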
- Learn more about this role, and all others available in Azure AD, at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles.