Assigning the User Administrator admin role in Azure AD
User management is usually assigned to helpdesk resources rather than to a global admin. This recipe outlines the steps to assign user management admin roles to users. This role gives its members an appropriate level of permission to manage users, but not all the access and abilities granted to the global admin role. Let's assign the User Administrator admin role to a user.
Getting ready
You'll need access to Azure AD and the Global administrator or Privileged Role administrator role to assign other admin roles.
How to do it…
- Go to Azure AD at https://aad.portal.azure.com.
- Select Azure Active Directory from the left navigation menu:
Figure 2.35 – Azure Active Directory highlighted in the left-hand navigation menu in the Azure AD admin center
- Select Roles and administrators from beneath the Manage header:
Figure 2.36 – Roles and administrators highlighted in the Manage section
- Search or scroll the list until you locate User administrator, then select it:
Figure 2.37 – User administrator role highlighted in Administrative roles search results
- Select Add assignments:
Figure 2.38 – Add assignments option in the Assignments screen of the User administrator role details
- Select each shared service account or individual user you want added to this role group. The search bar can help find specific accounts more quickly. When finished, select Add:
Figure 2.39 – Selected users being added to an admin role in Azure AD
- You may now exit Azure AD:

Figure 2.40 – The confirmation notification that appears once users are successfully assigned
How it works…
You've just used Azure AD to assign the User Administrator admin role. Users and accounts assigned to the user management role can reset passwords, create and manage users and groups, filter and manage service requests, and monitor service health. Azure AD is the preferred method of assigning roles because you can assign to multiple accounts at once. As you'll see in the next recipe, the Microsoft 365 Admin Center only allows one account to be assigned at a time.
Tip
Use shared service accounts (for example, helpdesk@natechamberlain.com) to minimize the administrative tasks involved during employee turnover and onboarding.
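The same multi-account assignment can be scripted and re-run safely. The following is an added example, not part of the original recipe: it assumes the Microsoft Graph PowerShell module is installed, and the second account name is a placeholder.

```powershell
# Added example. Sign in with the Global administrator or Privileged Role
# administrator role, the same roles the recipe requires.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Accounts to add. The first is the shared account from the Tip; the second
# is a placeholder for illustration.
$upns = @('helpdesk@natechamberlain.com', 'second.admin@example.com')

# Resolve the built-in role by display name rather than hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
if (-not $role) { throw 'User Administrator role definition not found.' }

# Collect existing tenant-wide assignments so a re-run does not create duplicates.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All
$assignedIds = @($existing | Where-Object DirectoryScopeId -eq '/' | ForEach-Object PrincipalId)

foreach ($upn in $upns) {
    $user = Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "$upn not found, skipped"
        continue
    }
    if ($assignedIds -contains $user.Id) {
        Write-Host "$upn already holds the role"
        continue
    }
    # DirectoryScopeId '/' means the assignment applies to the whole tenant.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "$upn assigned"
}

# List every principal that now holds the role so the membership can be reviewed.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    ForEach-Object {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            PrincipalId = $_.PrincipalId
            DisplayName = $principal.AdditionalProperties['displayName']
            Scope       = $_.DirectoryScopeId
        }
    }
```

The final listing is worth keeping with your change records, since every account it shows can reset passwords and manage users and groups.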
See also
- Learn more about this role, and all others available in Azure AD, at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles.