What can the Office 365 “Password Administrator” / “Helpdesk Administrator” role do?

As stated in my previous blog article ‘What can the Office 365 “Service Administrator” / “Service Support Administrator” role do?’, Office 365 tenant owners often use this role to delegate common administrator tasks in Office 365. The Microsoft documentation for the Office 365 admin roles is here: https://support.office.com/en-ie/article/about-office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d.

So what exactly can a user with the Password Administrator Role do?

Note that the equivalent Azure AD administrator role name is Helpdesk Administrator. This is the role name used in the Microsoft Graph and Azure AD Graph APIs. It is described in the Azure AD admin roles documentation as being able to:

Password Administrator / Helpdesk Administrator: Users with this role can reset passwords, manage service requests, and monitor service health. Password administrators can reset passwords only for users and other password administrators.

Although this role is described as being limited to those activities, in reality it has access to more, both in the Office 365 Admin Portal and through the MSOnline PowerShell module.
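Because the role reaches further than its description suggests, a tenant owner will want to know exactly who holds it. The following MSOnline script is an added example, not code from the original article: it enumerates the members of the Helpdesk Administrator role (the name the MSOnline module uses for Password Administrator) and, for each member, lists any other directory roles they also hold, so that a helpdesk account that has quietly accumulated higher privileges stands out. The cmdlets are the real MSOnline cmdlets; the assumptions are that the MSOnline module is installed and that the signed-in account is allowed to read role membership.

```powershell
# Added example (not from the original article): audit who holds the
# Helpdesk Administrator / Password Administrator role and whether those
# accounts also hold other directory roles.
# Assumptions: the MSOnline module is installed, and the account used for
# Connect-MsolService can read directory role membership.

Import-Module MSOnline
Connect-MsolService    # interactive sign-in to the tenant

# Display name under which Azure AD / MSOnline exposes this role
$roleName = 'Helpdesk Administrator'

$role    = Get-MsolRole -RoleName $roleName
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

# Index every directory role by the ObjectIds of its members.
# ObjectId is used rather than EmailAddress because service principals
# and some guest accounts have no e-mail address.
$allRoles  = Get-MsolRole
$roleIndex = @{}
foreach ($r in $allRoles) {
    $roleIndex[$r.Name] = @(Get-MsolRoleMember -RoleObjectId $r.ObjectId |
                            Select-Object -ExpandProperty ObjectId)
}

# One row per Helpdesk Administrator, with any additional roles they hold
$report = foreach ($m in $members) {
    $otherRoles = $allRoles |
        Where-Object { $_.Name -ne $roleName -and
                       $roleIndex[$_.Name] -contains $m.ObjectId } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        User            = $m.EmailAddress
        DisplayName     = $m.DisplayName
        MemberType      = $m.RoleMemberType
        OtherAdminRoles = ($otherRoles -join '; ')
    }
}

$report | Sort-Object User | Format-Table -AutoSize
```

Rows with a non-empty OtherAdminRoles column are the ones worth a second look, since a single account holding Helpdesk Administrator alongside, for example, Exchange or User Administrator can both reset passwords and change the objects it reads. Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, but the cmdlets above are the ones the module discussed in this article provides.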

In the Office 365 Portal, Password Administrator / Helpdesk Administrator has access to the following:

  • Can view user listings and user specific information (such as administrator role, license information, phone number)
  • Only the password can be changed on the user object
  • Can view groups and group information (such as owner and members)
  • Can view support requests and create new ones
  • Can only view basic Security & compliance reports
  • Can view Service Health and tenant Message Center messages

They can launch the Azure AD Admin Center (Dashboard). They are limited to view access, but can see Azure AD tenant-level settings such as whether users can self-register applications, and device settings. Note: there is an Azure AD setting that can restrict access to the Azure AD administrator portal, as shown here:

Similarly, there are some Office 365 application admin centers (portals) that can be launched, and some that cannot. A general rule here is that although a user with this administrator role can launch a particular admin center, they are confined to view (read) access and cannot make changes.

A Password Administrator can Launch the Exchange admin center

Surprisingly, a Password Administrator / Helpdesk Administrator can launch the Exchange Online administrator portal. The user is limited to read operations, and can:

  • View mailbox information (a listing of mailboxes and per-mailbox details)
  • View Exchange Administrator role assignments
  • Read basically all of the data in the Exchange admin center

A Password Administrator can Launch the Skype for Business admin center

Much like the Exchange admin center, most access is read-only.

What is not a good experience is that, when logged into the Skype for Business admin center as a Password Administrator / Helpdesk Administrator, the portal allows the user to open the edit dialogs, and only enforces read-only access when the edits are saved, as shown here when an attempt was made to add a new “emergency location”.

A Password Administrator can Launch the Security and Compliance Center

Similarly to the Skype and Exchange admin centers, most access is read-only, including access to Anti-malware, ATP Safe Attachments, ATP Safe Links, spam settings, and Reports.

Access to the SharePoint Online Admin Center is Disabled

A Password Administrator cannot launch the SPO admin center.

The OneDrive for Business Admin Center is Disabled

A Password Administrator cannot launch the OneDrive admin center. They will get an error message like this:
