Christian

How to Give HR Password Reset Access Without Global Admin

Tags: microsoft-365, passwords, hr, delegation, security

Sarah's locked out and her interview starts in 10 minutes. HR pages IT. IT is in a meeting. The interview happens without her.

This is the password-reset bottleneck, and it's the single most common reason organizations end up with eight people on Global Admin who shouldn't be. The fix isn't more Global Admins. It isn't even Microsoft's built-in Password Administrator role — which solves a different problem than the one HR actually has. The fix is a scoped, audited delegation layer that lets the people closest to the user do the reset themselves, safely.

Why password resets keep ending up with IT

Most organizations follow the same path:

  1. Default state: only Global Admins can reset passwords. Every reset is an IT ticket.
  2. Stress fracture: the ticket queue grows. Someone in HR or ops asks for admin access "just for the password thing."
  3. Workaround: IT grants Global Admin. Now HR can reset passwords. They can also delete users, modify conditional access, read any mailbox, and disable MFA for the entire tenant.
  4. Compliance call: auditor asks "who has Global Admin?" and the list has eight names on it, two of whom left the company.

Step 3 is the trap. The reason it keeps happening is that Microsoft's built-in admin roles aren't designed for the HR use case — they're designed for sub-categories of IT work. Password Administrator, for example, gives the role-holder the ability to reset any user's password — but it also requires them to navigate the Microsoft 365 admin center, an interface optimized for IT pros.

A non-IT user dropped into the admin center will either:

  • Get overwhelmed and file a ticket anyway (the bottleneck returns)
  • Click around until they find something dangerous (the security exposure)

Neither outcome is what you wanted.

What "safe HR password reset access" actually looks like

Safe delegation has four properties. Skip any of them and you've recreated the original problem in a different shape.

1. Scoped to the action. The HR coordinator should be able to reset a password — and nothing else. Not create users (that's a different role). Not assign licenses. Not modify groups. Just: pick a user, generate a new temp password, hand it off.

2. Scoped to the audience. A password reset doesn't need access to the Azure portal, the Exchange admin center, or Entra ID's role assignment screens. The interface the HR coordinator sees should contain one screen: the user list, with a "Reset password" button.

3. Audited automatically. Every reset gets logged with the actor (who did it), the target (whose password), the timestamp, and the method (random vs typed). The audit log is immutable — admins can read it, nobody can delete entries. When the auditor or security team asks "who reset Sarah's password last Tuesday?", you have the answer in seconds.

4. Revocable in one click. When the HR coordinator leaves, their access vanishes the moment IT removes them from the portal. No lingering tokens, no Entra ID role to forget about, no cleanup PowerShell script to run.

What Microsoft's Password Administrator role gets wrong

On paper, Password Administrator looks like the right role:

Password Administrators can reset passwords for non-administrators and Password Administrators.

In practice it falls short of "safe HR password reset" on three counts:

  • No interface scoping. The role still grants access to the M365 admin center — the same screens Global Admins see. Most HR coordinators will get lost or click something they shouldn't.
  • All-or-nothing user scope. A Password Administrator can reset any non-admin's password. If you want HR to handle Sales department resets but not Engineering, the built-in role can't do that. Administrative Units help in theory, but the UX makes them fragile in practice.
  • Audit log lives in Azure Monitor. The action is logged, but reviewing those logs requires either KQL fluency or a SIEM. Not a workflow your HR director or compliance team will actually use.

If the password reset is the only thing HR needs to do, and you're a small org with a single department's users to manage, Password Administrator can technically work. If you're managing more than that — or you want a clean delegation pattern that scales to other routine M365 tasks (onboarding, license management, group membership) — you're going to want a delegation layer that sits on top of the Graph API.

The pattern that actually works

A focused delegation portal that authenticates via OAuth (no stored credentials), exposes only the operations the delegate needs, and writes every action to an immutable audit log.

For password resets specifically:

HR coordinator opens portal → picks user → clicks "Reset password"
  → system calls Microsoft Graph passwordReset endpoint on coordinator's
    behalf using their token
  → temp password is auto-generated (no typing required, no weak passwords)
  → temp password is shown ONCE in the UI for the coordinator to share
    with the user via whatever channel they normally use
  → audit log records: actor=hr@yourcompany.com, target=sarah@yourcompany.com,
    action=password.reset, timestamp=2026-05-19T14:32:08Z

The whole flow takes 15-30 seconds. The HR coordinator never sees the Azure portal. The auto-generated password is strong by default (you can't accidentally set "Spring2026!"). And the immutable audit trail means the compliance question has an answer.
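As an added example (not UserDesk's code and not a Microsoft API), the following Python sketch shows the delegation layer's reset handler with the four properties above: the actor is checked against a scope table, the target is refused if it is an admin or outside that scope, the temp password is generated rather than typed and is never logged, and every attempt (allowed or denied) lands in a hash-chained audit log whose integrity can be verified. The `DELEGATES` and `USERS` tables and all addresses are constructed sample data, and `graph_reset` is an injected stand-in for the Graph call a real portal would make on the coordinator's own OAuth token; revocation is simply removing the actor from `DELEGATES`.

```python
import hashlib, json, secrets, string
from datetime import datetime, timezone
# Constructed sample state (not real accounts): delegates with the departments they cover,
# plus the directory; admin targets are never in scope, mirroring Password Administrator.
DELEGATES = {"hr@example.com": {"Sales", "HR"}}
USERS = {"sarah@example.com": {"department": "Sales", "admin": False},
         "dev@example.com": {"department": "Engineering", "admin": False},
         "cto@example.com": {"department": "Engineering", "admin": True}}
AUDIT_LOG = []  # append-only; each entry commits to the previous entry's hash

def generate_temp_password(length=16):
    """Random temp password with all four character classes; the delegate never types one."""
    symbols = "!@#$%^&*"
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in symbols for c in pw)):
            return pw

def audit(actor, target, outcome):
    """Append a hash-chained entry; the temp password itself is never written to the log."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    entry = {"actor": actor, "target": target, "action": "password.reset", "method": "random",
             "outcome": outcome, "timestamp": ts, "prev": prev}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(entry)

def reset_password(actor, target, graph_reset):
    """The one operation a delegate may perform: returns the temp password to display once, or
    None (plus a 'denied' audit entry). graph_reset(target, pw) stands in for the Graph call."""
    scope, user = DELEGATES.get(actor), USERS.get(target)
    if scope is None or user is None or user["admin"] or user["department"] not in scope:
        audit(actor, target, "denied")
        return None
    temp = generate_temp_password()
    graph_reset(target, temp)  # real portal: Graph reset on the actor's delegated token
    audit(actor, target, "success")
    return temp

def verify_audit_chain():
    """True iff every entry's hash and back-link are intact (no in-place edits, no gaps)."""
    prev = "0" * 64
    for e in AUDIT_LOG:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != digest:
            return False
        prev = e["hash"]
    return True
```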

This is what UserDesk for M365 is built to provide. It uses Microsoft's standard OAuth flow — no agents to install, no stored credentials, no standing access to your tenant. Setup is a single Global Admin consent click, takes about 60 seconds, and then HR (or office coordinators, or team leads — whoever you want) can handle password resets themselves with full visibility for IT.

Related reading on the broader pattern: How to Safely Delegate Microsoft 365 User Management covers the role-tier architecture in depth, and Too Many Global Admins? explains why the alternative — just adding more Global Admins — is the worst answer to this problem.

Want to see it in action? The interactive demo lets you try the password reset workflow with sample data. No signup, no commitment. Click around for 2 minutes.
