I have created some limited administrators in my Azure Active Directory. These should only be able to manage certain users. For this I added the users that should be managed to an administrative unit and gave the administrators the "User Administrator" role for the administrative unit. They can now edit/manage all aspects of the users as intended. However, they cannot delete the users.
This should be possible. Here is the description of the user administrator role from Microsoft:
"Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitors service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User account administrators can change passwords for users, helpdesk administrators, and other user account administrators only".
The users in the administrative unit are of course not administrators.
If I assign the administrators the "user administrator" role for the whole AAD tenant, then they can delete users.
Here Microsoft also clearly describes that with this role you should have the right to delete users: https://docs.microsoft.com/de-de/azure/active-directory/roles/permissions-reference#user-administrator
Does anyone understand why this role does not work properly anymore if you assign it to an administrative unit?
Thanks in advance
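A diagnostic added here, not part of the original post: it reads back the administrative-unit-scoped role memberships, the unified role assignments whose `directoryScopeId` points at that AU, and the current permission list of the "User Administrator" role definition, so the actions the scoped role actually grants can be compared with the tenant-wide assignment. It assumes the Microsoft.Graph PowerShell SDK and an account allowed to read role and administrative-unit data; the AU name is a placeholder.

```powershell
# Added diagnostic (not the poster's code). Assumes the Microsoft.Graph PowerShell SDK.
# Replace the placeholder AU display name with your own before running.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

$auName = "<your administrative unit>"   # placeholder, not from the original post
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) { throw "Administrative unit '$auName' not found" }

# 1. Scoped role memberships: which role does each limited admin hold inside this AU?
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    ForEach-Object {
        [pscustomobject]@{
            Role   = (Get-MgDirectoryRole -DirectoryRoleId $_.RoleId).DisplayName
            Member = $_.RoleMemberInfo.DisplayName
        }
    }

# 2. Unified role assignments scoped to this AU (directoryScopeId = /administrativeUnits/<id>),
#    listed next to tenant-wide assignments (directoryScopeId = /) for the same role.
$scopeId = "/administrativeUnits/$($au.Id)"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '$scopeId'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId

# 3. Does the User Administrator role definition currently list the user delete action?
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$actions = $roleDef.RolePermissions.AllowedResourceActions
"User Administrator allowed actions: $($actions.Count)"
"Includes microsoft.directory/users/delete: $($actions -contains 'microsoft.directory/users/delete')"
```

Run the same steps against the tenant-wide assignment (scope `/`) to see whether the difference lies in the role definition or in the scope of the assignment.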