Azure User Admin right to delete guest users

Question

I have User Admin role assigned and just noticed that am not able to delete external users. the user admin has right: microsoft.directory/users/delete and i guess that is not enough. the global admin has right: microsoft.directory/users/allProperties/allTasks

Create and delete users, and read and update all properties.

Do you know if there is any other role that grants the right to delete external users? or am i missing here something?

Answer 1

I have User Admin role assigned and just noticed that am not able to delete external users.

You can check user admin roles here. As per document as shown in below image for this User admin role Delete or Restore users is not applicable.

As per your requirement Global Administrator has this delete user access privilege. Here you can go through Global Administrator rights.

there is any other role that grants the right to delete external users?

• AFAIK the Global Administrator role is the only built-in role in Azure AD that grants the ability ** to delete external users but If you do not want to assign the Global Administrator role but still you want to be able to delete external users, you can create a custom role and assign the "microsoft.directory/users/delete" permission to it.

• In Azure You can create custom role in different ways like ~Using Azure portal. ~Using PowerShell ~Using CLI

• To create custom role using portal check your custom role is enabled or disabled as shown in below image Select your subscription or Resource group >> Access control >> +Add >> Add Custom role.

• Creating Custom role is bit complicated if you are ok with custom role follow these detailed steps in create custom role MS Document using Azure Portal.
• Create Custom role Using PowerShell