Office 365 Password Admin: Remove Write Permission to Exchange & Skype Admin Center
Currently the role "Password Administrator" in Office 365 restricts access to the SharePoint Admin Center, but allows access to the Exchange & Skype for Business Admin Centers as well as write permission to certain settings there. I would argue that a majority of the organisations assigning "Password Administrator" to users would not like to have them fiddling with Exchange Online Settings.
It also seems to allow access to Azure AD Admin Center but I have not tested this.
Please follow POLP and restrict access for Password Admins to ONLY reset passwords, nothing else.
Olie Denyer commented
User Management role has the same rights as the Skype Admin role... Why oh why would you do this? I do not want users normally assigned this role to be able to make global configuration changes to Skype. Please provide more granular RBAC for O365!
Please remove the ability for "Password Administrators" to run Message Trace reports! A password email admin should not be able to run a report that shows him all the subject lines of every email in the whole organization!!!