To delegate administrative permissions over a specific subset of users, such as executives, while adhering to the principle of least privilege, an administrative unit (AU) is the appropriate object type. An AU acts as a container to scope the application of roles.

The Authentication Administrator role is the most precise choice because it grants permissions to both reset passwords and manage multi-factor authentication (MFA) settings for users within its assigned scope. Other roles like Helpdesk Administrator or Password Administrator are insufficient as they can reset passwords but cannot manage MFA, failing to meet all the requirements of the dedicated support team.

Microsoft Entra ID Documentation, "Administrative units in Microsoft Entra ID." This document explicitly states, "you can use administrative units to delegate administrative permissions over subsets of users... For example, you could use administrative units to delegate the Helpdesk Administrator role to a regional support specialist, so they can manage users only in the region that they support." This directly supports using AUs for scoped administration.

Microsoft Entra ID Documentation, "Microsoft Entra built-in roles," Section: "Authentication Administrator." The description for this role confirms that users with this role can "require users to re-register for existing non-password credentials (for example, MFA or FIDO)... Can also reset passwords for non-administrators and some roles." This validates its suitability for both required tasks.

Microsoft Entra ID Documentation, "Microsoft Entra built-in roles," Section: "Helpdesk Administrator." The documentation clarifies that this role can "Reset passwords for non-administrators," but it does not list any permissions related to managing MFA settings, making it an incorrect choice.