Hello,
I wrote myself a little user management tool using the Graph API (Microsoft.Azure.ActiveDirectory.GraphClient). If I let the tool sign in with a user that only has the "User" role assigned,
it cannot create or delete users, but it can assign new passwords to other users with the following code:
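// Look up the target account among all users returned by getUsers().
// NOTE(review): the predicate compares against CurrentUser.UserPrincipalName, so as written this
// selects the signed-in user's own record — confirm that is the intended target.
List<IUser> users = await getUsers().ConfigureAwait(false);
IUser userToModify = users.Find(user => user.UserPrincipalName == CurrentUser.UserPrincipalName);
if (userToModify == null)
{
    // Find() returns null when nothing matches; fail explicitly instead of with a NullReferenceException
    // on the property assignments below.
    throw new System.InvalidOperationException("No user found with UPN '" + CurrentUser.UserPrincipalName + "'.");
}

// Set the new password without forcing a change at next sign-in.
userToModify.PasswordProfile = new PasswordProfile
{
    Password = password,
    ForceChangePasswordNextLogin = false,
};

// Note: this policy string turns off both password expiration and the tenant's strong-password
// enforcement for the account being updated.
userToModify.PasswordPolicies = "DisablePasswordExpiration, DisableStrongPassword";

await userToModify.UpdateAsync().ConfigureAwait(false);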
Below is the code used to authenticate against AD:
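/// <summary>
/// Async wrapper around <see cref="GetTokenForUser"/>.
/// </summary>
/// <remarks>
/// The acquisition underneath uses ADAL's blocking <c>AcquireToken</c> overloads, so this method runs
/// entirely on the caller's thread and the returned task is already complete. The <c>async</c>
/// modifier is kept so that a failure in <see cref="GetTokenForUser"/> surfaces as a faulted task
/// (what existing awaiting callers expect) rather than as a synchronous throw.
/// </remarks>
/// <returns>Token for user.</returns>
public static async Task<string> AcquireTokenAsyncForUser()
{
    return GetTokenForUser();
}

/// <summary>
/// Get Token for User, caching it in <c>TokenForUser</c> for the lifetime of the process.
/// </summary>
/// <remarks>
/// NOTE(review): the cache is only refilled while <c>TokenForUser</c> is null, so once acquired the
/// same token is handed out indefinitely, including after it has expired. ADAL's
/// <c>AuthenticationResult.ExpiresOn</c> could be recorded alongside it to invalidate the cache —
/// TODO confirm how callers currently react to a rejected token.
/// </remarks>
/// <returns>Token for user.</returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>Configuration.AuthenticationMode</c> is neither of the two modes handled here.
/// </exception>
public static string GetTokenForUser()
{
    if (TokenForUser != null)
    {
        return TokenForUser;
    }

    // NOTE(review): the second constructor argument is ADAL's validateAuthority flag; passing false
    // disables validation of Constants.AuthString. Unless the authority is a non-AAD endpoint
    // (e.g. ADFS), leaving validation enabled guards against a misconfigured or look-alike authority.
    AuthenticationContext authenticationContext = new AuthenticationContext(Constants.AuthString, false);

    AuthenticationResult userAuthnResult;
    if (Configuration.AuthenticationMode == AuthenticationMode.ProvidedCredentials)
    {
        // The username/password pair from Configuration is sent straight to the token endpoint,
        // which means the tool's configuration holds a reusable plaintext credential.
        var userCredentials = new UserCredential(Configuration.UserName, Configuration.Password);
        userAuthnResult = authenticationContext.AcquireToken(Constants.ResourceUrl, Constants.ClientIdForUserAuthn, userCredentials);
    }
    else if (Configuration.AuthenticationMode == AuthenticationMode.CredentialsDialog)
    {
        // PromptBehavior.Always forces the interactive sign-in dialog every time this branch runs,
        // i.e. whenever the process-wide cache is still empty. The redirect URI is only needed here.
        var redirectUri = new Uri("https://localhost");
        userAuthnResult = authenticationContext.AcquireToken(Constants.ResourceUrl, Constants.ClientIdForUserAuthn, redirectUri, PromptBehavior.Always);
    }
    else
    {
        throw new InvalidOperationException("Invalid mode: " + Configuration.AuthenticationMode);
    }

    TokenForUser = userAuthnResult.AccessToken;
    return TokenForUser;
}

/// <summary>
/// Get Active Directory Client for User.
/// </summary>
/// <remarks>
/// The client receives a token-provider delegate rather than a fixed token; when the library asks
/// for a token it calls <see cref="AcquireTokenAsyncForUser"/>, which serves the cached value.
/// </remarks>
/// <returns>ActiveDirectoryClient for User.</returns>
public static ActiveDirectoryClient GetActiveDirectoryClientAsUser()
{
    Uri servicePointUri = new Uri(Constants.ResourceUrl);
    // Relative resolution against the resource URL: TenantId becomes the service-root path.
    Uri serviceRoot = new Uri(servicePointUri, Constants.TenantId);
    // Method group in place of an async lambda that only awaited the same call.
    return new ActiveDirectoryClient(serviceRoot, AcquireTokenAsyncForUser);
}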
Any idea why this is possible?