Commit 60c73ac

Helpdesk admin is the least privileged role to invalidate refresh tokens of non-admins; password admin does not have permissions for it.
Confirmed that password administrators do not have permissions to invalidate refresh tokens of non-admins by:

1. Document: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#password-administrator. The action needed to invalidate refresh tokens of non-admins is "microsoft.directory/users/invalidateAllRefreshTokens". As shown in the document above (and also confirmed via role descriptions), password administrators do not have this action.

2. Per tests in the lab. If a password administrator tries either /revokeSignInSessions or /invalidateallrefreshtokens per the following documents, 403 "no sufficient privileges" is returned.
   https://learn.microsoft.com/en-us/graph/api/user-invalidateallrefreshtokens?view=graph-rest-beta&tabs=http
   https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

   --------------------- sample returned error ---------------------
   "error": {
       "code": "Authorization_RequestDenied",
       "message": "Access to invalidate refresh tokens operation is denied.",
   --------------------- sample returned error ---------------------

Following is the list of roles with "microsoft.directory/users/invalidateAllRefreshTokens" permission:
- Authentication Administrator
- Directory Writers
- Helpdesk Admin
- Partner Tier1 Support
- Partner Tier2 Support
- Privileged Authentication Administrator
- User Administrator
- Global Administrator

Among the roles above, Helpdesk Administrator would be the least privileged per the following document.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#who-can-reset-passwords
1 parent 9bef0aa commit 60c73ac
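The commit message above verifies the role change in two ways: by reading which directory roles list the `microsoft.directory/users/invalidateAllRefreshTokens` action, and by observing the `Authorization_RequestDenied` 403 that Graph returns when a role lacks it. The following Python is an added example (not code from the azure-docs repository or from the commit author) that performs the same two checks over data: it filters a `roleDefinitions` payload for roles whose `allowedResourceActions` contain the action, and classifies a Graph error body. The role-definition payload and the error body are constructed samples shaped like the `unifiedRoleDefinition` objects returned by `GET /roleManagement/directory/roleDefinitions` and like the error quoted in the commit message; they cover only three roles with trimmed action lists, not a real tenant's full role set.

```python
"""Check which directory roles grant a resource action and interpret a Graph
authorization error.

Added example, not the azure-docs project's own code. SAMPLE_ROLE_DEFINITIONS
is CONSTRUCTED to mirror the shape of a roleDefinitions response
(value[].displayName, value[].rolePermissions[].allowedResourceActions);
it is a trimmed subset, not real tenant data.
"""

INVALIDATE_ACTION = "microsoft.directory/users/invalidateAllRefreshTokens"

# Constructed sample: three roles with action lists cut down to what the check
# needs. Real role definitions carry many more actions per role.
SAMPLE_ROLE_DEFINITIONS = {
    "value": [
        {
            "displayName": "Password Administrator",
            "rolePermissions": [
                {"allowedResourceActions": [
                    "microsoft.directory/users/password/update",
                ]}
            ],
        },
        {
            "displayName": "Helpdesk Administrator",
            "rolePermissions": [
                {"allowedResourceActions": [
                    "microsoft.directory/users/password/update",
                    "microsoft.directory/users/invalidateAllRefreshTokens",
                ]}
            ],
        },
        {
            "displayName": "User Administrator",
            "rolePermissions": [
                {"allowedResourceActions": [
                    "microsoft.directory/users/create",
                    "microsoft.directory/users/delete",
                    "microsoft.directory/users/invalidateAllRefreshTokens",
                ]}
            ],
        },
    ]
}

# Constructed copy of the 403 body quoted in the commit message.
SAMPLE_DENIED_RESPONSE = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Access to invalidate refresh tokens operation is denied.",
    }
}


def roles_granting(role_definitions: dict, action: str) -> list:
    """Return display names of roles that allow `action`.

    A role grants the action when any of its rolePermissions entries lists it
    under allowedResourceActions and does not list it under
    excludedResourceActions.
    """
    granted = []
    for role in role_definitions.get("value", []):
        for perm in role.get("rolePermissions", []):
            allowed = perm.get("allowedResourceActions", [])
            excluded = perm.get("excludedResourceActions", [])
            if action in allowed and action not in excluded:
                granted.append(role["displayName"])
                break  # one matching permission entry is enough
    return granted


def is_authorization_denied(response_body: dict) -> bool:
    """True when a Graph error body carries the Authorization_RequestDenied code.

    Used to tell a missing-permission 403 apart from other Graph errors when
    testing a role assignment, as the commit message did in the lab.
    """
    err = response_body.get("error") or {}
    return err.get("code") == "Authorization_RequestDenied"


if __name__ == "__main__":
    print("Roles granting", INVALIDATE_ACTION, ":",
          roles_granting(SAMPLE_ROLE_DEFINITIONS, INVALIDATE_ACTION))
    print("Sample 403 is an authorization denial:",
          is_authorization_denied(SAMPLE_DENIED_RESPONSE))
```

Against a live tenant the same `roles_granting` function can be fed the JSON from `GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions` (paged via `@odata.nextLink`), which is a more reliable way to audit which roles can revoke sessions than reading the docs alone; choosing the least privileged of the matching roles is still a judgment call, which is why the commit message falls back on the "who can reset passwords" reference for the ordering.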

File tree

1 file changed

+1
-1
lines changed


articles/active-directory/roles/delegate-by-task.md

Lines changed: 1 addition & 1 deletion
@@ -387,7 +387,7 @@ You can further restrict permissions by assigning roles at smaller scopes or by
387387
> | Create user | [User Administrator](permissions-reference.md#user-administrator) | |
388388
> | Delete users | [User Administrator](permissions-reference.md#user-administrator) | |
389389
> | Invalidate refresh tokens of limited admins | [User Administrator](permissions-reference.md#user-administrator) | |
390-
> | Invalidate refresh tokens of non-admins | [Password Administrator](permissions-reference.md#password-administrator) | [User Administrator](permissions-reference.md#user-administrator) |
390+
> | Invalidate refresh tokens of non-admins | [Helpdesk Administrator](permissions-reference.md#helpdesk-administrator) | [User Administrator](permissions-reference.md#user-administrator) |
391391
> | Invalidate refresh tokens of privileged admins | [Privileged Authentication Administrator](permissions-reference.md#privileged-authentication-administrator) | |
392392
> | Read basic configuration | [Default user role](../fundamentals/users-default-permissions.md) | |
393393
> | Reset password for limited admins | [User Administrator](permissions-reference.md#user-administrator) | |
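Review bot: the third column of the changed row still lists only User Administrator as the additional role for "Invalidate refresh tokens of non-admins", while the commit message lists several other roles holding microsoft.directory/users/invalidateAllRefreshTokens (Authentication Administrator, Privileged Authentication Administrator, Global Administrator, among others); consider whether that column should be updated in the same change so the row stays consistent with the evidence cited. Also confirm that the new anchor permissions-reference.md#helpdesk-administrator resolves, since the commit message cites #password-administrator and #who-can-reset-passwords but not a Helpdesk Administrator section.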
