Granular Admin Permissions

I'd like more granular permissions for Admin Rights. Currently, to do anything admin-related (add/remove subgroups, update security users, change roles, etc) you have to give them the keys to the kingdom. I'd like to be able to separate what roles our team has. For example, Support should be able to reset passwords or update 2FA for Remote Workforce users, but shouldn't be able to edit configuration settings or touch Roles. Project/Onboarding team should be able to edit subgroups and add users, but shouldn't be able to touch other back-end configuration settings and change Roles. Right now, it's either give them access to everything, or have our few members with Admin rights get pulled in for anything that comes up for everything, even simple things. Thanks!