When someone is a Delegated (Designated) Admin, they should not have full control over Users. At present, a Delegated Admin (DA) can elevate an existing User to an DA role, as well as remove a User from their DA role. This should only be controlled by a Admin will full rights across the tenant, and it's a security issue to have this loophole in place.