#40399 Returning issue: Access denied when resetting password

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
4.4.3
PHP version
8.1.27
Admin Tools version
7.4.8

Latest post by nicholas on Wednesday, 06 March 2024 08:53 CST

jjst135

Hi!

We encounter the same issue we had before. See ticket #39082

The issue only occurs when users are in more than one usergroup. (Registered + usergroup with backend access). Normal registered users don't have this issue.

Admin Tools -> WAF -> Hardening options -> Disable creating / editing users from the frontend

ON -> User cannot save a new password in the 'forgot password' procedure. (Access denied when trying to save the new password)
OFF -> User can save the password OK.

Can you help us out with this?

Kind regards,
Jip

nicholas
Akeeba Staff
Manager

I mean, you have already figured it out. You need to disable the "Disable creating / editing users from the frontend" feature.

If you go to Components, Admin Tools, Web Application Firewall, Configure WAF, Hardening Options tab and click on the Toggle Inline Help toolbar button you will see that the description for this feature reads the following:

You should normally be unable to create a new user with administrative backend login privileges from the public frontend. When this option is enabled it will treat attempts to create this kind of accounts as hacking attempts and block them from executing. This addresses some of the most notorious zero day attacks in Joomla! which took place between 2015 and 2016.

So, yup, enabling this feature will prevent you from creating or editing any user account with backend access from the frontend of the site. When you use the Forgot Password feature what happens is that you are indeed editing the user. The first step edits the user to set them as unauthorised, the second step reverses that change and changes their password. These are user edits, and they are blocked.

This is not a bug, it's a desirable feature. If this feature is disabled and someone knows the email address of your admin user they can keep triggering the password reset, essentially blocking the admin user from accessing the site (since they will be perpetually unauthorised). This can be exploited by an attacker to lock out your regular admins while they are attacking the backend of your site.

Moreover, this feature blocks the kind of unauthorised user changes which were possible back in 2015 with a widely exploited zero-day vulnerability in Joomla!. If Joomla!, or a third party extension (and it's happened recently with a number of third party extensions!), has a vulnerability which allows an unauthorised user to change your admin user's email, user group assignments, or blocked status this feature will prevent attackers from exploiting the vulnerability, protecting your site.

If you absolutely want self-service password resets for backend users -- a practice that is widely considered VERY INSECURE -- you can of course disable this feature in Admin Tools. Just keep in mind that what you are doing may open your site to attack if there is an exploitable vulnerability affecting user account changes either in core Joomla! or a third party extension.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
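The explanation above describes the reset as two user edits (mark the account unauthorised, then clear the mark and set the new password) and the hardening option as a refusal of frontend edits to any account that can log in to the backend. The following is an added model of that policy written for this page; it is not Admin Tools or Joomla! code. It treats both steps as guarded edits, as the reply describes (the ticket reports the denial surfacing at the save step; the model makes no claim about where Admin Tools actually hooks in). The group names, the `activation` field, the client labels and the e-mail addresses are assumptions of the model, and it also shows the lockout the reply warns about when the option is off.

```python
"""Model of the thread's policy: a 'forgot password' flow is two user edits,
and a frontend edit of a backend-capable account is refused while the
hardening option is on.

Added illustration, not Admin Tools or Joomla! code. BACKEND_GROUPS, the
'activation' field, the client labels and the addresses are assumptions."""

import hashlib
import secrets
from dataclasses import dataclass, field

# Assumption: these groups are the ones that grant backend login.
BACKEND_GROUPS = {"Administrator", "Super Users"}


class AccessDenied(Exception):
    """Raised where the WAF would block the request."""


@dataclass
class User:
    email: str
    groups: set
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    activation: str = ""  # non-empty = reset pending, account treated as unauthorised

    def has_backend_access(self) -> bool:
        return bool(self.groups & BACKEND_GROUPS)

    def set_password(self, password: str) -> None:
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        return secrets.compare_digest(candidate, self.password_hash)


class Site:
    def __init__(self, block_frontend_admin_edits: bool):
        self.block_frontend_admin_edits = block_frontend_admin_edits
        self.users: dict[str, User] = {}

    def add_user(self, email: str, groups, password: str) -> User:
        user = User(email, set(groups))
        user.set_password(password)
        self.users[email] = user
        return user

    def _guard_edit(self, user: User, client: str) -> None:
        # The hardening rule: a frontend edit of a backend-capable account is denied.
        if (client == "frontend" and self.block_frontend_admin_edits
                and user.has_backend_access()):
            raise AccessDenied(f"frontend edit of backend account {user.email} blocked")

    def request_reset(self, email: str, client: str = "frontend") -> str:
        """Step 1: mark the account unauthorised; return the token that would be e-mailed."""
        user = self.users[email]
        self._guard_edit(user, client)
        user.activation = secrets.token_hex(16)
        return user.activation

    def complete_reset(self, email: str, token: str, new_password: str,
                       client: str = "frontend") -> None:
        """Step 2: verify the token, clear the mark and store the new password."""
        user = self.users[email]
        self._guard_edit(user, client)
        if not user.activation or not secrets.compare_digest(user.activation, token):
            raise ValueError("invalid or expired reset token")
        user.activation = ""
        user.set_password(new_password)

    def login(self, email: str, password: str, client: str) -> bool:
        user = self.users.get(email)
        if user is None or user.activation:  # pending reset = unauthorised
            return False
        if client == "backend" and not user.has_backend_access():
            return False
        return user.check_password(password)


def reset_outcome(hardening_on: bool, groups) -> str:
    """Run a full self-service reset for one user; 'ok' or 'denied'."""
    site = Site(hardening_on)
    site.add_user("user@example.invalid", groups, "old-pass")
    try:
        token = site.request_reset("user@example.invalid")
        site.complete_reset("user@example.invalid", token, "new-pass")
    except AccessDenied:
        return "denied"
    return "ok" if site.login("user@example.invalid", "new-pass", "frontend") else "broken"


def lockout_demo(hardening_on: bool) -> bool:
    """An attacker who only knows the admin's e-mail keeps triggering resets.
    Returns True if the admin can still log in to the backend afterwards."""
    site = Site(hardening_on)
    site.add_user("admin@example.invalid", {"Registered", "Super Users"}, "admin-pass")
    for _ in range(3):
        try:
            site.request_reset("admin@example.invalid")  # attacker never sees the token
        except AccessDenied:
            pass
    return site.login("admin@example.invalid", "admin-pass", "backend")


if __name__ == "__main__":
    print("registered, option on :", reset_outcome(True, {"Registered"}))
    print("admin, option on      :", reset_outcome(True, {"Registered", "Administrator"}))
    print("admin, option off     :", reset_outcome(False, {"Registered", "Administrator"}))
    print("admin login after spam, option on :", lockout_demo(True))
    print("admin login after spam, option off:", lockout_demo(False))
```

A user in only the Registered group completes the reset either way; a user who is also in a backend group is denied while the option is on, which is the behaviour reported in the ticket. `lockout_demo` shows the other half of the reply: with the option off, anyone who knows the admin's address can keep the account in the pending state and the admin can no longer log in.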

jjst135

Thanks for your explanation Nicholas.

So in my own words:

Once a user has access rights to the backend it is insecure to have them use a password reset functionality. This is why Admin Tools blocks this. If we do want users with backend access to be able to use the password reset function we can disable this feature, but that means exposing the site to security risks.

Correct?

I think we want our site(s) to be as secure as possible. So I'll probably leave this setting on.

We do need to communicate this (better) to those backend users I suppose. Now these users start the process, get an e-mail and only then find out it's not working, with an error message that does not explain anything. It would be better if Joomla sent an alternative e-mail (alternative to the reset link) to users with backend rights, explaining they cannot use this function. But I have no clue on how to achieve that. We could also add some info about this at the start of the reset procedure. Anyway, that is not a technical issue ;-)

Kind regards,
Jip


nicholas
Akeeba Staff
Manager

Once a user has access rights to the backend it is insecure to have them use a password reset functionality. 

Yes, that was what I was trying to convey :)

For what it's worth, it's not just my opinion. It is apparently what Microsoft itself does for Microsoft Azure Entra ID Global Administrator (and other Administrator-level) accounts by default. In fact, they tell you explicitly that you need to have a break-glass account (a super privileged account you never use to log in except once, in an emergency, then remove it from the system) to prevent an account lock-out. I would assume that other major clouds do the same; for example, I know Amazon Web Services does tell you to never use the root user except in an emergency which is the same idea phrased differently. Anyway, you got the idea: self-service password reset for privileged users is A Very Bad Thing.

If we do want users with backend access to be able to use the password reset function we can disable this feature, but that means exposing the site to security risks.

Correct!

It would be better if Joomla sends an alternative e-mail (alternative to the reset link) to users with backend rights. Explaining they cannot use this function. But I have no clue on how to achieve that.

I do not think this is an easy feat. It would require either a plugin which magically patches the core Joomla! code on the fly (meaning it would break often), or you'd need some kind of convoluted system plugin which catches the password reset form and sends its own email, redirecting the user back to the home page. Both approaches have different advantages and disadvantages.

What would make far more sense is for Joomla! to have this feature built-in, for example a selection of user groups which forbid password reset. I am not saying that Joomla! should force backend users to be unable to reset their password because many sites have just one user, a Super User, and the interactive password reset is much more accessible for non-technical folks than going through the database or editing configuration.php (the latter is a feature that's been lurking since 1.6; I am not sure if it's removed or still there, to be honest). Unfortunately, I cannot propose any new feature to Joomla! anymore. If you'd like to do it, please do. Maybe they should involve JSST in the decision.

Nicholas K. Dionysopoulos

Lead Developer and Director

