diff --git a/src/Umbraco.Web/Editors/UsersController.cs b/src/Umbraco.Web/Editors/UsersController.cs
index 932f10f343..0588eef2c0 100644
--- a/src/Umbraco.Web/Editors/UsersController.cs
+++ b/src/Umbraco.Web/Editors/UsersController.cs
@@ -605,12 +605,13 @@ namespace Umbraco.Web.Editors
display.AddSuccessNotification(Services.TextService.Localize("speechBubbles/operationSavedHeader"), Services.TextService.Localize("speechBubbles/editUserSaved"));
return display;
- }
+ }
///
/// Disables the users with the given user ids
///
///
+ [AdminUsersAuthorize("userIds")]
public HttpResponseMessage PostDisableUsers([FromUri]int[] userIds)
{
if (userIds.Contains(Security.GetUserId()))
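Review bot: The attribute argument `"userIds"` on PostDisableUsers is a bare string that has to match the `[FromUri]int[] userIds` parameter name, and the filter resolves those ids from the query string on its own rather than from the bound argument, so a mismatch, or a query encoding the model binder accepts but the filter does not, silently leaves only the base authenticated-user check in place; the same applies to the PostEnableUsers, PostUnlockUsers and PostSetUserGroupsOnUsers hunks. I would state that coupling in the XML doc, e.g. `/// <remarks>Admin-user authorization is enforced by <see cref="AdminUsersAuthorizeAttribute"/> from the "userIds" query values; keep the attribute argument and the parameter name in sync.</remarks>`, and cover it with a test that sends a mixed admin/non-admin id list as a non-admin user and expects the request to be rejected. The body of PostDisableUsers continues outside the hunk.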
@@ -641,6 +642,7 @@ namespace Umbraco.Web.Editors
/// Enables the users with the given user ids
///
///
+ [AdminUsersAuthorize("userIds")]
public HttpResponseMessage PostEnableUsers([FromUri]int[] userIds)
{
var users = Services.UserService.GetUsersById(userIds).ToArray();
@@ -664,6 +666,7 @@ namespace Umbraco.Web.Editors
/// Unlocks the users with the given user ids
///
///
+ [AdminUsersAuthorize("userIds")]
public async Task PostUnlockUsers([FromUri]int[] userIds)
{
if (userIds.Length <= 0)
@@ -696,6 +699,7 @@ namespace Umbraco.Web.Editors
Services.TextService.Localize("speechBubbles/unlockUsersSuccess", new[] { userIds.Length.ToString() }));
}
+ [AdminUsersAuthorize("userIds")]
public HttpResponseMessage PostSetUserGroupsOnUsers([FromUri]string[] userGroupAliases, [FromUri]int[] userIds)
{
var users = Services.UserService.GetUsersById(userIds).ToArray();
@@ -721,7 +725,8 @@ namespace Umbraco.Web.Editors
/// Limited to users that haven't logged in to avoid issues with related records constrained
/// with a foreign key on the user Id
///
- public async Task PostDeleteNonLoggedInUser(int id)
+ [AdminUsersAuthorize]
+ public HttpResponseMessage PostDeleteNonLoggedInUser(int id)
{
var user = Services.UserService.GetUserById(id);
if (user == null)
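Review bot: PostDeleteNonLoggedInUser takes a plain `int id`, which Web API binds from route data as well as the query string, while the parameterless `[AdminUsersAuthorize]` resolves `"id"` only through `GetQueryNameValuePairs`; if the back-office route template exposes an `{id}` segment (not visible here), a request supplying the id that way would presumably be checked only for authentication. The filter should also consult `actionContext.ControllerContext.RouteData.Values` for `_parameterName` before concluding the parameter is absent. The signature change from `async Task` to `HttpResponseMessage` also requires any `await` in the body to be gone; the body continues outside the hunk, so that cannot be confirmed here.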
diff --git a/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs b/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs
index 8701eaf226..e9cb1d8c6e 100644
--- a/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs
+++ b/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs
@@ -9,34 +9,48 @@ using Umbraco.Web.Editors;
namespace Umbraco.Web.WebApi.Filters
{
///
- /// if the user being edited is an admin then we must ensure that the current user is also an admin
+ /// if the users being edited is an admin then we must ensure that the current user is also an admin
///
+ ///
+ /// This will authorize against one or multiple ids
+ ///
public sealed class AdminUsersAuthorizeAttribute : AuthorizeAttribute
{
+ private readonly string _parameterName;
+
+ public AdminUsersAuthorizeAttribute(string parameterName)
+ {
+ _parameterName = parameterName;
+ }
+
+ public AdminUsersAuthorizeAttribute() : this("id")
+ {
+ }
+
protected override bool IsAuthorized(HttpActionContext actionContext)
{
- if (actionContext.ActionArguments.TryGetValue("id", out var userId) == false)
+ int[] userIds;
+ if (actionContext.ActionArguments.TryGetValue(_parameterName, out var userId))
+ {
+ var intUserId = userId.TryConvertTo();
+ if (intUserId)
+ userIds = new[] {intUserId.Result};
+ else return base.IsAuthorized(actionContext);
+ }
+ else
{
var queryString = actionContext.Request.GetQueryNameValuePairs();
- var ids = queryString.Where(x => x.Key == "id").ToArray();
+ var ids = queryString.Where(x => x.Key == _parameterName).ToArray();
if (ids.Length == 0)
return base.IsAuthorized(actionContext);
- userId = ids[0].Value;
+ userIds = ids.Select(x => x.Value.TryConvertTo()).Where(x => x.Success).Select(x => x.Result).ToArray();
}
- if (userId == null) return base.IsAuthorized(actionContext);
- var intUserId = userId.TryConvertTo();
- if (intUserId.Success == false)
- return base.IsAuthorized(actionContext);
+ if (userIds.Length == 0) return base.IsAuthorized(actionContext);
- var user = ApplicationContext.Current.Services.UserService.GetUserById(intUserId.Result);
- if (user == null)
- return base.IsAuthorized(actionContext);
-
- //Perform authorization here to see if the current user can actually save this user with the info being requested
+ var users = ApplicationContext.Current.Services.UserService.GetUsersById(userIds);
var authHelper = new UserEditorAuthorizationHelper(ApplicationContext.Current.Services.ContentService, ApplicationContext.Current.Services.MediaService, ApplicationContext.Current.Services.UserService, ApplicationContext.Current.Services.EntityService);
- var canSaveUser = authHelper.IsAuthorized(UmbracoContext.Current.Security.CurrentUser, user, null, null, null);
- return canSaveUser;
+ return users.All(user => authHelper.IsAuthorized(UmbracoContext.Current.Security.CurrentUser, user, null, null, null) != false);
}
}
}
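Review bot: In the new IsAuthorized every failure to resolve ids degrades to `base.IsAuthorized`, which for AuthorizeAttribute is just the authenticated-user check, so a request that names the parameter in a form the filter cannot parse is allowed through: the action-argument branch only handles a single convertible value (an `int[]` argument, as the `userIds` actions declare, would presumably fail `TryConvertTo<int>` and hit `else return base.IsAuthorized(actionContext);`), and the query-string branch drops unparseable values with `.Where(x => x.Success)`. I would distinguish "parameter absent" (defer to base) from "parameter present but unusable" (deny), accept an `IEnumerable<int>` action argument, and also read `actionContext.ControllerContext.RouteData.Values`, since a plain `int id` parameter can bind from a route segment that `GetQueryNameValuePairs` never sees; the sketch below needs `System.Collections.Generic` in scope. The `<int>` type argument on TryConvertTo and the XML `<summary>` tags appear to have been stripped in this rendering. The `!= false` in the final `users.All(...)` presumably relies on an implicit bool conversion of the helper's result; a one-line comment saying so would save the next reader a trip to UserEditorAuthorizationHelper.
```csharp
protected override bool IsAuthorized(HttpActionContext actionContext)
{
    var userIds = ResolveUserIds(actionContext);
    // Parameter not supplied at all: nothing to check here, defer to the base (authenticated) check.
    if (userIds == null) return base.IsAuthorized(actionContext);
    // Parameter supplied but nothing usable in it: deny instead of falling through.
    if (userIds.Length == 0) return false;
    var users = ApplicationContext.Current.Services.UserService.GetUsersById(userIds);
    // … unchanged: authHelper construction and the users.All(...) return …
}

// Null when the parameter is absent from the action arguments, query string and route data;
// empty when it is present but not every value converts to an int.
private int[] ResolveUserIds(HttpActionContext actionContext)
{
    if (actionContext.ActionArguments.TryGetValue(_parameterName, out var arg))
    {
        if (arg == null) return null;
        if (arg is IEnumerable<int> many) return many.ToArray();
        var single = arg.TryConvertTo<int>();
        return single.Success ? new[] { single.Result } : new int[0];
    }

    var raw = actionContext.Request.GetQueryNameValuePairs()
        .Where(x => x.Key == _parameterName)
        .Select(x => x.Value)
        .ToList();
    if (actionContext.ControllerContext.RouteData.Values.TryGetValue(_parameterName, out var routeValue) && routeValue != null)
        raw.Add(routeValue.ToString());
    if (raw.Count == 0) return null;

    var converted = raw.Select(v => v.TryConvertTo<int>()).ToArray();
    return converted.All(x => x.Success) ? converted.Select(x => x.Result).ToArray() : new int[0];
}
```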