An Administrative Unit (AU) is an Azure AD resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or other segment of the organization. Admins can use Administrative Units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their Administrative Unit (AU).
There are, however, a few things that you need to be aware of:
Ten things you need to know
Administrative Unites (AUs) are Generally Available
Normally, when we provide a list of things you should know about a certain technology in Azure AD, we notify you of the perils of Public Previews with Microsoft.
For Administrative Units (AUs) in Azure AD, we decided to give judgement upon General Availability (GA). This means, the feature is available in all Azure AD tenants and is fully supported by the Microsoft product team. Microsoft customer engineers (formerly known as PFEs) and Microsoft Support.
Not all roles are available for Administrative Units
You can only assign the following administrative roles to Azure AD Administrative Units (AUs):
- Authentication Administrator
Has access to view, set, and reset authentication method information for any non-admin user in the assigned Administrative Unit only.
- Groups Administrator
Can manage all aspects of groups and groups settings like naming and expiration policies in the assigned Administrative Unit only.
- Helpdesk Administrator
Can reset passwords for non-administrators and Helpdesk administrators in the assigned Administrative Unit only.
- License Administrator
Can assign, remove, and update license assignments within the Administrative Unit only.
- Password Administrator
Can reset passwords for non-administrators and Password Administrators within the assigned Administrative Unit only.
- User Administrator
Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned Administrative Unit only.
Users, role-assignable cloud groups Preview and Service Principal Names (SPNs) can be added to these roles.
Administrative Unite (AUs) can only contain users and groups
User objects and group objects can be made members of Administrative Units (AUs). However, devices cannot be made members of AUs. Scoping management of devices in Azure AD is therefore not in the picture.
User administrators for the Administrative Unit can manage the name and membership of the group itself. It does not grant the User Administrator for the Administrative Unit permissions to manage the users of the group (for example, to reset their passwords). To grant the User Administrator the ability to manage users, the users have to be direct members of the Administrative Unit.
When you add a group to the Administrative Unit, that does not result in all the group's members being added to it. Users must be directly assigned to the Administrative Unit.
Organizations using Microsoft Intune can use tags for devices as scopes for management, but organizations without Intune are left in the dark.
Administrative Units require Azure AD Premium licenses
Using Administrative Units (AUs) requires an Azure Active Directory Premium license for each Administrative Unit admin. It does not require Premium licenses for Administrative Unit members; an Azure Active Directory Free license will suffice in terms of Administrative Units (AUs) for members.
Only Global Admins and Privileged Role Admins can create AUs
Global administrators or Privileged role administrators can use the Azure AD portal to create Administrative Units (AUs), add users as members of AUs, and then assign IT staff to AU-scoped administrator roles. The Administrative Unit-scoped admins can then use the Microsoft 365 admin center for basic management of users in their AU(s).
AUs cannot be managed in the Microsoft 365 Admin Center
While you can create and delete AUs, add and remove AU members and assign AU-scoped admins through the Azure Portal, the Azure AD Portal, through the Azure AD PowerShell and through Microsoft Graph, you can’t use the Microsoft 365 Admin Center to perform these actions.
Additionally, scoped admins cannot perform unit-scoped management of user MFA credentials in the Microsoft 365 Admin Center.
There are no dynamic Administrative Units
Azure AD knows the concept of Dynamic Groups, where members are added to groups based on (combinations of) attributes of the account in Azure AD. Alas, Administrative Unites (AUs) do not know the concept of Dynamic Administrative Unit memberships (yet).
There is a big Difference between the Azure Portal and the Microsoft 365 Admin Center
Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside of the Administrative Unit. Admins can browse other users in the Azure AD portal, PowerShell, and other Microsoft services.
However, in the Microsoft 365 admin center, users outside of a scoped admin's Administrative Units are filtered out.
Group Assignment to AUs is clunky
You can assign groups only individually to an Administrative Unit (AU). There is no option of assigning groups in bulk to an AU. When using the Portal, PowerShell or Microsoft Graph, you’ll need to perform an add per group. The same goes for removing a group from the scope of an AU in PowerShell and the Microsoft Graph.
However, in the Portal, you can remove AU membership for multiple groups in the Azure Portal if need be.
Elevation of Privilege paths may lead to unexpected behavior
Scoped admins pose an information security risk. Therefore, paths that can lead to elevation of privilege for these accounts are blocked.
For example, to an AU-scoped administrator can't reset the password of a user who's assigned to a role with an organization-wide scope.
Enjoy Azure AD Administrative Units (AUs)!