syscloud

In this article

  • An introduction to administrative units
  • Manage administrative units
  • How inheritance works for groups in administrative units
  • Administrative units and Privileged Identity Management
  • My Staff portal
  • Limitations of administrative units
  • FAQs

A Complete Guide to Azure AD Administrative Units

28 Oct 2021
|
20 min read
|
Anju George

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management (IAM) service, with over 420 million daily active users. IT admins use Azure AD to manage role permissions and control users’ access to apps and resources. This article looks at administrative units, an Azure AD resource used to limit administrative scope within Azure Active Directory.

An introduction to Azure AD administrative units

Microsoft defines an administrative unit as an Azure Active Directory (Azure AD) resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or any other segment of the organization that you define. An administrative unit can contain only users and groups.  

Note: To use Azure AD administrative units, you need to have an Azure AD Premium license in addition to your Microsoft 365 licenses.

Why do you need administrative units?

In general, Azure AD has a flat structure where all the users, groups, and other objects are placed on the same level. This means that the scope of admin privileges will be the entire tenant.  

For example, assigning a user to the “User Administrator” role in Azure AD will give them the rights to manage all the users in the organization, which might not always be required. This goes against Microsoft’s principle of least privilege, which states that users and applications should be granted the minimum level of access needed to perform required tasks.  

Azure AD administrative units solve this problem by enabling organizations to delegate administrative rights with a limited scope. You can assign users to an Azure AD role with a scope that's limited to one or more administrative units. In this way, administrative units give more granular administrative control in the Azure Active Directory. 
To understand how admin units work in Azure Active Directory, consider the example of an organization whose Sales team is scattered globally. The global admin wants someone to manage all the Sales team members in New Jersey. For this, the admin can create an administrative unit (AU) in the Azure AD, add all the Sales team members in New Jersey to this AU, and assign a user as the administrator for this AU. The assigned user will now be able to manage all the Sales team members in New Jersey.  
The below diagrams illustrate how administrative units enable organizations to delegate administrative rights with a limited scope. Note that the dashed lines in the diagrams indicate the scope of the respective admin roles. For example, the green line represents the global administrator scope. 
The above diagram shows the Azure AD structure without administrative units. Here, both the Password and Authentication admins have global scope, which means they have respective administrative rights over all the users and groups in the organization, similar to that of a global admin.  
Whereas in the below diagram which shows the Azure AD structure with administrative units, only the Global admin has control over the entire organization, while the Password and Authentication admins can only manage users and groups within their respective administrative units. For example, Authentication admin 2 can manage users and groups belonging to AU 2. 

Note: Only the following Azure AD roles can be assigned to an administrative unit: Authentication administrator, Password administrator, User administrator, Helpdesk administrator, License administrator, and Groups administrator 

Manage administrative units in Azure Active Directory

Note: You need to be a Privileged Role Administrator or Global Administrator to manage (create, remove, populate, and add roles to) administrative units. 

Licensing requirements

  • Azure AD Premium P1 or P2 license for each administrative unit administrator 
  • Azure AD Free licenses for administrative unit members 

Note: Administrative units can also be managed by using PowerShell cmdlets and scripts, or Microsoft Graph. For more information, see Prerequisites to use PowerShell or Graph Explorer.

Create an administrative unit

To create an administrative unit, follow the below steps: 
  • Step 3: Select the +Add button at the top of the pane, enter a name and description for the administrative unit, and click on the Review + create button at the bottom. This will take you to the Assign roles section.

  • Step 4: You can select an administrative role from the given list and assign a user to the role. You can skip this step if you want to only create an administrative unit for now, and assign administrative roles later. 

  • Step 5: Click either Review + create or Next : Review + create button to review the properties and assignments, and click on the Create button. This will create a new administrative unit in the Azure Active Directory. 

Note: Administrative units can also be created using PowerShell or Microsoft Graph API

Add users to an administrative unit

Note: You can only manually add users to an administrative unit. Adding users to an administrative unit dynamically based on an object property is not supported.

You can assign users to an administrative unit following the below steps. 
  • Step 1: Sign in to the Azure portal or Azure AD admin center.

  • Step 2: Select Azure Active Directory -> Administrative units, and then select the administrative unit to which the user needs to be added. 

  • Step 3: Select Users -> +Add member and on the Add member pane, select one or more users that you want to add to the administrative unit.

Alternatively, you can add users from their user profiles in the Azure AD admin center. The following steps are convenient if you need to add a single user to multiple administrative units.
  • Step 1: Sign in to the Azure portal or Azure AD admin center

  • Step 2: Select Azure Active Directory > Users and select the user to be assigned to an administrative unit. This will open the user’s profile. 

  • Step 3: Select Administrative units. To assign the user to one or more administrative units, select +Assign to administrative unit and on the right pane, select the administrative units to which you want to assign the user. 

To assign users as a bulk operation:
  • Step 1: Sign in to the Azure portal or Azure AD admin center. Select Azure Active Directory -> Administrative units

  • Step 2: Select the administrative unit to which you want to add users. 

  • Step 3: Select Users -> Bulk activities -> Bulk add members. Upload the CSV file containing all the users.  

Note: PowerShell or Microsoft Graph API can also be used to add users to administrative units.

Add groups to an administrative unit

Note: Dynamic groups cannot be added to an administrative unit. 

You can only assign groups individually to administrative units. There is no option to assign groups as a bulk operation. 
To assign groups to an administrative unit, follow the below steps. 
  • Step 1: Sign in to the Azure portal or Azure AD admin center

  • Step 2: Select Azure Active Directory -> Administrative units. Click on the administrative unit to which you want to add groups. 

  • Step 3: Navigate to Groups -> +Add. The right pane lists all the available groups in your organization. Select the groups you want to add to the administrative unit.

Alternatively, you can add a group to an administrative unit from the Groups pane in Azure AD admin center. The following steps are convenient if you need to add a single group to multiple administrative units.
  • Step 1: Sign in to the Azure portal or Azure AD admin center

  • Step 2: Select Azure Active Directory -> Groups. Open the group that you need to add and navigate to Administrative units -> +Assign to administrative unit. This will display a list of administrative units in your organization. 

  • Step 3: Select the administrative units to which you want to assign the group. This will add the group to the selected administrative units. 

You can also assign groups to administrative units using PowerShell or Microsoft Graph API

Note: When you add a group to an administrative unit (AU), only the group is added and not the members of the group. This means that the AU admin can manage the properties of the group alone, not that of the members of the group. Learn more

Assign admin roles for an administrative unit

Users can be assigned to an Azure AD role with a scope that's limited to an administrative unit. This helps in granular administrative control.

View the roles that are available to be assigned with administrative unit scope. Each role is independent from the global roles (roles with global scope) in Azure AD. Therefore, by using scoped roles, you can easily delegate administrative privileges to users who should only administer a specific administrative unit. 

To assign a scoped role to a user, follow the below steps: 
  • Step 1: Sign in to the Azure portal or Azure AD admin center

  • Step 2: Navigate to Azure Active Directory -> Administrative units, and then select the administrative unit to which you want to assign a user role scope. On the left pane, select Roles and administrators to view a list of all the available roles. Select the role that you need to assign to a user, for example, User administrator role.

  • Step 3: Click on the +Add assignments button. On the Add assignments pane, select the user(s) to be assigned to the role. 

Note: To assign admin roles at an administrative unit level, your organization needs Azure AD Premium P1 or P2 license. If not, the "+Add assignments" button will be greyed out as shown in the above screenshot.

You can also assign scoped roles to users using PowerShell or Microsoft Graph API

Learn how to view a list of the administrators assigned to an administrative unit. 
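The whole procedure above (create the administrative unit, add users and a group, assign an AU-scoped User Administrator, then review who holds which role over the unit) as one script. This is an added example written for this article, not code from the original post or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module) and a session signed in as a Privileged Role Administrator or Global Administrator; the AU name, group name and user principal names are constructed for illustration.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK and a signed-in Privileged Role Administrator / Global Administrator.
# All names and UPNs below are constructed placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                         "User.Read.All", "Group.Read.All"

# 1. Create the administrative unit (the portal's "+Add" -> "Review + create" step).
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Sales - New Jersey" `
        -Description "Sales team members located in New Jersey"

# 2. Add users directly. Membership is static: there is no dynamic rule, so every
#    user is added explicitly (the portal's "Bulk add members" CSV does the same).
$memberUpns = @("david.rose@contoso.example", "sheldon.cooper@contoso.example")   # constructed
foreach ($upn in $memberUpns) {
    $user = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)" }
}

# 3. Add a group. Only the group object comes into scope, not its members.
$group = Get-MgGroup -Filter "displayName eq 'Test'" -Top 1
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($group.Id)" }

# 4. Assign the User Administrator role scoped to this AU. The scoped assignment
#    references the activated directoryRole object, so activate it from its template
#    if the tenant has never used the role before.
$role = Get-MgDirectoryRole -Filter "displayName eq 'User Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'User Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
$admin = Get-MgUser -UserId "chris.green@contoso.example" -Property Id   # constructed
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ Id = $admin.Id }

# 5. Review: list every scoped role holder on this AU. Run this after any
#    delegation change so the assignment set stays as small as intended.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    ForEach-Object {
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            Role               = (Get-MgDirectoryRole -DirectoryRoleId $_.RoleId).DisplayName
            Member             = (Get-MgUser -UserId $_.RoleMemberInfo.Id).UserPrincipalName
        }
    }
```

Step 5 is the check that matters from a least-privilege standpoint: the scoped-role listing for an AU should contain only the delegated admins you expect, and nothing with a tenant-wide role shows up here because tenant-wide assignments live outside the unit.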

How inheritance works for groups in administrative units

Once a group is added to an administrative unit, group properties, members, and licensing settings can be updated by the assigned admins.  However, the users in that group are not included in the scope of management. In other words, when you add a group to an administrative unit, the users belonging to that group will not come under the administrative unit’s control. This means that the admins assigned to the administrative unit will only be able to manage the group object, not the user objects within the group. Only users that are directly added to the administrative unit can be managed by the assigned admins.  
For example, consider the administrative unit (AU) New Jersey, which contains two users, David Rose and Sheldon Cooper. 
New Jersey AU also contains a group named Test, which has two members, Jack Prichett and Phil. 
A User administrator (Chris Green) has been assigned to the New Jersey AU.
Chris, being the User administrator of New Jersey AU, can reset the password for both Sheldon and David. Whereas, when Chris tries to reset the password for either Jack or Phil, an error message is displayed. 
This is because Jack and Phil are not members of the New Jersey AU, rather, they are members of the Test group which is a member of the New Jersey AU. Chris can therefore update the settings of the Test group, not that of the users within the group. 
Lack of dynamic membership and group inheritance may appear to be significant limitations at first, but there are good reasons for these restrictions, as mentioned below: 
  • If dynamic membership were allowed, it would be possible for anyone who can modify the user attribute to change administrative unit membership. For example, if an attribute such as "department" were considered to manage administrative unit membership, a User administrator could modify certain users’ departments, and thereby change the administrative unit membership.  
  • If group inheritance were allowed, someone who had the ability to change group membership could also modify the administrative unit membership. For example, a Groups administrator or Groups owner could add more users to a group, and thereby change the administrative unit membership. 
In both these scenarios, users other than the Global administrator and Privileged role administrator could modify the administrative unit membership, and this would compromise the integrity of the administrative unit. 

Click here to view the current support provided by Microsoft for various administrative unit scenarios, via the Azure portal, Microsoft 365 admin center, and Graph/PowerShell.

Administrative units and Privileged Identity Management

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization, including administrative units. It provides time-based and approval-based role activation.  With PIM, organizations can give users just-in-time privileged access to Azure AD resources and can oversee what those users are doing with their privileged access. 

Key features of Privileged Identity Management 

  • Provide just-in-time privileged access to Azure AD and Azure resources 
  • Assign time-bound access to resources using start and end dates 
  • Require approval to activate privileged roles 
  • Enforce multi-factor authentication to activate any role 
  • Use justification to understand why users activate 
  • Get notifications when privileged roles are activated 
  • Conduct access reviews to ensure users still need roles 
  • Download audit history for internal or external audit 
Refer to the following Microsoft documentation for a detailed understanding of Privileged Identity Management: 
Azure AD administrative units are integrated with Privileged Identity Management. This reinforces the principle of least privilege with just-in-time administrative access to an administrative unit.  

Note: Using Privileged Identity Management requires an Azure AD Premium P2 license. For details, see License requirements to use Privileged Identity Management.

Assign scoped roles in Privileged Identity Management

With the Azure Active Directory Privileged Identity Management (PIM) service, Privileged role admins or Global admins can make permanent or time-bound admin role assignments. They can also assign users as active or eligible administrators. (Refer to the steps below) 
Since Azure AD administrative units are integrated with Privileged Identity Management, you can define whether you want the role assignment to be active/eligible and permanent/time-bound when you assign an AU-scoped role to a user.   To assign an administrative unit scoped role using PIM service, follow the below steps: 

Note: You need to be a Privileged role admin or Global admin for this. 

  • Step 1: Open the administrative unit for which you need to assign an admin. Navigate to Roles and  administrators, and select the role you need to assign. 

  • Step 2: Click on +Add assignments. This will take you to the Add assignments page. Select the member to be assigned to the role, and click Next.

  • Step 3:  In the Assignment type list on the Setting pane, select the required assignment type. 

Eligible assignments require the member of the role to perform an action (after the role has been assigned to them) to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. 

Active assignments don't require the member to perform any action to use the role. Members assigned as active will have the privileges associated with the role immediately after the assignment has been made. 

  • Step 4: Specify the assignment duration and click Assign to create the new role assignment. 

Permanent assignments: have no expiration date. Use this option for permanent workers who frequently need the role permissions. 

Time-bound assignments: expire at the end of a specified period. Use this option with temporary or contract workers who require the role only for a specified duration. 
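The PIM assignment described in Steps 1 to 4 (an eligible, time-bound User Administrator assignment whose scope is a single administrative unit) expressed as a Microsoft Graph request. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK's Identity Governance cmdlets, an Azure AD Premium P2 tenant, and a signed-in Privileged Role Administrator or Global Administrator. The AU name, principal and 90-day duration are constructed.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK, Azure AD Premium P2, and a Privileged Role Administrator session.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

$au      = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Sales - New Jersey'"   # constructed name
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$member  = Get-MgUser -UserId "chris.green@contoso.example" -Property Id                     # constructed UPN

$start = (Get-Date).ToUniversalTime()
$request = @{
    Action           = "adminAssign"
    Justification    = "Delegated user admin for the NJ Sales AU (contractor, 90 days)"
    PrincipalId      = $member.Id
    RoleDefinitionId = $roleDef.Id
    # The directory scope is what turns a tenant-wide role into an AU-scoped one.
    DirectoryScopeId = "/administrativeUnits/$($au.Id)"
    ScheduleInfo     = @{
        StartDateTime = $start
        Expiration    = @{
            Type        = "afterDateTime"      # time-bound; "noExpiration" would make it permanent
            EndDateTime = $start.AddDays(90)
        }
    }
}

# "Eligible": the member must activate the role (MFA, justification or approval,
# per the PIM role settings) before using it. For an "Active" assignment the same
# body goes to New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest instead.
$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
$result | Select-Object Id, Status, Action, DirectoryScopeId

# Review: every eligible assignment currently scoped to this AU and when it lapses.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, Status,
                  @{ Name = "Expires"; Expression = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The review query at the end is the counterpart of the portal's Roles and administrators blade for the unit: an eligibility schedule with no EndDateTime is a permanent assignment and is worth a second look when the delegation was meant to be temporary.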

Administrative units and My Staff portal

My Staff portal (mystaff.microsoft.com) is based on administrative units, and it allows delegated administrators to perform a limited set of account maintenance actions, including password reset, without signing into the Azure AD portal. Using this portal, an AU administrator can manage the members of the specific administrative unit (AU).  

The following are the tasks that administrators can perform via My Staff portal, for the users in their scope: 
  • Add and update phone numbers 
  • Reset passwords 
  • Enable phone sign-in 
For example, a local team manager can reset passwords or edit phone numbers of their team members, so that the users who can't access their accounts can regain access in just a couple of clicks, with no helpdesk or IT staff involvement.

How to enable My Staff in Azure Active Directory

The My Staff feature has to be enabled in the Azure Active Directory so that team managers can access the portal to manage common tasks for their team members. To enable My Staff, follow the below steps: 
  • Step 1: Sign in to the Azure portal or Azure AD admin center as a User administrator or Global administrator. 

  • Step 2: Select Azure Active Directory -> User settings -> Manage user feature settings

  • Step 3: Enable the feature for all users or a group of users, and click Save.

Note: Only users who've been assigned an admin role can access the My Staff portal. If you enable My Staff for a user who is not assigned an admin role, they won't be able to access the portal. 

How My Staff works

When a delegated administrator goes to the My Staff portal, they are shown the names of the administrative units over which they have administrative permissions. If an administrator's permissions do not have an administrative unit scope, the permissions apply across the organization. After My Staff has been enabled for your organization, the users who are enabled and have been assigned an administrative role can access it at https://mystaff.microsoft.com. They can select an administrative unit to view the users in that unit, and select a user to open their profile. 

For example, Chris Green has been assigned as the User administrator for the administrative unit “New Jersey.” 

Chris can now use the My Staff portal to manage all the members in the New Jersey administrative unit.  

How to reset a user password 

A delegated admin can reset the password of a user in their administrative unit by following the below steps:
  • Step 1: Sign in to the My Staff portal. All the administrative units in the respective admin’s scope will be displayed. 

  • Step 2: Select the administrative unit that contains the team member whose password has to be reset. This will display all the members in the selected administrative unit. (Refer to the screenshots in the above section) 

  • Step 3: Open the member’s profile. Click on Reset password -> Continue to reset the password. 

Note: The “Add phone number” option is greyed out in the above screenshot since the selected admin (Chris Green, in this case) has only User admin permissions assigned. A user admin can only reset the password, not add or edit phone numbers. To manage the phone numbers of users in an administrative unit, one needs to be assigned as an Authentication admin for that administrative unit. Learn how to manage users’ phone numbers from the My Staff portal. 

You can search for administrative units and users in your organization using the search bar in My Staff. You can search across all administrative units and users in your organization, but you can only make changes to the users who are in the administrative unit over which you have been given admin permissions. 
You can view audit logs for actions taken in My Staff in the Azure Active Directory portal. If an audit log was generated by an action taken in My Staff, you will see this indicated under "Additional Details” in the audit event. 
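A way to pull those audit events out of Azure AD rather than reading them in the portal, so that admin-initiated password resets (My Staff or otherwise) can be reviewed in bulk. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK with audit-log read permission, and that the activity name "Reset password (by admin)" is the one your tenant records for these events (check the portal's audit log if your tenant shows a different name).

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK and a session with AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Admin-initiated password resets in the last 7 days. The activity name is an
# assumption to verify against your own audit log before relying on the filter.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
$events = Get-MgAuditLogDirectoryAudit -All `
            -Filter "activityDisplayName eq 'Reset password (by admin)' and activityDateTime ge $since"

$events | ForEach-Object {
    # AdditionalDetails is a list of key/value pairs; the article notes that
    # My Staff-originated actions are indicated here.
    $details = ($_.AdditionalDetails | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join "; "
    [pscustomobject]@{
        When      = $_.ActivityDateTime
        Admin     = $_.InitiatedBy.User.UserPrincipalName
        Target    = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
        Result    = $_.Result
        Details   = $details
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Reviewing the Admin and Target columns against the AU membership lists is a quick way to confirm that delegated admins are only resetting passwords for users inside their own administrative unit.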

Read the My Staff user documentation provided by Microsoft to learn more on how a team manager can use the My Staff portal. In the documentation, the term “locations” is used to refer to administrative units.  

Limitations of administrative units

  • An administrative unit can contain only users and groups. Devices cannot be added to administrative units. Therefore, scoping management of devices is not possible. 
  • Not all Azure AD administrative roles are available for administrative units. You can only assign one of the following six roles to an administrative unit: Authentication administrator, Password administrator, User administrator, Helpdesk administrator, License administrator, Groups administrator 
  • Administrative units require Azure AD premium licenses
  • AU-scoped administrators cannot manage their users’ MFA settings in the Microsoft 365 Admin Center. (See currently supported scenarios.)

  • Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. Admins can browse other users in the Azure AD portal, PowerShell, and other Microsoft services. However, in the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out. 
  • You can only assign groups individually to an administrative unit. There is no option to assign groups as a bulk operation. 

Frequently asked questions on Azure AD administrative units

1. I am a delegated Password/User administrator for an administrative unit. Why am I unable to reset a specific user's password?

(a) An AU-scoped admin can only manage users who belong to that administrative unit. Make sure that the user belongs to the administrative unit to which you've been assigned. 

(b) If the user belongs to your administrative unit but you still can't reset the user's password, check whether the user has been assigned any roles. To prevent elevation of privileges, an AU-scoped administrator cannot reset the password of a user who has been assigned to a role with an organization-wide scope.
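A check that answers both the inheritance question from the section "How inheritance works for groups in administrative units" (Chris can reset David's and Sheldon's passwords but not Jack's or Phil's) and FAQ 1 above (direct membership, and no organization-wide role on the target user). This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and a signed-in reader with directory read permissions. The function name `Test-AdministrativeUnitUserScope` and the sample AU and user names are constructed.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph
# PowerShell SDK; the function name and sample inputs are constructed.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "GroupMember.Read.All", "User.Read.All", "RoleManagement.Read.Directory"

function Test-AdministrativeUnitUserScope {
    param(
        [Parameter(Mandatory)] [string] $AdministrativeUnitName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AdministrativeUnitName'"
    if (-not $au) { throw "Administrative unit '$AdministrativeUnitName' not found" }
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    # AU members are directoryObjects; the concrete type is in AdditionalProperties.
    $members  = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
    $isDirect = [bool]($members | Where-Object Id -eq $user.Id)

    # Groups inside the AU do not bring their members into scope. Record them
    # anyway so the report explains why a user looks "in" the AU but is not.
    $viaGroups = foreach ($m in $members) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
        $groupMemberIds = (Get-MgGroupMember -GroupId $m.Id -All).Id   # direct members only
        if ($groupMemberIds -contains $user.Id) { $m.AdditionalProperties['displayName'] }
    }

    # FAQ 1(b): a user holding an organization-wide role cannot have their
    # password reset by an AU-scoped admin. memberOf lists tenant-wide directoryRole
    # memberships; this is an assumption to confirm in your tenant.
    $tenantRoles = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    [pscustomobject]@{
        User                = $user.UserPrincipalName
        AdministrativeUnit  = $au.DisplayName
        DirectMember        = $isDirect
        OnlyViaGroups       = @($viaGroups)
        TenantWideRoles     = @($tenantRoles)
        ManageableByAuAdmin = $isDirect -and (@($tenantRoles).Count -eq 0)
    }
}

# Constructed inputs mirroring the article's example: David is a direct member,
# Jack is only a member of the "Test" group that was added to the AU.
Test-AdministrativeUnitUserScope -AdministrativeUnitName "New Jersey" -UserPrincipalName "david.rose@contoso.example"
Test-AdministrativeUnitUserScope -AdministrativeUnitName "New Jersey" -UserPrincipalName "jack.prichett@contoso.example"
```

For the second call the report shows DirectMember false and OnlyViaGroups containing "Test", which is exactly the situation behind the error Chris sees when trying to reset Jack's password; the fix is to add the user directly to the unit, not to rely on the group.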

2. Can a user or a group belong to more than one administrative unit? 

Yes, a user or a group can belong to multiple administrative units. This is one of the major differences between Azure AD administrative units and Google organizational units.

3. I added a group to an administrative unit. Why are the group members not showing up in the administrative unit?

When you add a group to an administrative unit, that does not result in all the group members being added to it. Users must be directly assigned to the administrative unit.  Learn more

4. Can administrative units be nested? 

No, administrative units cannot be nested. You cannot have one administrative unit inside another administrative unit. 

5. How are administrative units different from groups in Azure Active Directory?  

Azure AD administrative units are used to restrict the scope of administrative role assignments whereas Azure AD groups are used to manage users’ access to apps and resources. Using groups lets the resource owner (or Azure AD directory owner) assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one. Read Manage app and resource access using Azure Active Directory groups to learn more. 

Groups 

  • Used to manage users’ access to apps and resources 
  • Members of the group inherit the permissions assigned to the group
  • Assigning an admin role to a group will result in all the group members having that admin role. Learn more 

Administrative units 

  • Used to restrict the scope of administrative role assignments in the Azure Active Directory
  • Adding members to an administrative unit (AU) does not change their permissions by default. Rather, it gives permission to the AU-scoped admin to manage the members of the AU. 
  • A user who is assigned as the administrator for an administrative unit will be able to manage all the members of the administrative unit. 
