How inheritance works for groups in administrative units

Administrative units and Privileged Identity Management

Restoring lost data is just a matter of a few clicks

Try SysCloud out with a FREE trial and discover how much faster, easier, and more flexible backups could be - for everyone in your organization. 

Start enjoying faster and easier backups, today

Protect Your Cloud Data, Now!

Azure AD Administrative Units (AUs) allow organizations to delegate admin roles with limited scope, reducing the need for global admin access and supporting the principle of least privilege. However, AUs have limitations: 

AUs can only contain users and groups, not devices. They require Azure AD Premium licenses, and not all administrative roles are available for AUs.

AU-scoped admins cannot manage MFA settings or prevent users from viewing resources outside the AU.

SysCloud provides a comprehensive backup solution for Azure AD, ensuring secure, automated protection of user and group data, while complementing the limited management capabilities of Azure AD administrative units. This helps organizations maintain data security and streamline administrative tasks across different segments of the organization.

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management (IAM) service, with over 420 million daily active users.IT admins use Azure AD to manage role permissions and control users’ access to apps and resources. This article looks at administrative units, an Azure AD resource used to limit administrative scope within Azure Active Directory.

Microsoft defines an administrative unit as an Azure Active Directory (Azure AD) resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or any other segment of the organization that you define. An administrative unit can contain only users and groups.  

Note: To use Azure AD administrative units, you need to have an Azure AD Premium license in addition to your Microsoft 365 licenses.

In general, Azure AD has a flat structure where all the users, groups, and other objects are placed on the same level. This means that the scope of admin privileges will be the entire tenant.  

For example, assigning a user to the “User Administrator” role in Azure AD will give them the rights to manage all the users in the organization, which might not always be required. This goes against Microsoft’s principle of least privilege, which states that users and applications should be granted the minimum level of access needed to perform required tasks.  

Azure AD administrative units solve this problem by enabling organizations to delegate administrative rights with a limited scope. You can assign users to an Azure AD role with a scope that's limited to one or more administrative units. In this way, administrative units give more granular administrative control in the Azure Active Directory. 

To understand how admin units work in Azure Active Directory, consider the example of an organization whose Sales team is scattered globally. The global admin wants someone to manage all the Sales team members in New Jersey. For this, the admin can create an administrative unit (AU) in the Azure AD, add all the Sales team members in New Jersey to this AU, and assign a user as the administrator for this AU. The assigned user will now be able to manage all the Sales team members in New Jersey.  

The below diagrams illustrate how administrative units enable organizations to delegate administrative rights with a limited scope. Note that the dashed lines in the diagrams indicate the scope of the respective admin roles. For example, the green line represents the global administrator scope. 

The above diagram shows the Azure AD structure without administrative units. Here, both the Password and Authentication admins have global scope, which means they have respective administrative rights over all the users and groups in the organization, similar to that of a global admin.  

Whereas in the below diagram which shows the Azure AD structure with administrative units, only the Global admin has control over the entire organization, while the Password and Authentication admins can only manage users and groups within their respective administrative units. For example, Authentication admin 2 can manage users and groups belonging to AU 2. 

Note: Only the following Azure AD roles can be assigned to an administrative unit: Authentication administrator, Password administrator, User administrator, Helpdesk administrator, License administrator, and Groups administrator 

Note: You need to be a Privileged Role Administrator or Global Administrator to manage (create, remove, populate, and add roles to) administrative units. 

Azure AD Premium P1 or P2 license for each administrative unit administrator 

Azure AD Free licenses for administrative unit members 

Note: Administrative units can also be managed by using PowerShell cmdletsand scripts, or Microsoft Graph. For more information, see Prerequisites to use PowerShell or Graph Explorer.

To create an administrative unit, follow the below steps: 

Step 1: Sign in to the Azure AD admin center. (You can also sign into the Azure portal, go to Azure Active Directory, and follow the same steps mentioned below) 

Step 2: Navigate to Azure Active Directory -> Administrative units. 

Step 3: Select the +Add button at the top of the pane, enter a name and description for the administrative unit, and click on the Review + create button at the bottom. This will take you to the Assign roles section

Step 4: You can select an administrative role from the given list and assign a user to the role. You can skip this step if you want to only create an administrative unit for now, and assign administrative roles later. 

Step 5: Click either Review + create or Next : Review + create button to review the properties and assignments, and click on the Create button. This will create a new administrative unit in the Azure Active Directory. 

Note: Administrative units can also be created using PowerShell or Microsoft Graph API. 

Note: You can only manually add users to an administrative unit. Adding users to an administrative unit dynamically based on an object property is not supported.

You can assign users to an administrative unit following the below steps. 

Step 1: Sign in to the Azure portal or Azure AD admin center.

Step 2: Select Azure Active Directory -> Administrative units, and then select the administrative unit to which the user needs to be added. 

Step 3: Select Users -> +Add member and on the Add member pane, select one or more users that you want to add to the administrative unit.

Alternatively, you can add users from their user profiles in the Azure AD admin center. The following steps are convenient if you need to add a single user to multiple administrative units.

Step 1: Sign in to the Azure portal or Azure AD admin center. 

Step 2: Select Azure Active Directory > Users and select the user to be assigned to an administrative unit. This will open the user’s profile. 

Step 3: Select Administrative units. To assign the user to one or more administrative units, select +Assign to administrative unit and on the right pane, select the administrative units to which you want to assign the user. 

Step 1: Sign in to the Azure portal or Azure AD admin center. Select Azure Active Directory -> Administrative units. 

Step 2: Select the administrative unit to which you want to add users. 

Step 3: Select Users -> Bulk activities -> Bulk add members. Upload the CSV file containing all the users.  

Note: PowerShell or Microsoft Graph API can also be used to add users to administrative units.

Learn how to view a list of administrative units for a user

Learn how to remove users from an administrative unit. 

Note: Dynamic groups cannot be added to an administrative unit. 

You can only assign groups individually to administrative units. There is no option to assign groups as a bulk operation. 

To assign groups to an administrative unit, follow the below steps. 

Step 2: Select Azure Active Directory -> Administrative units. Click on the administrative unit to which you want to add groups.. 

Step 3: Navigate to Groups -> +Add. The right pane lists all the available groups in your organization. Select the groups you want to add to the administrative unit.

Alternatively, you can add a group to an administrative unit from the Groups pane in Azure AD admin center. The following steps are convenient if you need to add a single group to multiple administrative units.

Step 1: Sign in to the Azure portal or Azure AD admin center. 

Step 2: Select Azure Active Directory -> Groups. Open the group that you need to add and navigate to Administrative units-> +Assign to administrative unit. This will display a list of administrative units in your organization. 

Step 3: Select the administrative units to which you want to assign the group. This will add the group to the selected administrative units. 

You can also assign groups to administrative units using PowerShell or Microsoft Graph API. 

<strong>Note:</strong> When you add a group to an administrative unit (AU), only the group is added and not the members of the group. This means that the AU admin can manage the properties of the group alone, not that of the members of the group. 
<a href="/azure-administrative-units#groups-inheritance" rel="nofollow">Learn more</>


Users can be assigned to an Azure AD role with a scope that's limited to an administrative unit. This helps in granular administrative control.

View the roles that are available to be assigned with administrative unit scope. Each role is independent from the global roles (roles with global scope) in Azure AD. Therefore, by using scoped roles, you can easily delegate administrative privileges to users who should only administer a specific administrative unit. 

To assign a scoped role to a user, follow the below steps: 

Step 2: Navigate to Azure Active Directory -> Administrative units, and then select the administrative unit to which you want to assign a user role scope. On the left pane, select Roles and administrators to view a list of all the available roles. Select the role that you need to assign to a user, for example, User administrator role.

Step 3: Click on the +Add assignments button. On the Add assignments pane, select the user(s) to be assigned to the role. 

Note: To assign admin roles at an administrative unit level, your organization needs Azure AD Premium P1 or P2 license. If not, the "+Add assignments" button will be greyed out as shown in the above screenshot.

You can also assign scoped roles to users using PowerShell or Microsoft Graph API. 

Learn how to view a list of the administrators assigned to an administrative unit. 

Once a group is added to an administrative unit, group properties, members, and licensing settings can be updated by the assigned admins.  However, the users in that group are not included in the scope of management. In other words, when you add a group to an administrative unit, the users belonging to that group will not come under the administrative unit’s control. This means that the admins assigned to the administrative unit will only be able to manage the group object, not the user objects within the group. Only users that are directly added to the administrative unit can be managed by the assigned admins.  

For example, consider the administrative unit (AU) New Jersey, which contains two users, David Rose and Sheldon Cooper. 

New Jersey AU also contains a group named Test, which has two members, Jack Prichett and Phil. 

A User administrator (Chris Green) has been assigned to the New Jersey AU.

Chris, being the User administrator of New Jersey AU, can reset the password for both Sheldon and David. Whereas, when Chris tries to reset the password for either Jack or Phil, an error message is displayed. 

This is because Jack and Phil are not members of the New Jersey AU, rather, they are members of the Test group which is a member of the New Jersey AU. Chris can therefore update the settings of the Test group, not that of the users within the group. 

Lack of dynamic membership and group inheritance may appear to be significant limitations at first, but there are good reasons for these restrictions, as mentioned below: 

If dynamic membership were allowed, it would be possible for anyone who can modify the user attribute to change administrative unit membership. For example, if an attribute such as "department" were considered to manage administrative unit membership, a User administrator could modify certain users’ departments, and thereby change the administrative unit membership.  

If group inheritance were allowed, someone who had the ability to change group membership could also modify the administrative unit membership. For example, a Groups administrator or Groups owner could add more users to a group, and thereby change the administrative unit membership. 

In both these scenarios, users other than the Global administrator and Privileged role administrator could modify the administrative unit membership, and this would compromise the integrity of the administrative unit. 

Click here to view the current support provided by Microsoft for various administrative unit scenarios, via the Azure portal, Microsoft 365 admin center, and Graph/PowerShell.

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization, including administrative units. It provides time-based and approval-based role activation.  With PIM, organizations can give users just-in-time privileged access to Azure AD resources and can oversee what those users are doing with their privileged access. 

Provide just-in-time privileged access to Azure AD and Azure resources 

Assign time-bound access to resources using start and end dates 

Require approval to activate privileged roles 

Enforce multi-factor authentication to activate any role 

Use justification to understand why users activate 

Get notifications when privileged roles are activated 

Conduct access reviews to ensure users still need roles 

Download audit history for internal or external audit 

Refer to the following Microsoft documentations for a detailed understanding of Privileged Identity Management: 

What is Privileged Identity Management?  

Plan a Privileged Identity Management deployment

Azure AD administrative units are integrated with Privileged Identity Management. This reinforces the principle of least privilege with just-in-time administrative access to an administrative unit.  

Note: Using Privileged Identity Management requires an Azure AD Premium P2 license. For details, see  License requirements to use Privileged Identity Management. 

With the Azure Active Directory Privileged Identity Management (PIM) service, Privileged role admins or Global admins can make permanent or time-bound admin role assignments. They can also assign users as active or eligible administrators. (Refer to the steps below) 

Since Azure AD administrative units are integrated with Privileged Identity Management, you can define whether you want the role assignment to be active/eligible and permanent/time-bound when you assign an AU-scoped role to a user.   To assign an administrative unit scoped role using PIM service, follow the below steps: 

Note: You need to be a Privileged role admin or Global admin for this. 

Step 1: Open the administrative unit for which you need to assign an admin. Navigate to Roles and  administrators, and select the role you need to assign. 

Step 2: Click on +Add assignments. This will take you to the Add assignments page. Select the member to be assigned to the role, and click Next.

Step 3:  In the Assignment type list on the Setting pane, select the required assignment type. 

Eligible assignments require the member of the role to perform an action (after the role has been assigned to them) to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. 

Active assignments don't require the member to perform any action to use the role. Members assigned as active will have the privileges associated with the role immediately after the assignment has been made. 

Step 4: Specify the assignment duration and click Assign to create the new role assignment. 

Permanent assignments : Have no expiration date. Use this option for permanent workers who frequently need the role permissions. 

Time-bound assignments:  Expires at the end of a specified period. Use this option with temporary or contract workers who require the role only for a specified duration. 

My Staff portal (mystaff.microsoft.com) is based on administrative units, and it allows delegated administrators to perform a limited set of account maintenance actions, including password reset, without signing into the Azure AD portal. Using this portal, an AU administrator can manage the members of the specific administrative unit (AU).  

The following are the tasks that administrators can perform via My Staff portal, for the users in their scope: 

For example, a local team manager can reset passwords or edit phone numbers of their team members, so that the users who can't access their accounts can regain access in just a couple of clicks, with no helpdesk or IT staff involvement.

The My Staff feature has to be enabled in the Azure Active Directory so that team managers can access the portal to manage common tasks for their team members. To enable My Staff, follow the below steps: 

Step 1: Sign in to the Azure portal or Azure AD admin center as a User administrator or Global administrator. 

Step 2: Select Azure Active Directory -> User settings -> Manage user feature settings. 

Step 3: Enable the feature for all users or a group of users, and click Save.

Actionable insights, best practices and tips for IT admins to protect SaaS data.

Explore SaaS 
data protection center

Get expert insights on SaaS data and security

A Complete Guide to Azure AD Administrative Units

I acknowledge cookies need to be deleted from my browser to remove tracking.

Ensure complete tracking removal by deleting cookies from your browser. Click here to learn how.

These cookies are set through our site by a range of third-party social media services that we have added to the site to enable you to share our content with your friends and networks. These cookies are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies, you may not be able to use or see the social media sharing tools.

These cookies are necessary for the website to function and allow us to count visits and traffic sources so we can measure and improve the performance of our site. The cookies may be set by us or third-party providers in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. All information these cookies collect is aggregated and therefore anonymous.

This website uses cookies. We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.Learn more about how we process personal data in our  Privacy Policy.

These cookies are set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They are based on uniquely identifying your browser and internet device. If you disable these cookies, you will experience fewer or no targeted advertising. You may still see advertisements.

A Complete Guide to Google Drive Backup

Gmail Backup: How to Backup Gmail Emails for Business (Step-By-Step Guide)

What Is Google Vault? How Is It Different from Backup?

12 Reasons Why You Need Google Workspace Backup

How to Back Up Outlook Emails: A Step-by-Step Guide

An Admin’s Guide to SharePoint Online Backup

10 Critical Reasons to Backup Microsoft 365 Data Immediately!

How to Backup OneDrive for Business: A Complete Guide for Admins

How to Backup Outlook Emails: A Complete Guide (with screenshots)

Microsoft Teams Recovery Wizard

Gmail Recovery Wizard

Google Classroom Recovery Wizard

Google Sites Recovery Wizard

OneDrive Recovery Wizard

SharePoint Recovery Wizard

How to Prevent Cyberbullying in Schools: Strategies, Tips, & Best Practices

Mental Health in Schools – The Ultimate Guide for School Administrators

How to Recover Deleted Emails from Gmail for Business

How to Recover Permanently Deleted Files from Google Drive for Business

How to Recover Deleted Gmail Account – A Complete Guide

How to Recover Permanently Deleted Files from OneDrive for Business

How to Recover Deleted SharePoint Files in Microsoft Office 365?

How to Recover Deleted Outlook Emails in Microsoft 365?

SaaS Backup Buying Guide

How to Transfer Your Google Drive Files to Another Account

Shared Drive for the Confused – Google Drive vs. Shared (Team) Drives

A Complete Guide to Google Organizational Units

How to Use Google Takeout for Business: A Complete Guide

How to Delete a Google and Gmail Account

How to Import MBOX into Gmail: A Step-By-Step Guide

Demystifying Google Drive Document Sharing

Google Vault: The Ultimate Guide for IT Administrators (Updated)

Google G Suite Primary Domain Change Migration Guide

Admin's Guide to Using OneDrive Shared Folder and Files

Why do IT Admins Prefer SysCloud for SaaS Backup?

FERPA Compliance: A Complete Guide for Educational Institutions

Ransomware Recovery Guide: How to Recover from a Ransomware Attack

Gmail Security Settings: Strengthen Gmail Security against Phishing and Ransomware

5 Microsoft 365 Admin Center Outlook Settings to Stop Phishing Attacks

Insider Threats : A Guide to Your Cloud Apps Security

The State of G Suite Third-Party App Security – 2018 Report

14 Types of Phishing Attacks That IT Administrators Should Watch For

16 Top Brands That Scammers Target for Brand Impersonation Attack

How to Prevent a Phishing Attack? 17 Easy Hacks for Administrators

Google Drive Security : 3 Ways to Guarantee Safety

How Compliance to PCI Can Be Achieved in Google G Suite

SOX Compliance in Google Apps

Top 3 Critical Security Mistakes When Configuring a Google Apps Domain

Delegate granular administrative rights to users effortlessly using Azure AD administrative units. Learn how to create and manage AUs, and the limitations associated.

An in-depth guide to delegating granular administrative rights to users effortlessly using Azure AD administrative units. Learn how to create and manage AUs, and the limitations associated.

A Complete Guide to Azure AD Administrative Units

An introduction to Azure AD administrative units

Why do you need administrative units?

Manage administrative units in Azure Active Directory

Licensing requirements

Create an administrative unit

Add users to an administrative unit

Add groups to an administrative unit

Assign admin roles for an administrative unit

How inheritance works for groups in administrative units

Administrative units and Privileged Identity Management

Key features of Privileged Identity Management

Assign scoped roles in Privileged Identity Management

Administrative units and My Staff portal

How to enable My Staff in Azure Active Directory

How My Staff works

How to reset a user password

Limitations of administrative units

Frequently asked questions on Azure AD administrative units