Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management (IAM) service, with over 420 million daily active users.IT admins use Azure AD to manage role permissions and control users’ access to apps and resources. This article looks at administrative units, an Azure AD resource used to limit administrative scope within Azure Active Directory.
Microsoft defines an administrative unit as an Azure Active Directory (Azure AD) resource that can be a container for other Azure AD resources. Administrative units allow an organization to grant admin permissions that are restricted to a department, region, or any other segment of the organization that you define. An administrative unit can contain only users and groups.
For example, assigning a user to the “User Administrator” role in Azure AD will give them the rights to manage all the users in the organization, which might not always be required. This goes against Microsoft’s principle of least privilege, which states that users and applications should be granted the minimum level of access needed to perform required tasks.
Note: Only the following Azure AD roles can be assigned to an administrative unit: Authentication administrator, Password administrator, User administrator, Helpdesk administrator, License administrator, and Groups administrator
Note: You need to be a Privileged Role Administrator or Global Administrator to manage (create, remove, populate, and add roles to) administrative units.
Step 2: Navigate to Azure Active Directory -> Administrative units.
Step 3: Select the +Add button at the top of the pane, enter a name and description for the administrative unit, and click on the Review + create button at the bottom. This will take you to the Assign roles section
Step 4: You can select an administrative role from the given list and assign a user to the role. You can skip this step if you want to only create an administrative unit for now, and assign administrative roles later.
Step 5: Click either Review + create or Next : Review + create button to review the properties and assignments, and click on the Create button. This will create a new administrative unit in the Azure Active Directory.
Note: You can only manually add users to an administrative unit. Adding users to an administrative unit dynamically based on an object property is not supported.
Step 2: Select Azure Active Directory -> Administrative units, and then select the administrative unit to which the user needs to be added.
Step 3: Select Users -> +Add member and on the Add member pane, select one or more users that you want to add to the administrative unit.
Step 2: Select Azure Active Directory > Users and select the user to be assigned to an administrative unit. This will open the user’s profile.
Step 3: Select Administrative units. To assign the user to one or more administrative units, select +Assign to administrative unit and on the right pane, select the administrative units to which you want to assign the user.
Step 2: Select the administrative unit to which you want to add users.
Step 3: Select Users -> Bulk activities -> Bulk add members. Upload the CSV file containing all the users.
Note: Dynamic groups cannot be added to an administrative unit.
Step 2: Select Azure Active Directory -> Administrative units. Click on the administrative unit to which you want to add groups..
Step 3: Navigate to Groups -> +Add. The right pane lists all the available groups in your organization. Select the groups you want to add to the administrative unit.
Step 2: Select Azure Active Directory -> Groups. Open the group that you need to add and navigate to Administrative units-> +Assign to administrative unit. This will display a list of administrative units in your organization.
Step 3: Select the administrative units to which you want to assign the group. This will add the group to the selected administrative units.
View the roles that are available to be assigned with administrative unit scope. Each role is independent from the global roles (roles with global scope) in Azure AD. Therefore, by using scoped roles, you can easily delegate administrative privileges to users who should only administer a specific administrative unit.
Step 2: Navigate to Azure Active Directory -> Administrative units, and then select the administrative unit to which you want to assign a user role scope. On the left pane, select Roles and administrators to view a list of all the available roles. Select the role that you need to assign to a user, for example, User administrator role.
Step 3: Click on the +Add assignments button. On the Add assignments pane, select the user(s) to be assigned to the role.
Note: To assign admin roles at an administrative unit level, your organization needs Azure AD Premium P1 or P2 license. If not, the "+Add assignments" button will be greyed out as shown in the above screenshot.
Click here to view the current support provided by Microsoft for various administrative unit scenarios, via the Azure portal, Microsoft 365 admin center, and Graph/PowerShell.
Note: You need to be a Privileged role admin or Global admin for this.
Step 1: Open the administrative unit for which you need to assign an admin. Navigate to Roles and administrators, and select the role you need to assign.
Step 2: Click on +Add assignments. This will take you to the Add assignments page. Select the member to be assigned to the role, and click Next.
Step 3: In the Assignment type list on the Setting pane, select the required assignment type.
Eligible assignments require the member of the role to perform an action (after the role has been assigned to them) to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
Active assignments don't require the member to perform any action to use the role. Members assigned as active will have the privileges associated with the role immediately after the assignment has been made.
Step 4: Specify the assignment duration and click Assign to create the new role assignment.
Permanent assignments : Have no expiration date. Use this option for permanent workers who frequently need the role permissions.
Time-bound assignments: Expires at the end of a specified period. Use this option with temporary or contract workers who require the role only for a specified duration.
My Staff portal (mystaff.microsoft.com) is based on administrative units, and it allows delegated administrators to perform a limited set of account maintenance actions, including password reset, without signing into the Azure AD portal. Using this portal, an AU administrator can manage the members of the specific administrative unit (AU).
Step 2: Select Azure Active Directory -> User settings -> Manage user feature settings.
Step 3: Enable the feature for all users or a group of users, and click Save.
Note: Only users who've been assigned an admin role can access the My Staff portal . If you enable My Staff for a user who is not assigned an admin role, they won't be able to access the portal.
When a delegated administrator goes to the My Staff portal, they are shown the names of the administrative units over which they have administrative permissions. If an administrator's permissions do not have an administrative unit scope, the permissions apply across the organization. After My Staff has been enabled for your organization, the users who are enabled and have been assigned an administrative role can access it at https://mystaff.microsoft.com. They can select an administrative unit to view the users in that unit, and select a user to open their profile.
Chris can now use the My Staff portal to manage all the members in the New Jersey administrative unit.
Step 2: Select the administrative unit that contains the team member whose password has to be reset. This will display all the members in the selected administrative unit. (Refer to the screenshots in the above section)
Step 3: Open the member’s profile. Click on Reset password -> Continue to reset the password.
Note: The “Add phone number” option is greyed out in the above screenshot since the selected admin (Chris Green, in this case) has only User admin permissions assigned. A user admin can only reset the password, not add or edit phone numbers. To manage the phone numbers of users in an administrative unit, one needs to be assigned as an Authentication admin for that administrative unit. Learn how to manage users’ phone numbers from the My Staff portal.
Read the My Staff user documentation provided by Microsoft to learn more on how a team manager can use the My Staff portal. In the documentation, the term “locations” is used to refer to administrative units.
1. I am a delegated Password/User administrator for an administrative unit. Why am I unable to reset a specific user's password?
(a) An AU-scoped admin can only manage users who belong to that administrative unit. Make sure that the user belongs to the administrative unit to which you've been assigned.
2. Can a user or a group belong to more than one administrative unit?
Yes, a user or a group can belong to multiple administrative units. This is one of the major differences between Azure AD administrative units and Google organizational units.
3. I added a group to an administrative unit. Why are the group members not showing up in the administrative unit?
4. Can administrative units be nested?
5. How are administrative units different from groups in Azure Active Directory?
Azure AD administrative units are used to restrict the scope of administrative role assignments whereas Azure AD groups are used to manage users’ access to apps and resources. Using groups lets the resource owner (or Azure AD directory owner) assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one. Read Manage app and resource access using Azure Active Directory groups to learn more.