Azure AD administrative units are containers for other Azure AD resources that allow delegating administrative rights. This article gives an overview of Azure AD administrative units, explains how to create them, and shows you how to assign rights.
By Travis Roberts

The principle of least privilege states that users should have the minimum privileges necessary to perform a function or task. Minimal privileges are critical to securing any environment, including Azure AD. But for many organizations, Azure AD presents a problem. An organization may be divided by region, business unit, or department but rely on a single Azure AD tenant. How do they assign rights to a service desk for a specific region or department and limit access to only the users and groups they support?

For Windows AD, this problem is solved by delegation of control. A user or group is delegated rights to the organizational unit (OU) that contains the managed users and groups. Azure AD, however, is a flat directory and lacks OUs. This is the problem that Azure AD administrative units solve. Administrative units are containers for users and groups that enable delegating administrative rights to specific users.

Without Azure AD administrative units, assigning a user to the User Administrator role in Azure AD gives them rights to manage all Azure AD users. With administrative units, the user is delegated the same role, User Administrator, but that role only applies to the specified administrative unit. The administrative unit contains the users and groups that are under the scope of management.

Azure AD administrative units are a good option for enforcing the principle of least privilege, but there are some considerations. Unlike Windows AD OUs, where user objects exist inside the OU, users are members of an administrative unit rather than objects contained in it. This distinction is important because members have to be added to or removed from an administrative unit to be included in or excluded from the scope of management. Also, adding users to an administrative unit dynamically based on an object property is not supported.

Groups can also be added to the scope of management for an administrative unit. Once added, group properties, members, and licensing settings can be updated. However, the users in that group are not included in the scope of management. Administrative unit management does not apply to the users in the group.

Administrative group inheritance


Lack of dynamic membership and group inheritance may appear to be significant limitations, but there is a good reason for these restrictions. The only roles that can create, manage, or remove administrative units are Global Admins and Privileged Role Admins.

If dynamic membership were allowed, it would be possible for someone other than a Global Admin or Privileged Role Admin to modify the user attribute and change administrative unit membership. For example, if an attribute such as "department" were sourced from Windows AD, a Windows AD Admin could modify the attribute and thereby change administrative unit membership. The same goes for group membership. If someone other than the Global Admin or Privileged Role Admin had the ability to change group membership, they could also modify administrative unit membership. Both of these scenarios would diminish the integrity of the administrative unit.

Below is a list of permissions available to manage administrative units along with the methods available for management. Notice that there is an option to bulk add and remove users based on a CSV file. Bulk operations by CSV file are a welcome option for updating a large number of objects.

| Permissions | Graph PowerShell | Azure Portal | Microsoft 365 Admin Portal |
|---|---|---|---|
| Creating and deleting administrative units | Supported | Supported | Not Supported |
| Adding and removing administrative unit members individually | Supported | Supported | Not Supported |
| Adding and removing administrative unit members in bulk by using CSV files | Not Supported | Supported | No Plans to Support |
| Assigning administrative unit-scoped administrators | Supported | Supported | Not Supported |
| Adding and removing administrative unit members dynamically based on attributes | Not Supported | Not Supported | Not Supported |

Users are assigned roles to manage the administrative unit once it is created. Permissions and methods to administrate users and groups include:

| Permissions | Graph PowerShell | Azure Portal | Microsoft 365 Admin Portal |
|---|---|---|---|
| Administrative unit-scoped management of user properties, passwords, and licenses | Supported | Supported | Supported |
| Administrative unit-scoped blocking and unblocking of user sign-ins | Supported | Supported | Supported |
| Administrative unit-scoped management of user multifactor authentication credentials | Supported | Supported | Not Supported |

Users and groups can exist in, and are managed from, the same administrative unit. As stated earlier, the scope of management does not extend to the users in the group. Users are added to the administrative unit individually or by a bulk operation. The permissions available for groups include:

| Permissions | Graph PowerShell | Azure Portal | Microsoft 365 Admin Portal |
|---|---|---|---|
| Administrative unit-scoped management of group properties and members | Supported | Supported | Not Supported |
| Administrative unit-scoped management of group licensing | Supported | Supported | Not Supported |

The options available to manage the properties of users and groups differ depending on where they are sourced. A user or group sourced from Windows AD and replicated to Azure AD with Azure AD Connect has fewer manageable properties than a user or group sourced from Azure AD.

Administrative units and privileged identity management

Azure administrative units are integrated with privileged identity management (PIM). This reinforces the principle of least privilege with just-in-time administrative access to an administrative unit. Azure PIM allows for the management, control, and monitoring of elevated access to Azure AD resources, including administrative units.

Azure administrative units and PIM are both Azure AD Premium features. An Azure AD Premium license is required for administrative access to administrative units. Users managed by administrative units do not need an Azure AD Premium license. Administrative unit members only require the Azure AD free license to be managed.

Create an administrative unit

The steps below create an administrative unit, add an administrator, and add users to the administrative unit.

Create an administrative unit by logging in as a Global Admin or Privileged Role Admin and going to Azure AD in the Azure Portal. Next, go to Administrative units under Manage.

Administrative units in Azure AD


Click Add at the top of the Administrative Unit portal to start the Administrative Unit wizard. Enter a name and an optional description.

Administrative unit properties


To assign a role to manage the administrative unit, go on to Assign roles. Select a role to assign an administrative unit administrator. This example uses the User Administrator role.

Assign roles


Search for and select a user to assign the role. Click Add to create the assignment.

Add assignments


Go to Review + create to add the administrative unit and the role assignment. Click Create to finish the administrative unit.

Add administrative unit


Add a role assignment

Adding a user assignment when creating an administrative unit gives the user an active assignment. It is possible to make a user eligible by going into the administrative unit, then to Roles and administrators, and selecting a role.

Add eligible assignment


The Assignments page displays the option to view and add active or eligible assignments. Eligible assignments enable the user to elevate their account when needed, with the option to restrict the length of time the user is eligible for elevated privileges.

Eligible and active assignments


Add members to the administrative unit

Once the administrative unit is created and roles are assigned, the next step is to add users or groups to manage. Add users by going to Users or Groups from within the administrative unit.

Users and groups


Click Add from the Users or Groups page to search for and add a user or group.

Add user or group


Individually adding users works for a small number of users or groups, but most organizations need a more robust method for adding or removing users. That's what the Bulk Operations option is for.

Bulk operations


It is possible to add or remove users by a CSV file and download a list of current users in the administrative unit. Selecting Bulk add members displays three steps to help with the process. It provides a template with the headers needed in the CSV for the bulk add process. Below is an example of a template with three users added.

Bulk add template


Note that both the version number and the "userUpn" header are required for CSV file bulk operations.

Once finished modifying the CSV, upload it to add the users to the administrative unit.
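The same procedure (create the unit, delegate a scoped User Administrator, add members from the CSV template) can be scripted with the AzureAD PowerShell module, which the tables above list as a supported method. This is an added example, not code from the article or from Microsoft; the unit name, the admin and member UPNs, and the assumption that members.csv follows the portal template layout (a version line followed by the userUpn header) are all constructed for illustration.

```powershell
# Requires the AzureAD module and a Global Admin or Privileged Role Admin session.
Connect-AzureAD

# 1. Create the administrative unit (name and description are placeholders).
$au = New-AzureADMSAdministrativeUnit -DisplayName "EMEA Service Desk" `
        -Description "Users supported by the EMEA service desk"

# 2. Delegate User Administrator scoped to this unit only.
#    The role must already be activated in the tenant to be returned here.
$role  = Get-AzureADDirectoryRole | Where-Object DisplayName -eq "User Administrator"
$admin = Get-AzureADUser -ObjectId "helpdesk.emea@contoso.example"   # placeholder UPN
$roleMember    = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$roleMember.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember

# 3. Add members from the bulk template. Assumed layout: line 1 is the version
#    line, line 2 is the "userUpn" header, one UPN per line after that.
$upns = Get-Content -Path .\members.csv | Select-Object -Skip 2 |
        Where-Object { $_.Trim() -ne "" }
foreach ($upn in $upns) {
    $user = Get-AzureADUser -Filter "UserPrincipalName eq '$upn'"
    if (-not $user) { Write-Warning "Skipping unknown user $upn"; continue }
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# 4. Verify what was delegated and who is in scope. Anything not listed here
#    is outside the delegated admin's scope of management.
Get-AzureADMSScopedRoleMembership -Id $au.Id | Select-Object RoleId, RoleMemberInfo
Get-AzureADMSAdministrativeUnitMember -Id $au.Id
```

Re-running step 4 periodically is a cheap way to confirm that the scoped assignment has not been widened to a tenant-wide role and that the member list still matches what the service desk is supposed to support.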


Conclusion

Administrative units address a common complaint about Azure AD. They provide a method to delegate administration using role-based access control to a subset of Azure AD users or groups. How you group those users will depend on your environment. While some organizations will find geographical boundaries suitable for administrative units, others may find departments or business units more suitable. For other organizations, a combination would work best. However they are deployed, administrative units provide a way of maintaining the principle of least privilege.

3 Comments
  1. Stephen Boyd (Rank: 2)
    11 months ago

    A question on this.

    The Administrative unit will restrict 'edit' access to the rest of AzureAD but it does not stop a privileged role from seeing and opening objects outside their Administrative unit from what I can tell.

    Is there a way to restrict a user admin of an administrative unit to only see objects in that unit and not the whole of AzureAD?

    Thanks

    • Author

      I don’t believe there is a way to prevent an account from viewing options in the directory.

      • Stephen Boyd (Rank: 2)
        11 months ago

        Thanks Travis. I wish they would go one more step and stop that. They (MS) must have a good reason for not doing that already. I just can't think what it might be. It certainly goes against least privilege.

© 4sysops 2006 - 2021
