
Administrative Units Management in Azure Active Directory

Written by Dominik Hoefling MVP | May 20, 2020 9:43:01 PM


Since my blog post from May 2018 about administrative units, some things have finally changed. The feature is still in preview, but it can now be managed in the Azure portal and with Microsoft Graph. Before we go into more detail, a quick recap of what administrative units are for.

Microsoft 365 comes with a set of admin roles that can be assigned to users in your organization. Each admin role maps to a common business function and gives the assignee permission to perform specific tasks in the Microsoft 365 admin center and in Windows PowerShell. This is nothing new (apart from a few new admin roles), but the same problem still exists: across the Microsoft 365 ecosystem there is no real delegation of permissions, because a role assignment applies to the whole tenant. Administrative units address this by letting you grant admin permissions that are restricted to a department, region, or other segment of your organization. An administrative unit simply groups users into a logical container, and an admin who holds a role over that unit can perform the role's tasks only against the users within its scope.

Using administrative units requires an Azure AD Premium P1 or P2 license for each administrative unit administrator. Members of an administrative unit do not need a premium license.

Configure and Manage Administrative Units

In this preview release, you can configure and manage administrative units with PowerShell cmdlets and scripts, with Microsoft Graph, or in the Azure portal; this post covers the portal. Have a look at the Microsoft documentation to see which features can be configured with each method.

To add an administrative unit, open the Azure portal, go to Azure Active Directory and then Administrative units (Preview), and click Add.

After the administrative unit has been created, you can add members to it (currently only users and groups) and assign roles and administrators.

As of today, the following admin roles are available:

- Authentication administrator
- Groups administrator
- Helpdesk administrator
- License administrator
- Password administrator 
- User administrator

If you click on any role, you get a detailed description of the permissions that role carries. For example, the Authentication administrator role looks like this:

Let's assume our user Christie Cline should be allowed to manage her own authentication settings in the Azure portal. We add Christie as a member of the administrative unit we just created and assign her the Authentication administrator role scoped to that unit. Because she is the only member, she is the authentication administrator for her own identity only.
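The same three steps (create the unit, add the member, assign the role scoped to the unit) scripted in PowerShell, as an added example that is not part of the original post. It assumes the AzureADPreview module the preview shipped with (Microsoft has since retired the AzureAD modules in favour of Microsoft Graph PowerShell) and a signed-in account that may create administrative units and role assignments. The UPN, unit name and description are made-up placeholders.

```powershell
# Added example: create an administrative unit, add one user as its only member,
# and give that user the Authentication Administrator role scoped to the unit.
# Assumes the AzureADPreview module and an account with Privileged Role
# Administrator or Global Administrator rights. UPN and names are placeholders.

Connect-AzureAD | Out-Null

$userUpn = 'christie.cline@contoso.onmicrosoft.com'   # assumed placeholder
$auName  = 'Self-Service Authentication'              # assumed placeholder

# 1. Create the administrative unit (the "Add" step in the portal), idempotently.
$au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) {
    $au = New-AzureADMSAdministrativeUnit -DisplayName $auName `
            -Description 'Users allowed to manage their own authentication methods'
}

# 2. Add the user as a member. Only users and groups can be members in this preview.
$user    = Get-AzureADUser -ObjectId $userUpn
$members = Get-AzureADMSAdministrativeUnitMember -Id $au.Id
if ($members.Id -notcontains $user.ObjectId) {
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# 3. Assign Authentication Administrator scoped to the unit, not to the tenant.
#    The scope '/administrativeUnits/<id>' is what makes this a delegated
#    assignment; a scope of '/' would be a tenant-wide assignment.
$role  = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Authentication Administrator'"
$scope = "/administrativeUnits/$($au.Id)"
$existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $scope }
if (-not $existing) {
    New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id `
        -PrincipalId $user.ObjectId -DirectoryScopeId $scope | Out-Null
}

# 4. Verify the result. Every assignment for this principal should carry the
#    AU scope; a DirectoryScopeId of '/' would mean Christie can reset
#    authentication methods for everyone in the tenant.
Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The check in step 4 is the one worth keeping in a recurring audit: the role definition alone does not tell you whether an assignment is delegated or tenant-wide, only the DirectoryScopeId does.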

Christie can now sign in to the Microsoft 365 admin center and sees only her own account. The left picture shows the view of a global administrator, the right picture Christie's view as authentication administrator:
Note: Christie can still see all users and some of their properties in the Azure portal and via PowerShell; only the Microsoft 365 admin center hides the other accounts from her. The administrative unit scopes the actions of her role, not the directory read permission every member of the tenant has by default. So this is not delegation in the strict sense, and that can matter for organizations whose security and compliance requirements restrict who may enumerate the directory.

Summary

Administrative units now provide an easy way to manage delegated permissions in the Azure portal and via Microsoft Graph. But only a subset of the administrative roles is available, and the management is still in an early preview state, as only users and groups can be added as members. Microsoft is working hard on this feature and we will see improvements in the future. Nevertheless, it is already a good way to delegate permissions to different administrators and departments within your organization.
