What are Administrative units?
An administrative unit is an Azure AD resource that can act as a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.
An administrative unit restricts the permissions of a role to a defined part of your organization. For example, you can use administrative units to delegate a role to regional support specialists so that they can manage only the users in the region they support.
License requirements
Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and an Azure AD Free license for each administrative unit member. If you are using dynamic membership rules for administrative units, each administrative unit member requires an Azure AD Premium P1 license.
Currently supported scenarios
As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:
- Create administrative units
- Add users, groups, or devices as members of administrative units
- Manage users or devices for an administrative unit with dynamic membership rules (Preview)
- Assign IT staff to administrative unit-scoped administrator roles
Administrative unit management
| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Create or delete administrative units | ✔️ | ✔️ | ❌ |
| Add or remove members individually | ✔️ | ✔️ | ❌ |
| Add or remove members in bulk by using CSV files | ❌ | ✔️ | No plan to support |
| Assign administrative unit-scoped administrators | ✔️ | ✔️ | ❌ |
| Add or remove users or devices dynamically based on rules (Preview) | ✔️ | ✔️ | ❌ |
| Add or remove groups dynamically based on rules | ❌ | ❌ | ❌ |
User management
| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of user properties, passwords | ✔️ | ✔️ | ✔️ |
| Administrative unit-scoped management of user licenses | ✔️ | ❌ | ✔️ |
| Administrative unit-scoped blocking and unblocking of user sign-ins | ✔️ | ✔️ | ✔️ |
| Administrative unit-scoped management of user multi-factor authentication credentials | ✔️ | ✔️ | ❌ |
Group management
| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Administrative unit-scoped management of group properties and membership | ✔️ | ✔️ | ❌ |
| Administrative unit-scoped management of group licensing | ✔️ | ✔️ | ❌ |
Device management
| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |
|---|---|---|---|
| Enable, disable, or delete devices | ✔️ | ✔️ | ❌ |
| Read BitLocker recovery keys | ✔️ | ✔️ | ❌ |
Limitations
Here are some of the constraints for administrative units.
- Administrative units can’t be nested.
- Administrative unit-scoped user account administrators can’t create or delete users.
- A scoped role assignment doesn’t apply to members of groups added to an administrative unit, unless the group members are directly added to the administrative unit. For more information, see Add members to an administrative unit.
- Administrative units are currently not available in Azure AD Identity Governance.
Roles to AU
GUI
Open https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AdminUnit
Create an AU and assign roles.
Roles that can be applied.
PowerShell way
```powershell
# The user who will become an administrator of this unit (identified by UPN)
$adminUser = Get-AzureADUser -ObjectId "Use the user's UPN, who would be an admin on this unit"
# The directory role to scope to the unit (Get-AzureADDirectoryRole only lists roles already activated in the tenant)
$role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Administrator"
# The administrative unit the role assignment will be scoped to
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'The display name of the unit'"
# Wrap the user's object id in a role member info object and create the scoped assignment
$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$roleMember.Id = $adminUser.ObjectId
Add-AzureADMSScopedRoleMembership -Id $adminUnitObj.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember
```
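Once roles are scoped to a unit, the question a reviewer asks is "who can administer this unit, and exactly which objects does that cover?" The following script is an added example (not from the original post): it lists the scoped role assignments on one administrative unit, breaks down its direct members by object type, and flags the limitation noted above that a group added to the unit does not bring its members into scope. It assumes the AzureAD PowerShell module with an existing Connect-AzureAD session; the unit name is a constructed placeholder.

```powershell
# Added example: audit one administrative unit's scoped admins and membership.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
param(
    # Constructed placeholder; pass the display name of a real unit.
    [string]$AdminUnitName = "Example Admin Unit"
)

$au = Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$AdminUnitName'"
if (-not $au) { throw "Administrative unit '$AdminUnitName' not found" }

Write-Host "Administrative unit: $($au.DisplayName) ($($au.Id))"
Write-Host "Membership type:     $($au.MembershipType)"

# 1. Who holds a role scoped to this unit, and which role.
Write-Host "`nScoped role assignments:"
Get-AzureADMSScopedRoleMembership -Id $au.Id | ForEach-Object {
    $role = Get-AzureADDirectoryRole -ObjectId $_.RoleId
    [pscustomobject]@{
        Role   = $role.DisplayName
        Member = $_.RoleMemberInfo.UserPrincipalName
        Id     = $_.RoleMemberInfo.Id
    }
} | Format-Table -AutoSize

# 2. Direct members by type. Scoped roles apply only to these objects.
$members  = @(Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true)
$byType   = @{ User = @(); Group = @(); Device = @(); Other = @() }
$directId = @{}
foreach ($m in $members) {
    $directId[$m.Id] = $true
    $obj  = Get-AzureADObjectByObjectId -ObjectIds $m.Id
    $type = if ($byType.ContainsKey($obj.ObjectType)) { $obj.ObjectType } else { 'Other' }
    $byType[$type] += $obj
}
Write-Host ("Direct members: {0} users, {1} groups, {2} devices, {3} other" -f
    $byType.User.Count, $byType.Group.Count, $byType.Device.Count, $byType.Other.Count)

# 3. The limitation: a group in the unit does not put its members in scope.
#    Report group members that are not themselves direct members of the unit.
foreach ($g in $byType.Group) {
    $outside = @(Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true |
        Where-Object { -not $directId.ContainsKey($_.ObjectId) })
    if ($outside.Count -gt 0) {
        Write-Warning ("Group '{0}' is a member of the unit, but {1} of its members are not direct members; scoped admins cannot manage them" -f
            $g.DisplayName, $outside.Count)
        $outside | Select-Object ObjectType, DisplayName, UserPrincipalName | Format-Table -AutoSize
    }
}
```

Run it after every scoped assignment change; the warning in step 3 is the case people trip over most, because the portal happily shows the group inside the unit while the delegated administrator still gets "insufficient privileges" on its members.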
But there are also new features.
Devices
From GUI
PowerShell way
```powershell
# Look up the administrative unit and the device by display name
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'devices'"
$deviceObj = Get-AzureADDevice -Filter "displayname eq 'MyDevice'"
# Add the device as a member of the unit
Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $deviceObj.ObjectId
```
And also for membership.
Dynamic membership
From GUI
Seems really familiar.
So you could also use attributes from on-premises AD if needed.
PowerShell way
```powershell
# Create an administrative unit for users in Finland
$adminUnit = New-AzureADMSAdministrativeUnit -DisplayName "Example Admin Unit" -Description "Example Dynamic Membership Admin Unit" -MembershipType "Dynamic" -MembershipRuleProcessingState "On" -MembershipRule '(user.country -eq "Finland")'
```

```powershell
# Set a new dynamic membership rule for an administrative unit
Set-AzureADMSAdministrativeUnit -Id $adminUnit.Id -MembershipRule '(user.country -eq "Finland")'
```
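With a dynamic rule, membership of the unit (and therefore the reach of every role scoped to it) follows a user attribute, which may itself be synced from on-premises AD. The script below is an added example (not from the original post) that checks whether the unit's actual membership matches what the rule should produce: it reads the rule back, warns if rule processing is not "On", evaluates the simple single-attribute form used on this page client-side, and reports users that match but are not yet members and members that no longer match. It assumes the AzureAD module, an existing Connect-AzureAD session, and a rule of exactly the form `(user.country -eq "X")`; the unit name is a constructed placeholder.

```powershell
# Added example: detect drift between a dynamic rule and the unit's members.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
param(
    # Constructed placeholder; pass the display name of a real dynamic unit.
    [string]$AdminUnitName = "Example Admin Unit"
)

$au = Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$AdminUnitName'"
if (-not $au) { throw "Administrative unit '$AdminUnitName' not found" }
if ($au.MembershipType -ne 'Dynamic') { throw "'$AdminUnitName' does not use dynamic membership" }

Write-Host "Rule:             $($au.MembershipRule)"
Write-Host "Processing state: $($au.MembershipRuleProcessingState)"
if ($au.MembershipRuleProcessingState -ne 'On') {
    Write-Warning "Rule processing is not 'On'; membership will not follow attribute changes"
}

# Only the single-attribute rule shown on this page is evaluated here:
# (user.country -eq "X"). Anything else must be evaluated differently.
if ($au.MembershipRule -notmatch 'user\.country\s+-eq\s+"([^"]+)"') {
    throw "Rule is not of the form (user.country -eq ""X""); this check does not evaluate it"
}
$expectedCountry = $Matches[1]

# Users the rule should match, evaluated client-side against the Country
# attribute (avoids depending on which attributes the API can filter on).
$expected = @{}
Get-AzureADUser -All $true |
    Where-Object { $_.Country -eq $expectedCountry } |
    ForEach-Object { $expected[$_.ObjectId] = $_.UserPrincipalName }

# Users that are members of the unit right now.
$actual = @{}
foreach ($m in Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true) {
    $obj = Get-AzureADObjectByObjectId -ObjectIds $m.Id
    if ($obj.ObjectType -eq 'User') { $actual[$obj.ObjectId] = $obj.UserPrincipalName }
}

$missing = @($expected.Keys | Where-Object { -not $actual.ContainsKey($_) })
$stale   = @($actual.Keys   | Where-Object { -not $expected.ContainsKey($_) })

Write-Host ("Expected members: {0}   Actual members: {1}" -f $expected.Count, $actual.Count)
foreach ($id in $missing) { Write-Host "NOT YET IN UNIT   : $($expected[$id])" }
foreach ($id in $stale)   { Write-Host "NO LONGER MATCHES : $($actual[$id])" }
if ($missing.Count -eq 0 -and $stale.Count -eq 0) { Write-Host "Membership matches the rule." }
```

A small amount of drift right after creating the unit or changing the rule is just processing lag; persistent drift, or a processing state that is not "On", means the delegated administrators' scope is no longer what the rule says it is, which is exactly the condition worth alerting on.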