Administrators moving from the on-premises world into cloud identity and access management need to understand how to create Microsoft Entra ID administrative units. This AZ-104 guide explains what Microsoft Entra ID administrative units are, why they exist, and how they are configured.

What are Microsoft Entra ID Administrative units (AU)?

Microsoft Entra ID administrative units (AUs), formerly Azure AD administrative units, are a fundamental element of Microsoft Entra ID (Azure Active Directory, or Azure AD) that lets administrators scope role permissions to a subset of the directory instead of the whole tenant.

By creating administrative units, you can simplify permissions management in Microsoft Entra ID. Administrative units can contain not only users but also groups. By default, the Global Administrator, Privileged Role Administrator, and User Administrator roles can manage administrative units.

Understanding Administrative Unit Scope

Administrative unit scope defines which objects an administrator can manage, and with which permissions, within an administrative unit. It is the foundation of delegated administration in Microsoft Entra ID.

You can restrict a role's permissions to just the portion of your organization that needs them. For example, many organizations define administrative units to delegate support roles to specific regions. A user can also be a member of multiple administrative units, depending on resource access needs: a help desk technician could be a member of both the “New York” and “IT” administrative units.

Things to understand about groups

Incorporating a group into an administrative unit places the group within the administrative unit’s management scope, yet it doesn’t extend to the members of the group. Essentially, an administrator with a scope confined to the administrative unit has the authority to manage aspects of the group, like its name or membership.

However, they lack the authority to manage the properties of the users or devices within that group, unless those users and devices are independently included as members of the administrative unit.

Usefulness in large organizations

Administrative units are especially useful in very large organizations where some administrators should have access and control limited to their own business unit or division.

Microsoft provides an example of a large university that has many divisions and smaller educational structures underneath.

In the infographic below, each administrative unit has a user admin, groups admin, license admin, and helpdesk admin. Scoping each administrator's permissions to the administrative unit ensures their privileges extend only to their own business unit.

Limitations of administrative units

There are a couple of limitations of administrative units to note:

  • Unlike Organizational Units in Active Directory Domain Services (AD DS), you can’t nest Administrative Units (AUs)
  • AUs are not available in Microsoft Entra ID Governance

Roles that can be assigned within an AU

There are a few roles that can be assigned within an AU:

  • Authentication administrator
  • Groups administrator
  • Help desk administrator
  • License administrator
  • Password administrator
  • User administrator

The Process to create administrative units and manage users

This section walks step by step through creating an administrative unit in Microsoft Entra ID (Azure AD), assigning a scoped role to it, and adding the members that role may manage.

First, navigate to Manage > Administrative units.

From here, launch the Add administrative unit wizard. Name the AU and optionally enter a description. You can also mark the AU as a Restricted management administrative unit: choose this if you do not want tenant-level administrator role assignments to carry over to the objects in this administrative unit, so that only administrators explicitly assigned a role scoped to the unit can manage its members.

On the Assign roles page, we can assign users to the roles listed; these are the roles that can be scoped to an administrative unit. Here, we are going to assign a Helpdesk Administrator: click the role. Assigning a role through the administrative unit scopes the assignee's permissions to that unit's members rather than the whole tenant.

Next, we assign the users that will be members of that role. Click Add.

Now, we see we have (1) assigned. Click Review + create.

Finally, click Create.

The administrative unit is created successfully.

Adding members to an administrative unit

Now we add members to the administrative unit; these are the objects the new Helpdesk Administrator will be allowed to manage.

Select the users and then click Select.

The user has now been added to the new administrative unit.

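The portal steps above (create the unit, optionally as a restricted management AU, scope Helpdesk Administrator to it, then add members) map onto a handful of Microsoft Graph calls, which is how you would script this for many regions or business units. The following is an added example in Python, not the article's own code and not Microsoft's; it runs as a dry run by default and records the requests it would send. The object IDs and the access token are constructed placeholders, and obtaining a token (for example with MSAL) is outside the example. It also shows the point made under "Things to understand about groups": a group is added as a single object, and its members are not in scope unless added individually.

```python
"""Microsoft Graph requests behind the portal steps above.  Added example, not the
article's or Microsoft's code.  Dry run by default: requests are recorded, not sent.
Pass a real bearer token and dry_run=False to execute them against a tenant.
All object IDs used below are constructed placeholders."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class GraphClient:
    token: str = "<access-token-placeholder>"   # assumed to come from MSAL or similar
    dry_run: bool = True
    sent: list = field(default_factory=list)    # (method, path, body) log for review

    def call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        self.sent.append((method, path, body))
        if self.dry_run:                        # fake ids so later calls can chain
            return {"id": f"dryrun-{len(self.sent)}", "value": []}
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            GRAPH + path, data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()                   # $ref POSTs return 204 with no body
        return json.loads(raw) if raw else {}


def au_payload(name: str, description: str = "", restricted: bool = False) -> dict:
    """Body for POST /directory/administrativeUnits.  isMemberManagementRestricted is
    the 'Restricted management administrative unit' option from the wizard."""
    body = {"displayName": name, "description": description}
    if restricted:
        body["isMemberManagementRestricted"] = True
    return body


def role_definition_id(client: GraphClient, display_name: str) -> str:
    """Resolve a built-in role (e.g. 'Helpdesk Administrator') to its definition id
    at run time instead of hard-coding template GUIDs."""
    if client.dry_run:
        return f"dryrun-roledef:{display_name}"
    flt = urllib.parse.quote(f"displayName eq '{display_name}'")
    found = client.call("GET", f"/roleManagement/directory/roleDefinitions?$filter={flt}")
    if not found.get("value"):
        raise LookupError(f"no role definition named {display_name!r}")
    return found["value"][0]["id"]


def scoped_assignment(au_id: str, principal_id: str, role_def_id: str) -> dict:
    """Body for POST /roleManagement/directory/roleAssignments.  directoryScopeId is
    what confines the assignee to this unit; a tenant-wide assignment uses '/'."""
    return {"principalId": principal_id,
            "roleDefinitionId": role_def_id,
            "directoryScopeId": f"/administrativeUnits/{au_id}"}


def delegate_helpdesk(client: GraphClient, au_name: str, technician_id: str,
                      user_ids, group_ids=(), restricted: bool = True) -> str:
    """Create the AU, scope Helpdesk Administrator to it, add members; return AU id."""
    au_id = client.call("POST", "/directory/administrativeUnits",
                        au_payload(au_name, f"{au_name} help desk scope", restricted))["id"]
    client.call("POST", "/roleManagement/directory/roleAssignments",
                scoped_assignment(au_id, technician_id,
                                  role_definition_id(client, "Helpdesk Administrator")))
    # Members are added one $ref at a time.  A group added here is managed as an
    # object (name, membership); its members are NOT in scope unless added as well.
    for kind, ids in (("users", user_ids), ("groups", group_ids)):
        for oid in ids:
            client.call("POST", f"/directory/administrativeUnits/{au_id}/members/$ref",
                        {"@odata.id": f"{GRAPH}/{kind}/{oid}"})
    return au_id


if __name__ == "__main__":
    c = GraphClient()                           # dry run: nothing leaves the machine
    delegate_helpdesk(c, "New York", "tech-placeholder-id",
                      ["user-placeholder-1", "user-placeholder-2"],
                      group_ids=["group-placeholder-1"])
    for method, path, body in c.sent:
        print(method, path, json.dumps(body) if body else "")
```

Reviewing the recorded requests before flipping `dry_run` off is a cheap way to catch a missing `directoryScopeId` (which would silently grant the role tenant-wide) or a forgotten `isMemberManagementRestricted`, which the portal only lets you set at creation time.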

Dynamic Membership Rules

Dynamic membership rules automate membership management within administrative units: instead of selecting members by hand as in the previous step, you define criteria, and objects that match them are added or removed automatically. Understanding these rules matters because they keep administrative unit membership current without manual maintenance.
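Before committing a dynamic rule, it helps to see which accounts it would actually pull into the unit, since an over-broad rule hands the scoped administrators more objects than intended. The following is an added example, not the article's or Microsoft's code: a small offline evaluator for the rule syntax Entra ID uses (`user.property -operator value`, combined with `-and`, `-or`, `-not` and parentheses), run against a constructed set of sample users. It assumes case-insensitive string comparison and the conventional precedence of `-not` over `-and` over `-or`; the sample rule is fully parenthesized so it does not depend on that assumption, and real rules should be written the same way.

```python
"""Offline evaluator for Entra ID dynamic membership rule syntax.  Added example,
not the article's or Microsoft's code.  Assumptions: string comparisons are
case-insensitive; -not binds tighter than -and, which binds tighter than -or."""
import re

# Token classes: parens, list brackets, comma, quoted string, -operator,
# user.property.  Any other text in the rule is a syntax error.
TOKEN_RE = re.compile(r'\(|\)|\[|\]|,|"[^"]*"|-[A-Za-z]+|user\.[A-Za-z0-9_]+')


def tokenize(rule: str) -> list:
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(rule):
        if rule[pos:m.start()].strip():
            raise ValueError(f"unexpected text {rule[pos:m.start()].strip()!r}")
        tokens.append(m.group())
        pos = m.end()
    if rule[pos:].strip():
        raise ValueError(f"unexpected text {rule[pos:].strip()!r}")
    return tokens


def _s(v) -> str:
    return "" if v is None else str(v).lower()      # null-safe, case-insensitive


COMPARATORS = {
    "-eq": lambda a, b: _s(a) == _s(b),
    "-ne": lambda a, b: _s(a) != _s(b),
    "-startswith": lambda a, b: _s(a).startswith(_s(b)),
    "-contains": lambda a, b: _s(b) in _s(a),
    "-in": lambda a, b: _s(a) in {_s(x) for x in b},
    "-notin": lambda a, b: _s(a) not in {_s(x) for x in b},
}


def parse(rule: str):
    """Recursive descent (or -> and -> not -> atom) producing a tuple AST."""
    toks = tokenize(rule)

    def peek():
        return toks[0].lower() if toks else ""

    def take(expected=None):
        if not toks or (expected and toks[0] != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {toks[:1]}")
        return toks.pop(0)

    def expr_or():
        node = expr_and()
        while peek() == "-or":
            take()
            node = ("or", node, expr_and())
        return node

    def expr_and():
        node = expr_not()
        while peek() == "-and":
            take()
            node = ("and", node, expr_not())
        return node

    def expr_not():
        if peek() == "-not":
            take()
            return ("not", expr_not())
        return atom()

    def atom():
        if peek() == "(":
            take("(")
            node = expr_or()
            take(")")
            return node
        prop, op = take(), take().lower()
        if not prop.startswith("user.") or op not in COMPARATORS:
            raise ValueError(f"bad comparison {prop} {op}")
        val = value()
        if isinstance(val, list) != (op in ("-in", "-notin")):
            raise ValueError("list values go only with -in / -notIn")
        return ("cmp", prop[5:], op, val)

    def value():
        if peek() != "[":                           # plain quoted string
            tok = take()
            if not tok.startswith('"'):
                raise ValueError(f"expected a quoted string, got {tok!r}")
            return tok[1:-1]
        take("[")                                   # list literal for -in / -notIn
        items = []
        while peek() != "]":
            items.append(value())
            if peek() == ",":
                take()
        take("]")
        return items

    tree = expr_or()
    if toks:
        raise ValueError(f"trailing token {toks[0]!r}")
    return tree


def evaluate(node, user: dict) -> bool:
    kind = node[0]
    if kind == "cmp":                               # missing attribute acts as null
        return COMPARATORS[node[2]](user.get(node[1]), node[3])
    if kind == "not":
        return not evaluate(node[1], user)
    left, right = evaluate(node[1], user), evaluate(node[2], user)
    return (left or right) if kind == "or" else (left and right)


def members_for_rule(rule: str, users) -> list:
    """UPNs of the users the rule would place in the administrative unit."""
    tree = parse(rule)
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))


# Constructed sample users, not real accounts.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "IT", "country": "US", "jobTitle": "Helpdesk Technician"},
    {"userPrincipalName": "bob@contoso.example", "department": "IT", "country": "US", "jobTitle": "Intern, Helpdesk"},
    {"userPrincipalName": "carol@contoso.example", "department": "Sales", "country": "US", "jobTitle": "Account Manager"},
    {"userPrincipalName": "dave@contoso.example", "department": "it", "country": "CA", "jobTitle": "Systems Engineer"},
    {"userPrincipalName": "erin@contoso.example", "department": "IT", "country": None, "jobTitle": "Network Engineer"},
]
IT_NORTH_AMERICA_RULE = ('(user.department -eq "IT") -and (user.country -in ["US", "CA"]) '
                         '-and -not (user.jobTitle -startsWith "Intern")')

if __name__ == "__main__":
    print(members_for_rule(IT_NORTH_AMERICA_RULE, SAMPLE_USERS))    # alice and dave
```

Feeding the evaluator an export of your directory's user attributes lets you diff the resulting membership against what you expect before the rule goes live, and the parser rejecting unknown operators or misplaced list values catches the typos that would otherwise only surface as an empty or over-full unit.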

Frequently Asked Questions

What tools are essential for creating Entra ID Administrative Units?

  • Azure Portal and Azure AD Admin Center are primary tools for creating and managing administrative units. Additionally, understanding Microsoft Graph API is beneficial for programmatically managing Azure AD resources.

How do Dynamic Membership Rules enhance Administrative Units management?

  • Dynamic membership rules automate membership management within administrative units, so membership stays current as objects change without manual updates.

What roles can manage Administrative Units?

  • Roles like Global Administrator, Privileged Role Administrator, and User Administrator have the necessary permissions to manage administrative units, making them crucial roles in Azure AD management.

Is there a limit to the number of Administrative Units one can create?

  • There isn’t a specified limit on the number of administrative units you can create. However, organizing them efficiently is crucial to ensure streamlined Azure AD management.

Can I assign administrative roles to specific Administrative Units?

  • Yes, assigning administrative roles to specific administrative units is possible and is a part of managing administrative permissions efficiently within Azure AD.

Wrapping up

In this guide, we have looked more closely at administrative units, what they are, and how you create them. Be familiar with creating Entra ID Administrative Units for the AZ-104 exam. With a structured approach to managing Azure AD resources, mastering administrative units helps to enforce security boundaries, role-based access control (RBAC), and other best practices.
