Larger organizations almost always subdivide administrative responsibilities as a way of keeping any one person from having excessive permissions and as a way of keeping administrators from being overburdened with too many responsibilities. Historically, Active Directory domains were often used to limit the scope of administrative authority. An administrator might, for instance, have administrative permissions in one Active Directory domain, but not another. Even though the need for limiting administrative scope has been well established, separation of administrative boundaries has typically been difficult to achieve in Microsoft 365. While there are role-based access control mechanisms that can be used to control what an administrator is able to do in the various Microsoft Office applications, all of those applications have a dependency on Azure AD, and limiting administrative scope in Azure AD can be difficult. One of the best tools for limiting administrative scope in Azure AD is a mechanism called administrative units. Before I show you how administrative units work, I need to point out that to use them you will need an Azure AD Premium license in addition to your Microsoft 365 licenses.
To create an administrative unit, open the Azure Active Directory admin center and then click on the administrative units tab. You can find this tab in the Manage section, as shown in the screenshot below.
Click the Add button to create a new administrative unit. Upon doing so, you will see a screen like the one that is shown below, asking you to provide a name and a description for the new administrative unit. It’s a good idea to use a name that reflects the administrative unit’s purpose. Suppose, for example, that you were creating a separate administrative unit for each of your organization’s branch offices. You might name the administrative unit after the office that it will service.
The next step in the process is to assign roles to the administrative unit. Click on the Next: Assign Roles button shown at the bottom of the previous figure. When you do, you will be taken to the Assign Roles screen, shown in the next figure.
You are going to need to assign some roles to the new administrative unit. As you look at the screenshot above, you can see that there are several predefined roles that can be assigned to the new Azure AD administrative unit. A description appears just to the right of each role name. For example, a Groups Administrator has the ability to perform group management tasks, but only within the scope of the administrative unit.
When you assign a role to an administrative unit, you must also tell Microsoft 365 who will be performing the role. For example, suppose for a moment that you decide to add a Groups Administrator to the new administrative unit that you are creating. You might have noticed in the previous screenshot that all of the role names are hyperlinked. Clicking on the Groups Administrator role (or on any other role for that matter) causes the Azure Active Directory admin center to display a list of the users within your organization. You will need to click on the user accounts to whom you want to delegate the role. As you do, those users are added to a Selected Items list. If you accidentally add the wrong user to this list, you can use a Remove button to remove the user from the list. You can see what this looks like in the screenshot below.
Once the list of selected users is complete, click the Add button. When you do, you should see the Assigned count increase for the selected role. Now, go ahead and assign any other required roles. When you are done, click the Review + Create button. This will cause the Azure Active Directory admin center to display the administrative unit’s name and description, as well as any role assignments that you are making. Take a moment and verify that all of these details are correct. Assuming that everything looks good, go ahead and click the Create button. You will now see the new administrative unit listed within the administrative units tab, as shown below.
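The same create-and-assign steps can be scripted, which is useful when you are standing up one administrative unit per branch office. The following is an added example written against the Microsoft Graph PowerShell SDK; it is not code from the original article. It assumes the SDK is installed, that you sign in with an account allowed to manage directory roles (for example a Global Administrator or Privileged Role Administrator), and that the tenant holds the Azure AD Premium licenses mentioned above. The office name and the administrator’s user principal name are placeholders.

```powershell
# Added example (not from the original article): create an administrative unit and
# give one administrator the Groups Administrator role scoped to that unit only.
# Assumes the Microsoft Graph PowerShell SDK; names and UPNs below are placeholders.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

$auName   = "Branch Office - Denver"      # placeholder: name the unit after the office it serves
$adminUpn = "au-admin@contoso.example"     # placeholder: the account that will hold the scoped role
$roleName = "Groups Administrator"

# 1. Create the administrative unit (the equivalent of clicking Add on the administrative units tab).
$au = New-MgDirectoryAdministrativeUnit -DisplayName $auName -Description "Users and groups for the $auName office"

# 2. Resolve the directory role. Get-MgDirectoryRole returns only roles that have already
#    been activated in the tenant, so activate the role from its template if it is missing.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# 3. Assign the role to the administrator, scoped to this administrative unit rather than the whole tenant.
$admin = Get-MgUser -Filter "userPrincipalName eq '$adminUpn'"
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ Id = $admin.Id }

# 4. Review the result, as you would on the Review + Create screen: one row per scoped assignment.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object @{ n = 'Role';   e = { (Get-MgDirectoryRole -DirectoryRoleId $_.RoleId).DisplayName } },
                  @{ n = 'Member'; e = { $_.RoleMemberInfo.DisplayName } }
```

The final listing is the check worth keeping around: a scoped role assignment should appear only under the administrative unit it belongs to, and the same administrator should not also show up in the tenant-wide membership of that role.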
Even though we have created an administrative unit, it doesn’t do anything yet. As it stands right now, the administrative unit is just a collection of role assignments that don’t pertain to anything.
The key to using administrative units as a tool for allowing administrators to manage resources, but within a limited scope, is to add resources to the administrative unit. You can add users and groups. Admins will be able to manage these users and groups within the scope of the role assignments that you made earlier.
To add users and groups to an administrative unit, click on the administrative unit. This will take you to a screen like the one that is shown below.
As you can see in the figure, this screen contains tabs for both users and groups. You can add users by going to the Users tab and clicking the Add Member button. When you do, you will see a list of users. You can add users to the administrative unit simply by selecting them. When you are done, click the Select button. Group assignments work in exactly the same way.
One thing to keep in mind is that when you add users and groups to an administrative unit, you are not making any changes to the users’ or groups’ own permissions. You are simply giving permission for the role members (the administrators) to manage those users and groups within the context of the role assignments that you put into place earlier. Of course, you can always go back and change these role assignments later on.
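Populating the unit can be scripted in the same way. This is an added example written for the Microsoft Graph PowerShell SDK, not code from the original article; it assumes the administrative unit already exists, that you sign in with the scopes listed at the top of the script, and that the unit name, user principal names and group name are placeholders for your own tenant’s values.

```powershell
# Added example (not from the original article): add users and a group to an existing
# administrative unit, then list what the unit's scoped administrators can now manage.
# Assumes the Microsoft Graph PowerShell SDK; the names and UPNs below are placeholders.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "User.Read.All", "Group.Read.All"

$au        = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Branch Office - Denver'"   # placeholder unit
$userUpns  = @("alice@contoso.example", "bob@contoso.example")                                     # placeholder users
$groupName = "Denver Staff"                                                                         # placeholder group

# Membership is a reference to an existing directory object. Adding it changes nothing about
# the user's or group's own permissions; it only brings the object into the unit's management scope.
foreach ($upn in $userUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

$g = Get-MgGroup -Filter "displayName eq '$groupName'"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($g.Id)" }

# Review the scope: members come back as generic directory objects, so the object type and
# display name are read from AdditionalProperties. Anything not listed here is outside the
# reach of the roles assigned to this unit.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All | ForEach-Object {
    [pscustomobject]@{
        Type = $_.AdditionalProperties['@odata.type']
        Name = $_.AdditionalProperties['displayName']
        Id   = $_.Id
    }
}
```

Running the final listing periodically, alongside the scoped role membership listing, gives you a simple way to audit that each branch-office administrator can reach only the objects intended for that office.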