Azure AD administrative units: A go-to tool for Microsoft 365 administration

Larger organizations almost always subdivide administrative responsibilities as a way of keeping any one person from having excessive permissions and as a way of keeping administrators from being overburdened with too many responsibilities. Historically, Active Directory domains were often used to limit the scope of administrative authority. An administrator might, for instance, have administrative permissions in one Active Directory domain, but not another. Even though the need for limiting administrative scope has been well established, separation of administrative boundaries has typically been difficult to achieve in Microsoft 365. While there are role-based access control mechanisms that can be used to control what an administrator is able to do in the various Microsoft Office applications, all of those applications have a dependency on Azure AD, and limiting administrative scope in Azure AD can be difficult. One of the best tools for limiting administrative scope in Azure AD is a mechanism called administrative units. Before I show you how administrative units work, I need to point out that to use them you will need an Azure AD Premium license in addition to your Microsoft 365 licenses.

To create an administrative unit, open the Azure Active Directory admin center and then click on the administrative units tab. You can find this tab in the Manage section, as shown in the screenshot below.

Click the Add button to create a new administrative unit. Upon doing so, you will see a screen like the one that is shown below, asking you to provide a name and a description for the new administrative unit. It’s a good idea to use a name that reflects the administrative unit’s purpose. Suppose, for example, that you were creating a separate administrative unit for each of your organization’s branch offices. You might name the administrative unit after the office that it will service.

The next step in the process is to assign roles to the administrative unit. Click on the Next: Assign Roles button shown at the bottom of the previous figure. When you do, you will be taken to the Assign Roles screen, shown in the next figure.

You are going to need to assign some roles to the new administrative unit. And as you look at the screenshot above, you can see that there are several predefined roles that can be assigned to the new Azure AD administrative unit. A description appears just to the right of each role name. For example, a Groups Administrator has the ability to perform group management tasks within the scope of the administrative unit.

When you assign a role to an administrative unit, you must also tell Microsoft 365 who will be performing the role. For example, suppose for a moment that you decide to add a Groups Administrator to the new administrative unit that you are creating. You might have noticed in the previous screenshot that all of the role names are hyperlinked. Clicking on the Groups Administrator role (or on any other role for that matter) causes the Azure Active Directory admin center to display a list of the users within your organization. You will need to click on the user accounts to whom you want to delegate the role. As you do, those users are added to a Selected Items list. If you accidentally add the wrong user to this list, you can use a Remove button to remove the user from the list. You can see what this looks like in the screenshot below.

Once the list of selected users is complete, click the Add button. When you do, you should see the Assigned count increase for the selected role. Now, go ahead and assign any other required roles. When you are done, click the Review + Create button. This will cause the Azure Active Directory Admin Center to display the role’s name and description, as well as any role assignments that you are making. Take a moment and verify that all of these details are correct. Assuming that everything looks good, go ahead and click the Create button. You will now see the new administrative unit listed within the administrative units tab, as shown below.

Even though we have created an administrative unit, it doesn’t do anything yet. As it stands right now, the administrative unit is just a collection of role assignments that don’t pertain to anything.

The key to using administrative units as a tool for allowing administrators to manage resources, but within a limited scope, is to add resources to the administrative unit. You can add users and groups. Admins will be able to manage these users and groups within the scope of the role assignments that you made earlier.

To add users and groups to an administrative unit, click on the administrative unit. This will take you to a screen like the one that is shown below.

As you can see in the figure, this screen contains tabs for both users and groups. You can add users by going to the Users tab and clicking the Add Member button. When you do, you will see a list of users. You can add users to the administrative unit simply by selecting them. When you are done, click the Select button. Group assignments work in exactly the same way.

One thing to keep in mind is that when you add users and groups to an administrative unit: You are not making any changes to the user’s or group’s permissions. You are simply giving permission for the role members (the administrators) to manage the users and groups within the context of the role assignments that you put into place earlier. Of course, you can always go back and change these role assignments later on.

Featured image: Shutterstock

Brien Posey

Brien Posey is a freelance technology author and speaker with over two decades of IT experience. Prior to going freelance, Brien was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network engineer for the United States Department of Defense at Fort Knox. In addition, Brien has worked as a network administrator for some of the largest insurance companies in America. To date, Brien has received Microsoft’s MVP award numerous times in categories including Windows Server, IIS, Exchange Server, and File Systems / Storage. You can visit Brien’s Website at:

Published by
Brien Posey

Recent Posts

Operational technology security: Boost it or suffer the consequences

Companies with robust IT cyberthreat defenses don’t always have a strong operational technology security structure…

3 days ago

Running containers and virtual machines on the same bare-metal cloud

Implementing containers and virtual machines on the same bare-metal cloud can provide a cost-efficient way…

3 days ago

Global IT spending to rebound 8.4% in 2021: Gartner

IT spending in 2021 is expected to reverse its pandemic-related decline in 2020, according to…

4 days ago

Setting up Mac Mail and Outlook on Exchange 2016

Setting up Mac Mail and Microsoft Outlook on Exchange 2016 is not difficult, although there…

4 days ago

Which type of PowerShell loop should you be using?

PowerShell supports several types of loops, but not all loops are interchangeable in your scripts.…

4 days ago

Docker raises $23M — Will its new developer focus hold up to reality?

Docker has received an influx of cash as it bets on a developers’ community that…

5 days ago