What are Administrative Units in Entra ID?


Administrative Units (AUs) in Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) are a feature that allows organizations to delegate administrative permissions and management of specific subsets of their directory in a controlled and scoped manner.

They provide a way to create administrative boundaries within a larger directory, allowing for more granular control over access and administrative tasks. Here are the key considerations and things to think about when working with Administrative Units (AUs) in Microsoft Entra ID:

1. What Are Administrative Units?

An Administrative Unit (AU) is a container within Microsoft Entra ID that you can use to organize and delegate administrative responsibilities for a subset of resources or users in your organization.

It is a logical boundary that allows you to apply role-based access control (RBAC) and manage user objects in a decentralized manner, without giving administrative rights over the entire directory.

AUs can be used for

  • Assigning specific users, groups, and devices to an administrative unit.

  • Delegating administrative roles to specific users or groups within the AU.

  • Managing resources for different regions, departments, or business units while limiting the scope of administrative permissions.

2. Key Use Cases for Administrative Units

AUs provide flexibility in managing Azure AD resources with specific control over access and administration.

Here are some key use cases to consider

Regional Administration

In large, geographically distributed organizations, AUs can be used to represent different regions or subsidiaries.

This allows regional administrators to manage users, groups, and other resources without impacting the global directory.

Departmental Administration

AUs can represent different departments (e.g., HR, Finance, IT), allowing managers or team leads to have control over users in their department without giving them broader administrative rights over the entire organization.

Business Units or Divisions

You can create AUs to represent business units, product teams, or specific divisions, each with tailored administrative control.

For example, the Sales team can manage its users and groups independently of the Marketing team.

Delegated Role Management

AUs let you scope a built-in or custom directory role to a subset of the directory, so the people administering an area hold exactly the permissions that area needs and nothing tenant-wide.

3. Structure of Administrative Units

Administrative Units are logical containers and can be structured in the following ways:

Users

You can add individual users to an AU to manage them within a given scope (e.g., users in a specific region, department, or business unit).

Groups

Groups can be added to an AU, but be clear about what that scopes: the group object itself (its name, owners and membership list), not the users in the group. A user who belongs to a group in the AU is not in the AU unless added directly, so an AU-scoped User Administrator cannot, for example, reset that user's password on the strength of the group membership alone.

Devices

Devices (e.g., Windows PCs and mobile devices registered or joined to Entra ID) can be added so that a delegate holding Cloud Device Administrator at the AU scope can enable, disable and delete them. AU membership is an administrative scope, not a policy-targeting mechanism: Conditional Access, for instance, targets users, groups and roles, not AUs.

4. Role-Based Access Control (RBAC) in Administrative Units

One of the main reasons to use Administrative Units is to implement role-based access control (RBAC) at a more granular level.

Instead of assigning a user an admin role across the entire directory, you can assign admin roles at the AU level to allow delegation of administrative tasks.

Roles that can be assigned at AU scope include

  • User Administrator — creates and manages user accounts, resets passwords and edits user properties for users in the AU.

  • Groups Administrator — manages groups in the AU.

  • Helpdesk Administrator and Password Administrator — reset passwords for non-administrator users in the AU (Helpdesk Administrator can also revoke refresh tokens).

  • Authentication Administrator and Privileged Authentication Administrator — manage authentication methods (MFA registration, passwordless methods) for users in the AU; the privileged variant can also do this for users who hold admin roles.

  • License Administrator — assigns and removes licenses for users in the AU.

  • Cloud Device Administrator — enables, disables and deletes devices in the AU.

  • Printer Administrator, SharePoint Administrator, Teams Administrator and Teams Devices Administrator — service-specific roles that accept an AU scope.

  • Custom roles built from user, group or device permissions.

Global Administrator cannot be scoped to an AU. It, and any role not in the list above, is always tenant-wide.

Important Points

  • A role assigned at AU scope grants its permissions only over the objects (users, groups, devices) that are members of that AU; the same role assigned at tenant scope ("/") covers everything.

  • Tenant-wide roles still apply to AU members: a Global Administrator, or a User Administrator assigned at the directory level, can manage anything in any AU. The one exception is a restricted management administrative unit (RMAU): objects in an RMAU can be modified only by administrators explicitly assigned a role at that AU's scope, so tenant-wide roles, Global Administrator included, do not apply to them (Global Administrators and Privileged Role Administrators can still assign themselves a role at that scope, and the audit log records it when they do).

5. Creating and Managing Administrative Units

To create and manage Administrative Units in Entra ID you need Global Administrator or Privileged Role Administrator. The steps below use the Azure portal; in the Microsoft Entra admin center the same blade is under Identity > Roles & admins > Admin units.

Steps to Create an AU in Azure Portal

  1. Go to the Azure portal and navigate to Microsoft Entra ID > Administrative units.

  2. Click + New administrative unit.

  3. Define the AU name and description (e.g., Sales Team or North America Region).

  4. Once the AU is created, you can start adding users, groups, and devices to it.

  5. Assign roles: Once you have resources added to the AU, you can assign roles (e.g., User Administrator, Helpdesk Administrator) to the AU for specific users.
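The same procedure as a script, added to this article as an example (it is not from the original post). It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed and the caller holds Global Administrator or Privileged Role Administrator; the AU name and the two UPNs are placeholders chosen for the example.

```powershell
# Added example (not from the original article): create an AU, add a member and
# delegate User Administrator scoped to that AU with the Microsoft Graph
# PowerShell SDK. Assumes the Microsoft.Graph module is installed and the
# caller holds Global Administrator or Privileged Role Administrator.
# The AU name and UPNs are placeholders.
$scopes = @(
    "AdministrativeUnit.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "User.Read.All"
)
Connect-MgGraph -Scopes $scopes

# Steps 1-3: create the AU with a name and description.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "North America Region" `
        -Description "Users administered by the North America helpdesk"

# Step 4: add a user. Members are attached by reference, i.e. an @odata.id
# pointing at the directory object; the same call works for groups and devices
# by changing the URL segment (groups/..., devices/...).
$member = Get-MgUser -UserId "alice@contoso.example"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)" }

# Step 5: delegate User Administrator to one person, scoped to this AU only.
# The scope is the directoryScopeId "/administrativeUnits/<AU id>"; a scope of
# "/" would be a tenant-wide assignment, which is exactly what AUs let you avoid.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'User Administrator'"
$delegate = Get-MgUser -UserId "na-helpdesk-lead@contoso.example"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $delegate.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verify what the AU now contains and who holds scoped roles on it.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All |
    Select-Object RoleId, @{ n = "Principal"; e = { $_.RoleMemberInfo.DisplayName } }
```

A quick negative test of the delegation: signed in as the delegate, a password reset on a user outside the AU should be refused, while the same operation on a member of the AU succeeds.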

Managing AUs

  • You can add or remove users, groups, and devices from an AU as needed.

  • You can assign roles to users within the AU to give them administrative rights within the scope of that AU.

  • A role assigned at AU scope confers nothing outside that AU: the delegate gets no tenant-wide rights unless someone separately assigns the role at directory scope.

    • When reviewing, check both the scoped assignments on the AU and the tenant-level assignments held by the same people; it is the combination that defines what they can actually do.

6. Considerations for Using Administrative Units

When designing your administrative unit structure, there are several things to consider:

1. Granularity and Scope of Permissions

Use caution with role assignments

Granting an administrative role at the AU level means the user or group can perform actions only within that AU.

Be sure to carefully define what level of administrative control is appropriate for each group of administrators.

Limit the use of high-privilege roles

Roles such as Global Administrator and Privileged Role Administrator cannot be scoped to an AU; any assignment of them is tenant-wide. Keep them to a few named and break-glass accounts, prefer eligible (PIM) assignments over permanent ones, and never use them as a stand-in for an AU-scoped role.

2. Global vs. Local Administration

Remember that AUs allow for localized administrative control, but they do not limit the permissions of Global Administrators or users with similar global roles.

Global roles have overriding permissions across the entire directory, so it’s important to balance this with your AU design.

Differentiate administrative boundaries

You may want to create separate AUs for different regions, teams, or departments to minimize the risk of accidental exposure of sensitive data and provide better control over resources.

3. Azure AD License Requirement

Membership of an administrative unit needs no premium license: objects added to an AU are covered by Microsoft Entra ID Free. What requires a Microsoft Entra ID P1 license is each administrator who holds a role scoped to an AU, and dynamic membership rules on an AU also need P1.

Before delegating, confirm that the delegate accounts are licensed. The AU can be created and populated regardless; it is the scoped administrators that licensing counts.

4. Delegation to External Users

Guest (B2B) accounts can be AU members and can be assigned an AU-scoped role, so AUs are a workable way to give external contractors, partners or suppliers delegated administrative control.

For example, a regional manager from an external company can be given limited administrative rights to manage users or devices in their specific region. Treat such a guest like any other administrator: an eligible rather than permanent assignment, MFA enforced by Conditional Access in your tenant, and inclusion in the same access reviews as employees. A guest holding User Administrator in an AU can reset the password of every non-admin user in it.

5. Dynamic Membership and AUs

An AU can itself have a dynamic membership rule, using the same rule syntax as dynamic groups (e.g., user.department -eq "HR" or user.country -eq "United States"). Under a dynamic rule one AU holds either users or devices, not both, and dynamic membership requires Microsoft Entra ID P1.

Adding a dynamic group to an AU does not achieve the same thing: the AU then scopes the group object, not the users the rule selects. Put the rule on the AU itself when the scoped administrators are meant to manage the users.
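The difference between a dynamic AU and a group added to an AU, shown as an added example (not code from the original article). It assumes the Microsoft.Graph module, a caller who can manage AUs and groups, an Entra ID P1 tenant, and that the membershipType, membershipRule and membershipRuleProcessingState properties are accepted by the administrativeUnit resource as documented; the AU names, the department value and the group name "Sales" are placeholders.

```powershell
# Added example (not from the original article): an AU whose user membership is
# computed from a rule, contrasted with a static AU that contains a group.
# Assumes Microsoft.Graph is installed, the caller can manage AUs and groups,
# and the tenant is licensed for dynamic membership (Entra ID P1).
# AU names, the department value and the group name are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "Group.Read.All"

# A dynamic AU uses the same rule syntax as dynamic groups. One AU holds either
# users or devices, so the rule must reference a single object type.
$body = @{
    displayName                   = "HR Department"
    description                   = "All users whose department attribute is HR"
    membershipType                = "Dynamic"
    membershipRule                = '(user.department -eq "HR")'
    membershipRuleProcessingState = "On"
}
$hrAu = New-MgDirectoryAdministrativeUnit -BodyParameter $body

# Rule evaluation is asynchronous; poll for a couple of minutes, then give up.
$members = @()
for ($i = 0; $i -lt 12 -and $members.Count -eq 0; $i++) {
    Start-Sleep -Seconds 10
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $hrAu.Id -All)
}
"HR AU scopes $($members.Count) user object(s); a scoped User Administrator can manage each of them"

# Contrast: a static AU that contains a group. Only the group object is in
# scope; an AU-scoped admin can edit the group, not the people inside it.
$salesAu    = New-MgDirectoryAdministrativeUnit -DisplayName "Sales Group Owners" `
                -Description "Holds the Sales group object only"
$salesGroup = Get-MgGroup -Filter "displayName eq 'Sales'"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $salesAu.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($salesGroup.Id)" }

$inScope   = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $salesAu.Id -All)
$groupSize = @(Get-MgGroupMember -GroupId $salesGroup.Id -All).Count
"Sales AU scopes $($inScope.Count) object (the group); its $groupSize member(s) are NOT in AU scope"
```

If the goal was for a Sales helpdesk to reset Sales users' passwords, the second AU does not deliver it; a dynamic rule such as (user.department -eq "Sales") on the AU does.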

7. Reporting and Auditing

Administrative Unit operations are written to the Microsoft Entra audit log, which you can read in the portal or through Microsoft Graph (the directoryAudits resource), so you can see who changed a delegation and when.

This is useful for security and compliance purposes.

Audit logs show

  • Creation, update and deletion of AUs (category AdministrativeUnit).

  • Changes to AU membership (users, groups, devices added or removed).

  • Role assignments and removals at AU scope (recorded as role management activity).

  • The actions the delegates themselves take on in-scope objects, such as password resets or user creation, which appear in the same log with the delegate as the initiating user.
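Reading those events out of the audit log through Microsoft Graph, as an added example (not code from the original article). It assumes the Microsoft.Graph module and a caller with AuditLog.Read.All. The category value 'AdministrativeUnit' is the one shown in the audit log UI; treating a RoleManagement event as AU-related when one of its target resources has Type 'AdministrativeUnit' is an assumption to check against your own log.

```powershell
# Added example (not from the original article): pull the last seven days of
# AU-related events from the Entra audit log through Microsoft Graph.
# Assumes the Microsoft.Graph module and AuditLog.Read.All. The category value
# 'AdministrativeUnit' is the one shown in the audit log UI; treating a
# RoleManagement event as AU-related when a target resource has Type
# 'AdministrativeUnit' is an assumption to check against your own log.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDateTime ge $since and (category eq 'AdministrativeUnit' or category eq 'RoleManagement')"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Keep every AdministrativeUnit event, and only those RoleManagement events
# that touch an AU (scoped role assignments/removals), not tenant-wide changes.
$auEvents = $events | Where-Object {
    $_.Category -eq "AdministrativeUnit" -or
    @($_.TargetResources | Where-Object { $_.Type -eq "AdministrativeUnit" }).Count -gt 0
}

# One row per event: when, what, outcome, who did it (user or app), and to what.
$rows = $auEvents | Sort-Object ActivityDateTime -Descending | Select-Object `
    ActivityDateTime, ActivityDisplayName, Result,
    @{ n = "Actor";   e = { if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } } },
    @{ n = "Targets"; e = { ($_.TargetResources | ForEach-Object { "$($_.Type): $($_.DisplayName)" }) -join "; " } }
$rows | Format-Table -AutoSize

# Failures deserve a look: a delegate probing outside their AU shows up here.
$rows | Where-Object { $_.Result -ne "success" } | Format-List
```

Run on a schedule and diffed against the previous run, this gives a change feed for delegations; a new scoped assignment that nobody requested is the thing to look for.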

8. Limitations and Best Practices

When implementing Administrative Units in Microsoft Entra ID, it's essential to be aware of some limitations and follow best practices:

Limitations

  • Holders of tenant-wide roles (Global Administrator above all) retain full access to every AU's members regardless of scoped assignments; only a restricted management AU blocks that, and even there a Global Administrator can grant themselves a scoped role.

  • AUs cannot be nested within other AUs (they are flat).

  • A user or device can be a member of multiple AUs, but the roles assigned to the user in each AU are independent.

Best Practices

Plan your AU structure carefully

Think about your organizational structure, the need for delegated access, and who should have administrative control over specific subsets of users.

Minimize global admin roles

Assign global roles sparingly. Use AUs to delegate specific administrative roles wherever possible.

Regularly audit AU roles and memberships

To ensure that no excessive permissions are granted within an AU, conduct periodic audits.
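One form such a periodic audit can take, added here as an example (not code from the original article): enumerate every AU, list who holds which role on it, and flag the cases worth a second look. It assumes the Microsoft.Graph module and a caller with read access to AUs, users and role assignments; the choice to flag Privileged Authentication Administrator and guest principals is this example's, not a Microsoft recommendation.

```powershell
# Added example (not from the original article): review every AU's scoped role
# assignments and membership. Flags guest delegates, Privileged Authentication
# Administrator (which can reset in-scope users' MFA and passwords, admins
# included) and AUs that have delegates but no members or vice versa.
# Assumes the Microsoft.Graph module and read rights on AUs, users and roles.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "RoleManagement.Read.Directory",
                        "User.Read.All", "Directory.Read.All"

# scopedRoleMembers report RoleId as the id of the activated directoryRole, so
# build the name lookup from Get-MgDirectoryRole, not from role definitions.
$roleNames = @{}
Get-MgDirectoryRole -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$findings = foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All)
    $byType  = $members | Group-Object { $_.AdditionalProperties["@odata.type"] } |
               ForEach-Object { "$($_.Name -replace '^#microsoft\.graph\.', ''): $($_.Count)" }
    $summary = if ($byType) { $byType -join ", " } else { "(no members)" }

    $scoped = @(Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All)
    foreach ($s in $scoped) {
        $principalId = $s.RoleMemberInfo.Id
        # The principal may be a user or a group; only users carry UserType.
        $u = Get-MgUser -UserId $principalId -Property Id,UserPrincipalName,UserType -ErrorAction SilentlyContinue
        [pscustomobject]@{
            AU        = $au.DisplayName
            Role      = $roleNames[$s.RoleId]
            Principal = $(if ($u) { $u.UserPrincipalName } else { "$($s.RoleMemberInfo.DisplayName) (group)" })
            IsGuest   = [bool]($u -and $u.UserType -eq "Guest")
            Members   = $summary
        }
    }
    if ($scoped.Count -eq 0) {
        # An AU with members but no delegates is inert; keep it visible so it is
        # either given an owner or removed.
        [pscustomobject]@{ AU = $au.DisplayName; Role = "(none)"; Principal = "-"; IsGuest = $false; Members = $summary }
    }
}

$findings | Format-Table -AutoSize

# Items to act on first: guest delegates and the most powerful scoped role.
$findings | Where-Object { $_.IsGuest -or $_.Role -eq "Privileged Authentication Administrator" } | Format-List
```

Pair the output with the tenant-level assignments of the same principals (Get-MgRoleManagementDirectoryRoleAssignment filtered by principalId); a scoped role held by someone who also has User Administrator at "/" is redundant and hides the real blast radius.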

Conclusion

Administrative Units (AUs) in Microsoft Entra ID provide a way to delegate administrative tasks and responsibilities to specific groups or regions, creating more granular control within the Azure AD environment.

By using AUs, you can limit the scope of administrative permissions, making it easier to manage access to resources while maintaining security and governance.

When using AUs, be sure to carefully design your organizational structure, balance role-based access control, and take advantage of dynamic membership and auditing to optimize your environment.

AUs provide flexibility for large, complex organizations that need to delegate administrative control without compromising the security and integrity of the overall directory.

Rajnish, MCT
