In recent discussions with the Microsoft 365 community, I'm often asked about the native capabilities of Microsoft 365 and how far they can be extended. In these conversations, tenant segmentation and least-privilege access consistently emerge as two of the biggest challenges in large Microsoft environments. And, of course, organizations are always looking for new ways to tighten the overall security of their tenant.
Microsoft’s solution? Azure AD (Entra ID) Administrative Units!
In this article, we'll explore Administrative Units (AUs):
Let's get started!
Administrative Units (AUs, or Admin Units for short) are a feature of Azure AD, and therefore of Microsoft 365, that lets you restrict a role assignment to a defined subset of the tenant's users, groups and devices instead of the whole directory. You may be thinking:
The concept of "units" comes from on-premises Active Directory, where Organizational Units (OUs) structure the directory so that administration can be delegated to different teams and Group Policy can be applied. Administrative Units were meant to mirror this for cloud environments in Azure Active Directory. Unfortunately, the comparison is not 1:1: an OU is a container in a tree that holds objects and carries policy, while an AU is a flat collection used solely as a scope for role assignments. An object lives in exactly one OU but can be a member of any number of AUs, and an AU applies no policy to its members.
Administrative Units have been around since December 2014, when they entered public preview, but for years they could only be managed through the Graph API and PowerShell. Only with general availability in 2020 did management in the Azure Portal arrive.
Before we get into the technical side of things, let’s discuss why AUs might be important for a business:
While Admin Units can help you delegate administration more efficiently, certain constraints restrict their usefulness in some scenarios. Knowing these limitations lets you design an effective administrative strategy, make informed decisions while configuring your tenant, and avoid unwelcome surprises.
Let's look at the inherent limitations of Admin Units you should be aware of while configuring and managing your tenant.
Admin Units let you delegate administrative tasks over a specific subset of objects to specific administrators. However, Admin Units cannot be nested: every AU sits directly under the tenant, and an AU cannot contain another AU. If your organization needs multiple levels of delegation (a country unit containing regional units, say), each level has to be modelled as a separate, flat AU and the objects added to every one of them.
Licensing is another area where Admin Units do not help. Licenses in Azure AD are assigned directly to a user or through group-based licensing; an AU is not a licensing target, and AU membership has no effect on which licenses a user holds. If you want "everyone in this Admin Unit" to receive a particular license, you have to maintain a group with the same membership alongside the AU and keep the two in sync yourself.
SharePoint and OneDrive have no notion of Admin Units. You can add users and groups to an AU, but SharePoint and OneDrive permissions are still managed at the site collection and site level, and the SharePoint Administrator role cannot be scoped to an AU. An AU-scoped admin therefore gains no delegated control over "their" users' sites or OneDrives, which limits how granular access control and governance can be for those workloads.
Managing devices in Intune through Admin Units is not supported at this time. Devices can be members of an AU, but Intune does not use AU scope: delegation in Intune is done with Intune's own RBAC roles and scope tags, so an AU-scoped administrator gains no Intune management rights over the devices in the unit.
From Microsoft’s article “Administrative units in Azure Active Directory” (as of Friday, July 7, 2023): “Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).
For example, a User Administrator scoped to an administrative unit that contains a group can and can't do the following:
This adds another layer of complexity: with every group membership change, every affected user or device must be revisited individually to determine whether it now belongs in the AU or not. It only takes a few hundred users for this to become unmanageable; consider the environments of large organizations with many thousands of employees. Microsoft has announced a preview of Dynamic Administrative Units, which let you define a membership rule over user or device attributes and have the directory maintain the membership for you, but the rules can only target users and devices (not groups) and only a subset of their properties.
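The gap Microsoft describes above is easy to audit. The following Microsoft Graph PowerShell script is an added example (not code from the original article or from Microsoft): it compares the transitive user membership of a group that has been placed in an AU with the AU's own direct membership and lists every user the scoped admin cannot actually manage. The AU name, group name and the `$remediate` switch are hypothetical placeholders.

```powershell
# Added example, not code from the article or from Microsoft: find users of a
# group that sits inside an AU but who are NOT themselves AU members, i.e. the
# people an AU-scoped admin cannot manage. Requires the Microsoft.Graph module;
# the AU and group names are hypothetical.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","GroupMember.Read.All","User.Read.All"

$auName    = "EMEA Operators"   # hypothetical AU
$groupName = "EMEA Sales"       # hypothetical group that was added to the AU

$au    = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"

# Only direct AU members are inside the scoped admin's management scope.
$auMemberIds = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All).Id

# The users the delegating admin probably *thinks* are in scope.
$groupUsers = @(Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' })

$outOfScope = @($groupUsers | Where-Object { $auMemberIds -notcontains $_.Id })

"{0} of {1} users in '{2}' are not direct members of AU '{3}'" -f `
    $outOfScope.Count, $groupUsers.Count, $groupName, $auName
$outOfScope | ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# Remediation (opt in): add the missing users directly to the AU. This has to be
# re-run after every group membership change unless you move to a dynamic AU rule.
$remediate = $false
if ($remediate) {
    foreach ($u in $outOfScope) {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
            -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
    }
}
```

Run it with an account that can read both the AU and the group. A non-empty list is the drift the paragraph warns about; if you keep the AU static, schedule this check after every change to the group rather than relying on memory.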
Later in the article, we learn that:
“Administrative unit-scoped admins can use the Microsoft 365 admin centre for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin centres.”
In practice, this means two things:
Finally, and in my opinion the limitation with the greatest security impact:
“Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin centre, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services.”
This is the crux of the matter. Administrative units constrain what a scoped admin can change, not what they can see: the default user permissions of every member of the tenant allow them to enumerate users, groups and applications across the whole directory through the Azure portal, PowerShell or the Graph API, and AU membership does nothing to filter those reads outside the Microsoft 365 admin center. If one of your objectives is to tighten security and comply with laws and regulations by delegating a portion of the tenant to operators while completely hiding the rest of it from them, AUs are not the answer.
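To see the "management only" scope for yourself, the following Microsoft Graph PowerShell walkthrough is an added example (not from the article or from Microsoft). Part 1, run by a Global Administrator or Privileged Role Administrator, creates an AU, adds one user and grants a delegated operator the User Administrator role scoped to that AU. Part 2, run as the operator, shows that reads still return the whole directory while writes outside the AU are refused. The user principal names and the AU name are hypothetical.

```powershell
# Added example, not code from the article or from Microsoft. Shows that an
# AU-scoped role limits writes, not reads. Requires the Microsoft.Graph module;
# all UPNs and names are hypothetical.

# --- Part 1: run as a Global Administrator / Privileged Role Administrator ---
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$au       = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA Operators" -Description "Delegated scope"
$inScope  = Get-MgUser -UserId "alice@contoso.example"      # will be an AU member
$outScope = Get-MgUser -UserId "bob@fabrikam.example"       # NOT an AU member
$operator = Get-MgUser -UserId "ops-emea@contoso.example"   # the delegated admin

New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($inScope.Id)" }

# Look the built-in role up by name instead of hard-coding its template GUID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# The directoryScopeId is what turns a tenant-wide role into an AU-scoped one.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $operator.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# --- Part 2: sign in again as ops-emea@contoso.example ---
Disconnect-MgGraph
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Visibility is NOT scoped: the operator can enumerate every user in the tenant.
(Get-MgUser -All | Measure-Object).Count

# A write inside the AU succeeds ...
Update-MgUser -UserId $inScope.Id -JobTitle "Sales Lead (EMEA)"

# ... while the same write outside the AU is rejected (Authorization_RequestDenied).
try {
    Update-MgUser -UserId $outScope.Id -JobTitle "Should fail" -ErrorAction Stop
} catch {
    "Out-of-scope write blocked: $($_.Exception.Message)"
}
```

The delegated `User.ReadWrite.All` permission in Part 2 is only the upper bound of what the token may do; the effective rights are the intersection with the operator's directory role, which is why the second update fails while `Get-MgUser -All` succeeds. If the count in Part 2 is the full tenant population, you have confirmed the limitation Microsoft documents: AUs are a write boundary, not a visibility boundary.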
In July 2023 Microsoft announced the rebranding of Azure Active Directory to Microsoft Entra ID. Functionally, it is still the same product. Administrative units have, however, been extended with "Restricted management administrative units," available in public preview, which allow you to "protect specific objects in your tenant from modification by anyone other than a specific set of administrators that you designate." (Microsoft) These invert the usual model: rather than granting a subset of admins rights over a subset of objects, they remove those rights from everyone else, tenant-wide Global Administrators included, for the objects inside the unit. They do not lift the constraints above, though: the restriction must be chosen when the unit is created and cannot be switched on for an existing AU, and reads of the protected objects remain tenant-wide.
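The following Microsoft Graph PowerShell snippet is an added example (not code from the article or from Microsoft) of setting up such a unit. It creates a restricted management administrative unit by setting the Graph property `isMemberManagementRestricted` at creation time, places a hypothetical emergency-access account inside it, and designates one custodian with a User Administrator assignment scoped to the unit. The account names and the unit name are hypothetical.

```powershell
# Added example, not code from the article or from Microsoft. Creates a
# restricted management administrative unit (RMAU): once a user is a member,
# tenant-wide roles, Global Administrator included, can no longer modify that
# user unless they also hold a role scoped to this unit. Requires the
# Microsoft.Graph module; all names and UPNs are hypothetical.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

# isMemberManagementRestricted can only be set when the AU is created; it cannot
# be toggled on an existing AU.
$rmau = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "Tier-0 Emergency Access Accounts"
    description                  = "Only the designated custodians may modify members"
    isMemberManagementRestricted = $true
}

$protected = Get-MgUser -UserId "emergency-access-01@contoso.example"  # object to protect
$custodian = Get-MgUser -UserId "sec-identity-lead@contoso.example"   # designated admin

New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $rmau.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($protected.Id)" }

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $custodian.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/administrativeUnits/$($rmau.Id)"

# Confirm the restriction flag took effect on the created object.
(Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $rmau.Id).AdditionalProperties.isMemberManagementRestricted

# Verification to run afterwards: a tenant-wide Global Administrator who is NOT the
# custodian should now receive Authorization_RequestDenied from
#   Update-MgUser -UserId $protected.Id -AccountEnabled:$false
# while the same call from $custodian succeeds. Reading the account is still
# possible for everyone, exactly as with an ordinary AU.
```

Assign the custodian role before you rely on the unit: after creation, nobody without a role scoped to the RMAU can modify its members, and that includes the administrator who created it.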
In summary, Administrative Units in Microsoft 365 are a useful feature for delegating management of tenant resources despite their current limitations. They allow administrative tasks to be delegated and add necessary structure to your tenant. However, implementing them successfully demands careful planning, regular review of their membership, and sound change management. Could segmenting your tenant be the answer?
Overcome the limitations of AUs with CoreView. Our Virtual Tenants™ allow you to:
Sound too good to be true? Hear from Dean Gilau, Microsoft 365 expert and administrator at Cloud Essentials, as he discusses how he transformed the tenant of a 9,000-employee, multinational pharmaceutical company to meet its need for both security and control, in this 25-minute, on-demand webinar. Watch now.
If you’d like to learn more about CoreView’s Virtual Tenant solution, take a tour of CoreView to see how it works.
Like the article? Send your feedback to me at email@example.com. Ciao!