In recent discussions with the Microsoft 365 community, I’m often asked about the native capabilities of Microsoft 365 and the potential for extending those capabilities. In these conversations, tenant segmentation and least privileged access consistently emerge as some of the major challenges plaguing large Microsoft environments. And, of course, organizations are always looking for new ways to tighten the overall security of their tenant.  

Microsoft’s solution? Azure AD (Entra ID) Administrative Units!

In this article, we'll explore Administrative Units (AUs):

• Limitations of Admin Units
• Why use Admin Units
• Alternative solutions for tenant segmentation

Let's get started!

What are Admin Units?

Admin Units, also known as Administrative Units (or AUs, for short), are a powerful feature within Microsoft 365 that enables administrators to organize and manage their tenant's resources more efficiently. You may be thinking:  

• Can all types of resources (for example, users, groups, devices etc.) be managed through administrative units?  
• Are there any limitations that come with them?  
• Is there anything that can extend AUs capabilities?  

Let’s explore.

The concept of “units” was (and still is) used primarily for on-premises environments. You can structure how you manage Active Directory by creating “Organizational Units” (OUs) to help delegate administration to various parties and apply policies. Administrative Units (AUs) were meant to mirror this for cloud environments using Azure Active Directory. Unfortunately, it is not as simple as looking at a 1:1 comparison between both.  

Administrative Units are available as a public preview since December 2014, but the management of AUs was limited to Graph API and PowerShell. As of 2020 you can manage them via the Azure Portal.

Why consider implementing Administrative Units?

Before we get into the technical side of things, let’s discuss why AUs might be important for a business:  

1. You’re required to comply with any laws and internal/external regulations and maintain your overall security posture.
   Your organization may need to adhere to strict compliance regulations, meaning that whoever is working with personally identifiable information (“PII”) data can only see and/or manage a portion of data that is directly connected to their scope of work.  
2. You want to remove bottlenecks and improve efficiency.
   By cutting off access to the entirety of the M365 tenant but still empowering your employees to work autonomously on their “bucket” of information, you are helping remove unnecessary bottlenecks and speeding up the delivery/resolution times.
3. It’s a best practice to keep your environment logically organized and tidy.
   ‍I know… this one should not need any additional commentary! Except that “housekeeping” is often overlooked. Unfortunately, over time, poor housekeeping produces many errors and frustrations for IT teams. This can be avoided if the environment is “sliced and diced” in an easily manageable (and reversible!) way.  

Limitations of Admin Units

While Admin Units can help you manage resources more efficiently, certain constraints may restrict their usability in some scenarios. Being aware of these limitations means you can design an effective administrative strategy, make informed decisions while you’re configuring your tenant, and avoid any unwelcome surprises.  

Let's uncover some of the inherent limitations of Admin Units that you should be cognizant of during your tenant configuration and management activities.

Lack of hierarchy

Admin Units provide a means to delegate administrative tasks to specific groups within an organization. However, it's important to note that Admin Units cannot be nested. This means that if you have complex organizational structures requiring multiple levels of delegation, you may face limitations when utilizing Admin Units.  

Difficulties with license assignment

Assigning licenses to users can become challenging when working with Admin Units. As of now, license assignment is primarily based on the user's location in the tenant's hierarchy, rather than their association with an Admin Unit. This can pose difficulties when you want to assign specific licenses to users within a particular Admin Unit, independent of their position in the hierarchy.  

Limitations in SharePoint and OneDrive

When it comes to SharePoint and OneDrive, some limitations exist regarding the application of Admin Units. While you can assign users and groups to Admin Units, SharePoint and OneDrive permissions are still managed at the site collection and site level, rather than directly tied to Admin Units. This can impact the granularity of access control and governance within SharePoint and OneDrive.  

Lack of Support for Device Management in Intune

Managing devices in Intune is not supported at this time.  

Complexities of User and Group Property Management

From Microsoft’s article “Administrative units in Azure Active Directory” (as of Friday, July 7, 2023): “Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).

For example, a User Administrator scoped to an administrative unit that contains a group can and can't do the following:

Permissions	Can do
Manage the name of the group
Manage the membership of the group
Manage the user properties for individual members of the group
Manage the user authentication methods of individual members of the group
Reset the passwords of individual members of the group

The above adds another layer of complexity and means that with every distinct group membership change, every single user or device must be manually revisited (!) to determine if they belong to the correct AU or not. It only takes a few hundred users in a tenant to lose track of such changes, ... consider environments of large organizations with thousands and thousands of employees! Microsoft announced a preview of Dynamic Administrative Units to implement rules, specify a query based on user or device attributes and then maintain the membership for you, but it is still limited to only a subset of properties that you can work with to set this up.

Later in the article, we learn that:  

“Administrative unit-scoped admins can use the Microsoft 365 admin centre for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin centres.”

In practice, this means two things:  

1. You must make sure that your administrators are highly skilled operators with fluent PowerShell/Graph expertise  
2. It will take significantly longer for your IT superheroes to execute tasks that could take seconds. PowerShell/Graph scripting takes time, even using basic cmdlets, triple checking that the script is not going to harm the environment and cause any security breaches or monetary loss to the organization

Lingering Security Implications

Finally, and in my opinion the most vulnerable fact about Administrative Units:  

“Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin centre, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services.”  

The fact above is mission critical. If one of our objectives is to tighten the security of our environment and be compliant with laws and regulations, then AUs will not be an answer for a challenge where organizations seek to delegate a portion of the tenant(s) to operators and completely lock them out from visibility on the entirety of it.

1. Planning and Design: Creating an effective Admin Unit structure requires careful planning and consideration of your organization's hierarchy, business requirements, and future scalability. It is important to define clear boundaries for each Admin Unit and ensure that they align with your organization's structure and policies.  
2. User and Group Management: Maintaining user and group memberships within Admin Units can be a challenge, especially in large organizations with dynamic user movements. Regularly reviewing and updating Admin Unit memberships is essential to ensure accurate access control and delegation.  
3. Change Management: Introducing Admin Units to an existing Microsoft 365 environment may require adjustments to the existing configuration, security settings, and user permissions. Communicating these changes effectively and managing user expectations are crucial to minimize disruption and ensure a smooth transition.

In July 2023 Microsoft announced the rebranding of Azure Active Directory to Entra ID. Functionally, it is still the same product. However, administrative units have been extended by “Restricted management administrative units,” available in public preview, which allow you to “protect specific objects in your tenant from modification by anyone other than a specific set of administrators that you designate.” (Microsoft) Unfortunately, they still seem to be limited to a specific set of attributes for that designation, for example, country-level administrators.

So what?  

In summary, Administrative Units within Microsoft 365 present a potent feature in managing tenant resources effectively despite the current limitations. They allow for delegation of administrative tasks and add necessary structure to your tenant. However, their successful implementation demands careful planning, regular updating, and apt change management. Could segmenting your tenant be the answer?

Overcome the limitations of AUs with CoreView. Our Virtual Tenants™ allow you to:  

• Simply slice and dice your tenant(s) based on different attributes, phone numbers, devices, SharePoint sites, etc.
• Dynamically adjust those “slices” to mirror changes in your environment.
• Restrict your operators to only see and manage a portion of your tenant—no scripting or admin privileges required!

Sound too good to be true? Hear from Dean Gilau, Microsoft 365 expert and administrator at Cloud Essentials, as he discusses how he transformed a 9,000-employee, multinational pharmaceutical company to address their need for both security and control in this 25-minute, on-demand webinar. Watch now.

If you’d like to learn more about CoreView’s Virtual Tenant solution, take a tour of CoreView to see how it works.

Like the article? Send your feedback to me at kasia.nowicka@coreview.com. Ciao!