Administrative units in Azure AD
Administrative units are an Azure AD feature. An administrative unit contains only users, groups or devices, and it is used to restrict the scope of a role assignment to those objects instead of the whole tenant. A user can be a member of several administrative units (one per division and one per country, for example).
Administrative units cannot be nested. Administrators scoped to an administrative unit cannot create or delete user accounts. Adding a group to an administrative unit adds the group object itself to the administrative unit's management perimeter; the members of the group are not added to that perimeter. An administrator scoped to the administrative unit can therefore perform only the following operations on the group:
- Manage the name of the group
- Manage the membership of the group
Administrative units require an Azure AD Premium P1 license for each administrative unit administrator. Members of an administrative unit only need an Azure AD Free license.
Manage administrative units
Administrative units can be managed with the Azure portal, PowerShell cmdlets, scripts or the Microsoft Graph API.
Create administrative units
To create administrative units, the licenses must be assigned first: Azure AD Premium P1 to the administrative unit administrator and Azure AD Free to the members. The Privileged Role Administrator or Global Administrator role is a prerequisite for creating administrative units.
From the Azure portal, select Azure Active Directory, then Administrative units. Click Add to create a new administrative unit.
Enter the name, then click Next.
Select the desired roles, then add the desired User Administrator. Click Add, then Review + Create.
The administrative unit is created.
Add Azure AD object
Select the desired administrative unit, then click the desired object type (Users, Groups or Devices) and click Add member. I chose the User Administrator role, so I add user accounts.
Select the desired object, then click Select. The object is added to the administrative unit.
Add administrator of Administrative unit
From the Azure portal, click Azure Active Directory, then Roles and administrators. Select the desired role.
Click Add assignments in the central blade.
Select Administrative unit as the Scope type, then select a user.
Click No scope selected, then select the desired administrative unit.
The account has been added as an administrator scoped to that administrative unit.
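The same three steps (create the unit, add members, assign a scoped User Administrator) can be scripted. The block below is an added example written for this page with the AzureAD PowerShell module; it is not code from the original article. It assumes the AzureAD module is installed, that you sign in as a Privileged Role Administrator or Global Administrator, and that the unit name and the contoso.com user principal names are placeholders to replace with your own.

```powershell
# Added example: provision an administrative unit with the AzureAD module.
# Assumptions: AzureAD module installed, caller is Privileged Role Administrator
# or Global Administrator, names and UPNs below are placeholders.
Import-Module AzureAD
Connect-AzureAD

$auName      = 'AU-France-Users'                          # placeholder
$memberUpns  = @('alice@contoso.com', 'bob@contoso.com')  # placeholder members
$scopedAdmin = 'au-admin@contoso.com'                     # placeholder scoped admin

# 1. Create the administrative unit, or reuse it if it already exists.
$au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) {
    $au = New-AzureADMSAdministrativeUnit -DisplayName $auName `
              -Description 'Users managed by the French helpdesk'
}

# 2. Add the users to the administrative unit.
foreach ($upn in $memberUpns) {
    $user = Get-AzureADUser -ObjectId $upn
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# 3. Assign the User Administrator role scoped to the unit.
#    Get-AzureADDirectoryRole only lists roles already activated in the tenant,
#    so activate it from its template when it has never been used.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'User Administrator' }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
                Where-Object { $_.DisplayName -eq 'User Administrator' }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$admin = Get-AzureADUser -ObjectId $scopedAdmin
$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$roleMember.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember

# 4. Verify: who is in the unit, and who administers it.
Get-AzureADMSAdministrativeUnitMember -Id $au.Id |
    ForEach-Object { Get-AzureADUser -ObjectId $_.Id } |
    Select-Object DisplayName, UserPrincipalName
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object RoleId, @{ n = 'Member'; e = { $_.RoleMemberInfo.UserPrincipalName } }
```

The scoped administrator does not have to be a member of the unit; the role assignment and the membership are independent. The AzureAD module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, which exposes the same operations under the Microsoft.Graph.Identity.DirectoryManagement cmdlets.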
Test Administrative unit
We can now test the administrative unit. I signed in to the Azure portal with my user account. This user has no tenant-wide administrative rights; it is only a User Administrator scoped to the administrative unit.
The user has no rights on the Devices blade.
I try to edit the properties of a user who is outside the scope of the administrative unit. The change is refused.
If I try to edit the properties of a user inside the scope, the operation succeeds.
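The same check can be run from PowerShell while signed in as the scoped administrator, which makes the refusal explicit instead of a greyed-out portal button. This is an added example, not code from the original article; it assumes the AzureAD module, a sign-in as the administrative-unit-scoped User Administrator, and placeholder contoso.com accounts (one inside the unit, one outside it).

```powershell
# Added example: probe the scope of an AU-scoped User Administrator.
# Assumptions: AzureAD module installed, Connect-AzureAD is answered with the
# scoped administrator's credentials, UPNs are placeholders.
Import-Module AzureAD
Connect-AzureAD   # sign in as the scoped User Administrator, not a Global Admin

function Test-ScopedEdit {
    param([Parameter(Mandatory)][string]$Upn)

    # Reading a user works for every member (default user permissions),
    # so only the write below tells us whether the user is in scope.
    $user = Get-AzureADUser -ObjectId $Upn
    $dept = if ($user.Department) { $user.Department } else { 'Probe' }
    try {
        # Rewrite an attribute with (almost) the same value to test write access.
        Set-AzureADUser -ObjectId $user.ObjectId -Department $dept -ErrorAction Stop
        [pscustomobject]@{ User = $Upn; Result = 'modification allowed' }
    }
    catch {
        # Out-of-scope objects are refused with Authorization_RequestDenied.
        [pscustomobject]@{ User = $Upn; Result = "refused: $($_.Exception.Message)" }
    }
}

Test-ScopedEdit -Upn 'alice@contoso.com'    # member of the unit: expected allowed
Test-ScopedEdit -Upn 'charlie@contoso.com'  # outside the unit: expected refused
```

Because the probe writes the Department attribute, run it against test accounts, and note that an account with an empty Department ends up with the value Probe; pick another attribute if that matters in your tenant.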