An administrative unit (AU) in Azure AD is a container that can hold users, groups, and other AUs. You can delegate administrative responsibilities by assigning roles at the AU level, thus confining the permissions to that specific unit. For example, a departmental IT admin can be given control over user accounts within their department’s AU without extending that control to the entire Azure directory.
Here’s how to create an administrative unit:
Once an AU is created, you can start adding members or other groups to that unit.
To add members such as users or groups to an AU, follow these steps:
Role assignment in AUs is what enables administrators to manage specific tasks within their domain of responsibility:
| Role | Permission Level | Example Use Case |
|---|---|---|
| User Administrator | Manage users and reset passwords | Department IT support |
| Groups Administrator | Manage group memberships and settings | Project team leaders |
| Application Administrator | Manage application registrations | Central IT application support team |
| Global Reader | Read-only access across the directory | Auditors or compliance officers |
By tailoring these role assignments, organizations can give each support structure the administrative access it needs without compromising broader security or administrative control.
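The procedure described above (create an AU, add a member, then assign a role scoped to that AU) as an added PowerShell example that is not from the original page. It uses the Microsoft Graph PowerShell SDK; the AU name and the two user principal names are placeholders for your own tenant.

```powershell
# Added example: delegate the built-in User Administrator role over one
# department by scoping the assignment to an administrative unit (AU).
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# "Finance-AU" and the *@contoso.example UPNs below are placeholders.

# Permissions needed to create AUs, add members and create role assignments.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# 1. Create the administrative unit for the department.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Finance-AU" `
        -Description "Finance department user accounts"

# 2. Add a department user as a member of the AU.
$member = Get-MgUser -UserId "finance.user@contoso.example"   # placeholder UPN
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)"
}

# 3. Assign User Administrator to the delegate, scoped to the AU only.
#    The role is looked up by display name instead of hard-coding its template id.
$delegate = Get-MgUser -UserId "it.delegate@contoso.example"   # placeholder UPN
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition `
              -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $delegate.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify the scope: DirectoryScopeId must be the AU path, not "/" (tenant-wide).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($delegate.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The final query is the check worth keeping in a review script: any assignment whose DirectoryScopeId is "/" grants the role across the whole directory rather than the intended unit.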
Administrative units enable organizations to delegate administrative tasks with a level of precision suitable to their structural complexity. By allowing role assignments within a confined scope, AUs can help maintain a secure and orderly Azure environment, ensuring that administrative access is distributed appropriately without unnecessary elevation of permissions. This contributes towards a minimized risk footprint and adherence to the principle of least privilege in access management.
Administrative Units are designed primarily to delegate administrative tasks on users, groups, and devices, not Azure resources like VMs or storage accounts.
Answer: A
Global Administrators have the necessary permissions to create Administrative Units in Azure.
Azure allows the name of an Administrative Unit to be changed after its creation through the Azure portal, PowerShell, or the Azure AD Graph API.
Answer: D
Various Azure AD roles, including but not limited to the ones listed, can be scoped to Administrative Units.
Administrative Units in Azure AD cannot be nested within each other unlike Organizational Units in Active Directory.
Answer: D
At the time of writing, an Azure AD organization can have up to 500 Administrative Units.
A user can be assigned the same role in multiple Administrative Units, allowing for granular access control across different units.
Answer: B
The Administrative Units feature requires an Azure AD Premium P1 or P2 license.
The Global reader role has view-only permissions and can see Administrative Units but is not able to manage them.
Answer: B
Administrative Units scope administrative tasks, such as resetting passwords for users, rather than managing Azure resources or roles on resources.
At the time of writing, only built-in roles can be scoped to Administrative Units. Custom roles are not supported.
Answer: B
A common use case for Administrative Units is to delegate permissions to manage users and groups within specific departments or geographic regions.
Administrative units (AUs) in Azure AD are used to organize and delegate administrative tasks to specific groups of administrators. AUs allow you to control access to specific groups of users, devices, or applications within your organization.
To create an administrative unit in Azure AD, you can navigate to the “Azure Active Directory” section in the Azure portal, select “Administrative units”, and then click on “+ New”. You can then enter a name and description for the administrative unit, and add members and roles as needed.
The purpose of creating administrative units in Azure AD is to provide better organization and control over Azure AD resources, and to efficiently delegate administrative tasks to specific groups of administrators.
Yes, you can assign custom roles to members of an administrative unit in Azure AD. Azure AD has built-in roles that you can use, or you can create custom roles as needed.
You can manage the members of an administrative unit in Azure AD by navigating to the “Members” tab of the administrative unit, and then adding or removing members as needed.
Yes, you can assign more than one role to a member of an administrative unit in Azure AD, depending on the specific permissions and tasks required.
You can control access to specific groups of users, devices, or applications within your organization using administrative units in Azure AD.
To assign an administrative unit to an Azure AD application, you can navigate to the “Applications” section of the Azure AD portal, select the application you want to assign the administrative unit to, and then select the “Administrative units” option. From there, you can assign the administrative unit to the application.
To delete an administrative unit in Azure AD, you can navigate to the “Administrative units” section of the Azure AD portal, select the administrative unit you want to delete, and then click on the “Delete” button. You will be prompted to confirm the deletion before the administrative unit is deleted.
Yes, you can create a nested administrative unit in Azure AD to further organize and delegate administrative tasks.
You can view the members of an administrative unit in Azure AD by navigating to the “Members” tab of the administrative unit in the Azure AD portal.
Yes, you can assign roles to an entire administrative unit in Azure AD by navigating to the “Roles” tab of the administrative unit and then selecting the roles you want to assign.
To assign an administrative unit to a group in Azure AD, you can navigate to the “Groups” section of the Azure AD portal, select the group you want to assign the administrative unit to, and then select the “Administrative units” option. From there, you can assign the administrative unit to the group.