An administrative unit (AU) is a container that helps organizations scope administrative permissions to a subset of users. This is useful for large organizations with multiple departments, offices, or different geographical locations, as it allows them to delegate administration tasks while maintaining control over what administrators can do within their scope.
To create an administrative unit, an Azure AD Premium P1 or P2 license is required. Here are the steps to create an AU:
Once an administrative unit has been created, the next step is adding members and assigning roles:
Administrative roles can be scoped to an AU, such that an administrator will only manage a subset of users and resources.
Azure Active Directory offers a variety of roles that can be scoped to administrative units. Here is a comparison:
| Role | Description | Scope |
|---|---|---|
| User Administrator | Manages identity features like users and groups | Can be scoped to AU |
| Helpdesk Administrator | Manages user passwords and support tickets | Can be scoped to AU |
| Groups Administrator | Manages group properties and memberships | Can be scoped to AU |
| Application Administrator | Manages application registrations and attributes | Can be scoped to AU |
Azure PowerShell can also be used to manage administrative units. Administrators can automate the creation, editing, and deletion of AUs along with managing members and roles.
Example commands:
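The automation described above, as an added example that is not part of the original page: create an AU, populate it, and scope the User Administrator role to it so the delegated admin's rights stop at the AU boundary. It assumes the AzureAD PowerShell module is installed and Connect-AzureAD can sign in with sufficient privilege; the AU name, department filter and UPN are constructed placeholders.

```powershell
# Added example (not from the original page): delegate user administration for one
# office with the AzureAD module's *-AzureADMS* cmdlets.
# "Seattle Office", the department filter and the UPN below are constructed placeholders.
Connect-AzureAD

# 1. Create the administrative unit.
$au = New-AzureADMSAdministrativeUnit -DisplayName "Seattle Office" `
        -Description "Users managed by the Seattle helpdesk"

# 2. Add the users the AU should contain (here: everyone in one department).
$members = Get-AzureADUser -Filter "department eq 'Seattle'"
foreach ($m in $members) {
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $m.ObjectId
}

# 3. Scope the User Administrator role to the AU for the delegated admin.
#    Get-AzureADDirectoryRole only returns roles already activated in the tenant,
#    so activate it from its template if it is missing.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq "User Administrator"
if (-not $role) {
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq "User Administrator"
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}
$admin = Get-AzureADUser -ObjectId "seattle.admin@contoso.example"   # placeholder UPN
$info = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$info.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $info

# 4. Verify: the assignment is recorded on the AU, not as a tenant-wide role membership.
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object RoleId, @{ n = 'Member'; e = { $_.RoleMemberInfo.DisplayName } }
```

The check in step 4 is the one to repeat during reviews: a User Administrator assignment that appears under Get-AzureADDirectoryRoleMember instead of the AU's scoped memberships is tenant-wide, not delegated.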
Using administrative units offers several advantages:
Understanding and managing administrative units is an essential skill for Azure security and a competency area in the AZ-500 Microsoft Azure Security Technologies exam. By effectively managing administrative units, organizations can ensure that administration is delegated securely, aligning with the principles of least-privilege access and role-based administration. AUs help maintain order and clarity in large organizations, enabling granular control over resources and user management in Azure Active Directory.
Answer: False
Explanation: Administrative units can be managed using the Azure Portal, but they can also be managed via PowerShell and Azure AD Graph API.
Answer: Administrative Unit Administrator
Explanation: An Administrative Unit Administrator role is specifically designated for managing members within an administrative unit.
Answer: False
Explanation: Administrative units are scoped to a single Azure AD organization and cannot contain users from multiple organizations.
Answer: All of the above
Explanation: Administrative units can be used to manage users, groups, and roles within the defined scope of the administrative unit.
Answer: True
Explanation: Administrative units allow for a more granular delegation of administrative tasks to users without needing to grant them full administrative rights.
Answer: By assigning roles to other members within the administrative unit
Explanation: Members of an administrative unit can manage access to resources by assigning roles to other members within the scope of the administrative unit.
Answer: Yes, if they have the Administrative Unit Administrator role
Explanation: A user with the Administrative Unit Administrator role can add members to that administrative unit.
Answer: True
Explanation: Users can be members of multiple administrative units simultaneously, allowing for flexible administrative control.
Answer: New-AzureADAdministrativeUnit
Explanation: The cmdlet New-AzureADAdministrativeUnit is used to create a new administrative unit in Azure AD.
Answer: True
Explanation: At the time of writing, administrative units primarily focus on the management of user and group objects, but do not extend to the management of device objects within Azure AD.
Answer: There is no limit
Explanation: At the time of writing, there is no specified limit to the number of administrative units that can be created in a single Azure AD organization.
Answer: False
Explanation: Administrative units do not support nesting. An administrative unit cannot contain another administrative unit within its structure.
Administrative units in Azure AD are a way to organize resources and manage access to those resources. With administrative units, you can delegate administrative control to specific groups of users, allowing them to manage only the resources that are relevant to their roles in the organization.
You can associate various types of resources with an administrative unit in Azure AD, including users, groups, applications, and devices.
To create an administrative unit in Azure AD, you need to log in to the Azure portal, select Azure Active Directory, and then select “Administrative units.” From there, you can create a new administrative unit, provide a name, select the resource type you want to associate with it, and assign users or groups to the administrative unit.
Assigning permissions to an administrative unit in Azure AD allows you to give users or groups access to resources. By assigning permissions, you can control what users can and cannot do within the administrative unit.
To add or remove members from an administrative unit in Azure AD, you need to go to the unit’s settings in the Azure portal and select “Members.” From there, you can add or remove members as needed.
A nested administrative unit in Azure AD is an administrative unit that is created within another administrative unit. This allows you to create a hierarchical structure that mirrors the organization’s structure.
To move resources from one administrative unit to another in Azure AD, you need to go to the resource’s settings in the Azure portal and select “Administrative unit.” From there, you can select the new administrative unit to which you want to move the resource.
Common use cases for using administrative units in Azure AD include delegating administrative control to specific groups of users, simplifying access management, and ensuring compliance with security and privacy regulations.
To assign administrative permissions to an administrative unit in Azure AD, you need to go to the unit’s settings in the Azure portal and select “Administrative permissions.” From there, you can assign permissions to users or groups as needed.
You can monitor administrative activity in Azure AD using the audit logs, which provide information about changes made to administrative units and other resources. The audit logs can be accessed from the Azure portal.