Cyber Intelligence
Plan and Implement Identity Governance · 25-30% of exam

L18. Administrative Units and Delegated Administration


Implement administrative units for the SC-300: create AUs to scope admin role assignments, configure dynamic membership rules for AUs, understand restricted management administrative units, and design a delegated administration model for large enterprises.

What Are Administrative Units?

Administrative units (AUs) are containers in Entra ID that restrict the scope of admin role assignments to a defined subset of users, groups, or devices. Without AUs, admin roles apply tenant-wide. With AUs, you can grant someone the User Administrator role but only for users in a specific department or region. Licensing: Entra ID P1 required for AU management; P2 for dynamic AUs.

Why Use Administrative Units?

In large enterprises, different teams manage different populations of users:

  • Regional IT: Manages users in their geographic region
  • Department admins: Manage users in their department
  • Help desk tiers: Different teams handle different user populations

AUs enable this delegation without granting tenant-wide admin privileges.

Creating Administrative Units

AUs can contain:

  • Users
  • Groups
  • Devices

Membership Types

  Type             Description                                            License
  Assigned         Members manually added by an admin                     P1
  Dynamic User     Users automatically added based on attribute rules     P2
  Dynamic Device   Devices automatically added based on attribute rules   P2

Dynamic AU membership rules use the same syntax as dynamic groups:

  (user.department -eq "Engineering") -and (user.country -eq "US")

Exam tip: Dynamic AUs require Entra ID P2, while assigned AUs only need P1. This licensing distinction is commonly tested.

Scoping Role Assignments

After creating an AU, you assign admin roles scoped to that AU:

  1. Navigate to the AU
  2. Select Roles and administrators
  3. Assign a role (e.g., User Administrator) to a user or group
  4. The assignment applies only to objects within that AU

Supported roles for AU scoping:

  • Authentication Administrator
  • Groups Administrator
  • Helpdesk Administrator
  • License Administrator
  • Password Administrator
  • User Administrator

Exam tip: Not all Entra ID roles can be scoped to an AU. Global Administrator and Security Administrator, for example, are always tenant-wide. Know which roles support AU scoping for the exam.

Restricted Management Administrative Units

Restricted management AUs provide enhanced protection for sensitive accounts:

  • Only admins explicitly assigned to the restricted AU can manage its members
  • Tenant-level admins (including Global Administrators) cannot manage objects in a restricted AU unless they are specifically assigned a role on that AU
  • This protects sensitive accounts (like executives) from being modified by broadly-scoped administrators

Exam tip: Restricted management AUs are the only way to prevent even Global Administrators from managing specific users. This is a critical concept for protecting executive accounts or sensitive service accounts.
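As an added example (not code from the course page), here is how a restricted management AU for executive accounts is created and delegated with the Microsoft Graph PowerShell SDK. The UPN ceo@contoso.example and the group "Executive Support Admins" are placeholders; the restriction flag can only be set when the AU is created.

```powershell
# Added example: restricted management AU for executive accounts (Microsoft Graph PowerShell SDK).
# Placeholders: ceo@contoso.example (executive UPN), "Executive Support Admins" (delegated admin group).
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All", "Group.Read.All"

# 1. Create the AU with restricted management enabled. This property is set at creation
#    time only; you cannot switch it on for an existing AU. Assigned membership needs only P1.
$execAu = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "AU-Executives-Restricted"
    description                  = "Executive accounts; only admins assigned on this AU can manage them"
    isMemberManagementRestricted = $true
}

# 2. Add the executive account as a member (placeholder UPN).
$exec = Get-MgUser -Filter "userPrincipalName eq 'ceo@contoso.example'"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $execAu.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($exec.Id)"
}

# 3. Explicitly assign the admins who are allowed to manage these accounts. Until this
#    step is done, tenant-wide admins (Global Administrator included) cannot modify the members.
$roleDef    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$execAdmins = Get-MgGroup -Filter "displayName eq 'Executive Support Admins'"
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $execAdmins.Id `
    -DirectoryScopeId "/administrativeUnits/$($execAu.Id)"

# 4. Confirm the restriction flag and the membership before handing the AU over.
Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $execAu.Id -Property displayName,isMemberManagementRestricted |
    Select-Object DisplayName, IsMemberManagementRestricted
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $execAu.Id | Select-Object Id
```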

Design Patterns

Geographic Delegation

Create AUs by region (US, EU, APAC) with dynamic membership based on the country attribute. Assign regional IT staff as User Administrators scoped to their region's AU.
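The geographic pattern above, carried through the dynamic membership rule and the AU-scoped role assignment from the earlier sections, as an added example (not the course page's own code) using the Microsoft Graph PowerShell SDK. The group "US Regional IT" is a placeholder assumed to exist already.

```powershell
# Added example: dynamic regional AU plus an AU-scoped User Administrator assignment.
# Placeholder: a security group named "US Regional IT" holds the regional IT staff.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Group.Read.All"

# 1. Create the AU with a dynamic user rule (same syntax as dynamic groups; dynamic AUs
#    need the higher licence tier noted in the membership table).
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = "AU-US-Users"
    description                   = "All users whose country attribute is US"
    membershipType                = "Dynamic"
    membershipRule                = '(user.country -eq "US")'
    membershipRuleProcessingState = "On"   # "Paused" keeps the rule but stops evaluating it
}

# 2. Resolve the built-in User Administrator role by display name instead of hard-coding its ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# 3. Resolve the delegated admin group (placeholder name).
$regionalIt = Get-MgGroup -Filter "displayName eq 'US Regional IT'"

# 4. Assign the role with the AU as directory scope. A scope of "/" would be tenant-wide,
#    which is exactly what this delegation model is meant to avoid.
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $regionalIt.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Review every assignment this principal holds: anything with DirectoryScopeId "/"
#    is a tenant-wide grant that undermines the AU scoping and should be investigated.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($regionalIt.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```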

Departmental Delegation

Create AUs by department with dynamic membership based on the department attribute. Assign department managers as Helpdesk Administrators scoped to their department's AU.

Tier-Based Help Desk

Create AUs by support tier. Tier 1 helpdesk can reset passwords for standard users (AU1). Tier 2 can manage users in privileged groups (AU2). Neither tier has tenant-wide access.

Limitations

  • AUs do not support nesting (an AU cannot contain another AU)
  • AUs do not appear in the Azure portal resource hierarchy
  • A user, group, or device can be a member of multiple AUs simultaneously
  • AUs are for Entra ID role scoping only: they do not affect Azure RBAC (subscription/resource roles)

Exam tip: Administrative units scope Entra ID directory roles only. They have no effect on Azure resource-level RBAC. If a question asks about scoping Azure subscription permissions, the answer involves management groups or resource group RBAC, not AUs.


Exam Focus Points

  • AUs restrict the scope of admin role assignments to a defined subset of users, groups, or devices
  • Dynamic AU membership requires P2; assigned AUs only need P1 licensing
  • Restricted management AUs prevent even Global Administrators from managing members unless explicitly assigned
  • AUs scope Entra ID directory roles only: they have no effect on Azure resource RBAC
  • Not all roles support AU scoping: Global Administrator and Security Administrator are always tenant-wide
  • A user can be a member of multiple AUs simultaneously; AUs cannot be nested

Knowledge Check

1. What is unique about restricted management administrative units?

2. A regional IT team needs to manage user accounts only in their country. What should you configure?

3. Which of these Entra ID roles can be scoped to an administrative unit?