
Administrative units

This page covers administrative units at a high level and how administrators can use them to restrict delegated permissions to a single portion of the organisation rather than the whole tenant.

What is an administrative unit?

Administrative units are containers for Entra objects: users, groups and devices. A role assigned at the scope of an administrative unit applies only to the objects inside it, so administrators can delegate roles over a defined portion of the organisation instead of the whole directory. A user can be a member of multiple administrative units, which gives flexibility in how you carve up the tenant.

Example

For example, if you create an administrative unit per geographical region, you can assign the User Administrator role scoped to each region's unit, so each group of local IT admins manages only their own users and holds no rights over users elsewhere in the tenant.

Groups

Groups can be added to admin units, but adding a group brings only the group object itself into the unit's management scope, not its members. A unit-scoped administrator can manage the group's properties, such as its name and membership, but cannot manage the users or devices that belong to it unless those objects are added to the administrative unit in their own right.
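The gotcha above is easy to miss in a large tenant: a group sits in the unit, but most of its members do not. The following is an added example, not code from the original page, that reports every member of a group in an administrative unit who is not also a direct member of that unit. It assumes an existing Connect-MgGraph session with AdministrativeUnit.Read.All, Group.Read.All and Directory.Read.All, and uses the page's own "UK South Objects" unit name for the usage call.

```powershell
# Added example: find members of groups in an admin unit that the unit does not cover.
# Assumes you have already run Connect-MgGraph with AdministrativeUnit.Read.All,
# Group.Read.All and Directory.Read.All; the cmdlets come from the
# Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Groups modules.
function Get-UnscopedGroupMembers {
    param([Parameter(Mandatory)][string]$AdminUnitDisplayName)

    $au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AdminUnitDisplayName'"
    if (-not $au) { throw "Administrative unit '$AdminUnitDisplayName' not found" }
    if (@($au).Count -gt 1) { throw "More than one administrative unit is named '$AdminUnitDisplayName'" }

    # Direct members of the unit; @odata.type says whether each one is a user, group or device
    $members   = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
    $directIds = [System.Collections.Generic.HashSet[string]]::new()
    $groups    = @()
    foreach ($m in $members) {
        if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
            $groups += $m
        } else {
            [void]$directIds.Add($m.Id)
        }
    }

    # For each group in the unit, list the members a unit-scoped admin cannot manage
    foreach ($g in $groups) {
        foreach ($gm in (Get-MgGroupMember -GroupId $g.Id -All)) {
            if (-not $directIds.Contains($gm.Id)) {
                [pscustomobject]@{
                    Group      = $g.AdditionalProperties['displayName']
                    MemberName = $gm.AdditionalProperties['displayName']
                    MemberType = ($gm.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                    MemberId   = $gm.Id
                }
            }
        }
    }
}

Get-UnscopedGroupMembers -AdminUnitDisplayName 'UK South Objects' | Format-Table -AutoSize
```

Nested groups show up in the output with MemberType "group"; they are outside the unit too, and their own members are not expanded here. Anything the report lists is managed only by tenant-wide role holders, which is usually the opposite of what the regional delegation was meant to achieve.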

Restricted management Administrative units

Restricted management administrative units limit who can modify the objects they contain: only administrators holding a role scoped to that unit can manage its members, and holders of the same role at tenant scope cannot. This is useful for protecting highly privileged or VIP users whose accounts you want to keep out of reach of every helpdesk administrator in the tenant.

You can also use these to restrict management of sensitive security groups to only specific administrators.

Management

To manage or modify the objects within a restricted management administrative unit you must be assigned a role that is scoped to that unit; tenant-wide assignments of the same role, including Global Administrator, do not apply to its members. Creating or deleting a restricted management administrative unit requires Global Administrator or Privileged Role Administrator, but holding either of those roles still does not let you modify the objects within the unit. Two caveats are worth knowing: the restricted flag is set when the unit is created and cannot be changed afterwards, and a Global Administrator or Privileged Role Administrator can still grant a unit-scoped role (including to themselves), so the restriction guards against routine or accidental helpdesk changes rather than against a compromised tenant-level admin account.

Creating an administrative unit

Administrative units can be created via the Microsoft Entra admin centre, PowerShell or Microsoft Graph. In an effort to force myself to improve my PowerShell ability I am going to demo the PowerShell method:

# Connect to Graph and sign in, consenting to the required permission.
# Creating a restricted management unit additionally needs the signed-in account to hold
# the Global Administrator or Privileged Role Administrator role.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

# To make a standard administrative unit
$params = @{
    DisplayName = "UK South Objects"
    Description = "All UK objects to be managed separately"
    Visibility  = "HiddenMembership"
}
$adminUnitObj = New-MgDirectoryAdministrativeUnit -BodyParameter $params

# To make a restricted management administrative unit so that tenant-scoped administrators
# can't manage its members. IsMemberManagementRestricted can only be set at creation time.
$params = @{
    DisplayName = "Executive Users"
    Description = "Executive users administration only"
    Visibility  = "HiddenMembership"
    IsMemberManagementRestricted = $true
}
$adminUnitObj = New-MgDirectoryAdministrativeUnit -BodyParameter $params

Adding members to an administrative unit

This builds on the PowerShell used above to create the admin unit. Again, this is probably loads easier to get to grips with in the UI... but I want to take away that crutch for myself.

# Only needed if you are not in the same session in which you created the admin unit;
# it fetches the admin unit object to work with. Note the filter is on display name, not id.
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '{display name of admin unit}'"

Adding Users

# This gets the user object that you wish to add and builds its Graph reference URL
$userObj = Get-MgUser -Filter "UserPrincipalName eq '{user-principal-name}'"
$odataId = "https://graph.microsoft.com/v1.0/users/" + $userObj.Id

# Adds the user into the administrative unit
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -OdataId $odataId

Adding Groups

# This gets the group object and builds its Graph reference URL
$groupObj = Get-MgGroup -Filter "DisplayName eq 'group-name'"
$odataId = "https://graph.microsoft.com/v1.0/groups/" + $groupObj.Id

# Adds the group to the admin unit
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -OdataId $odataId

Adding Devices

$odataId = "https://graph.microsoft.com/v1.0/devices/{device-id}"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -OdataId $odataId

Assigning roles to Administrative units

This step assigns a role to a user at the administrative unit scope, so the assignee holds that role only over the objects within the unit and not across the whole tenant.

# Connect to graph with the appropriate scopes
Connect-MgGraph -Scopes "Directory.Read.All","RoleManagement.Read.Directory","User.Read.All","RoleManagement.ReadWrite.Directory"

# Specify the user to assign the roles to
$user = Get-MgUser -Filter "userPrincipalName eq 'user@company.com'"

# Finds the role definition to assign; replace the display name with the chosen role
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Finds the scope for the assignment
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Admin unit name'"
$directoryScope = '/administrativeUnits/' + $adminUnitObj.Id

# Assigns the role
New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScope -PrincipalId $user.Id -RoleDefinitionId $roleDef.Id
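Once roles are being assigned at unit scope, the question from the restricted management section above (who can actually manage the members of each unit?) needs answering regularly. The following is an added example, not code from the original page, that lists every active role assignment scoped to an administrative unit, resolving role and principal names, and warns about restricted management units that have no scoped assignment at all. It assumes an existing Connect-MgGraph session with AdministrativeUnit.Read.All, RoleManagement.Read.Directory and Directory.Read.All; the function name and output shape are my own.

```powershell
# Added example: audit administrative-unit-scoped role assignments.
# Assumes Connect-MgGraph has been run with AdministrativeUnit.Read.All,
# RoleManagement.Read.Directory and Directory.Read.All. Cmdlets come from the
# Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance
# and Microsoft.Graph.DirectoryObjects modules.
function Get-AdminUnitRoleAudit {
    # Fetch role definitions and all active assignments once, then match client-side
    $roleNames = @{}
    foreach ($r in Get-MgRoleManagementDirectoryRoleDefinition -All) { $roleNames[$r.Id] = $r.DisplayName }
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All

    foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
        # Unit-scoped assignments carry this directoryScopeId; '/' means tenant-wide
        $scope        = "/administrativeUnits/$($au.Id)"
        $scoped       = @($assignments | Where-Object { $_.DirectoryScopeId -eq $scope })
        $isRestricted = [bool]$au.IsMemberManagementRestricted

        if ($isRestricted -and $scoped.Count -eq 0) {
            # Nobody holds a role over these members; a Global Administrator or
            # Privileged Role Administrator would have to grant one before any change
            Write-Warning "Restricted management unit '$($au.DisplayName)' has no unit-scoped role assignments"
        }

        foreach ($a in $scoped) {
            $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
            [pscustomobject]@{
                AdminUnit     = $au.DisplayName
                Restricted    = $isRestricted
                Role          = $roleNames[$a.RoleDefinitionId]
                Principal     = $principal.AdditionalProperties['displayName']
                PrincipalType = ($principal.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                PrincipalId   = $a.PrincipalId
            }
        }
    }
}

Get-AdminUnitRoleAudit | Sort-Object AdminUnit, Role | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. Only active assignments are returned; PIM-eligible assignments live in a separate eligibility schedule and are not included, so an empty list for a restricted unit does not prove nobody can activate into that scope. And a principal of type "group" means a role-assignable group holds the scoped role, so the group's own membership is part of what you are auditing.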