Microsoft Entra ID, formerly known as Azure Active Directory, is the part of Microsoft Entra that manages access to both internal and external resources for your organization. These resources can reside in your Azure subscription or within your Microsoft 365 tenant. Entra ID therefore helps IT administrators control who requires access to these resources. Organizations can choose from three plans: Free, Microsoft Entra ID Plan 1, and Microsoft Entra ID Plan 2. Microsoft Entra ID is accessible through both the Azure portal and the Microsoft Entra Admin Center. Additionally, within the Microsoft Entra Admin Center under Identity, you can manage devices, create lifecycle workflows, handle app registrations, and much more. In this lesson, we will learn about Administrative Units and how they can be used to manage your administrative staff within your organization. A brief description of the different plans follows; you can learn more about their features here: Microsoft Entra Plans and Pricing | Microsoft Security.
License Information:
- Microsoft Entra ID Free:
  - Provides user and group management.
  - Offers on-premises directory synchronization.
  - Includes basic reports.
  - Allows self-service password change for cloud users.
  - Supports single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
- Microsoft Entra ID Plan 1:
  - Includes all features of the Free plan.
  - Allows hybrid users to access both on-premises and cloud resources.
  - Supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities for self-service password reset for on-premises users.
- Microsoft Entra ID Plan 2:
  - Includes all features of the Free plan and Plan 1.
  - Offers Microsoft Entra ID Protection for risk-based Conditional Access to apps and critical company data.
  - Provides Privileged Identity Management to discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.
Microsoft Entra Role Based Access Control (RBAC)
Microsoft Entra ID allows you to limit an administrator's access when they do not need tenant-level administrative rights. Restricting access to only what is necessary is crucial for following the least privilege principle, which ensures that administrators have only the permissions needed to perform their tasks, minimizing the risk of unauthorized access. For example, an external consultant who performs helpdesk tasks can be granted only the permissions required for those duties. If needed, you can also build custom roles; however, the built-in roles cover most use cases. Auditing administrative units involves monitoring and reviewing the activities within these units to ensure compliance with organizational policies and security standards.
External Partner Delegation
You can also delegate to an external partner to provision and deploy services on your behalf. Organizational Global and Billing Administrators can agree to external partnership agreements with Microsoft Partners. Microsoft Solution Partners (MSP) can provide a wide variety of services. You will have to sign a partner agreement authorizing the partner to provide services on your behalf; the scope of work depends on the partner. You can find a Microsoft Certified Solutions Partner here: Find the right app | Microsoft AppSource. The partner will send an email that establishes a connection to your accounts. You can find this agreement in both the Microsoft 365 Admin Center and the Microsoft Entra Admin Center. To see your partnership relationship, follow the instructions below:
Microsoft 365 Admin Center - Partnership Relationship
- Navigate to Microsoft 365 Admin Center: https://admin.microsoft.com/.
- Log in with your administrative username and password.
- Authenticate with the Microsoft Authenticator app when prompted.
- In the left-hand menu locate and click on the Show all tab.
- Select the Settings tab, then click on Partnership relationships.
Microsoft Entra Admin Center - Delegated Admin Partners
- Navigate to Microsoft Entra Admin Center: https://entra.microsoft.com/.
- Log in with your administrative username and password.
- Authenticate with the Microsoft Authenticator app when prompted.
- In the home directory, in the left-hand menu, click on the Identity tab.
- Next, select Roles & Admins, then click on Delegated admin partners.
In both areas, you will be able to view the active relationship with your partner, including the specific type of partnership they have with your organization. It is advisable to consult your partner for detailed information regarding your partnership agreement before making any decisions to cancel or delete the partnership. Additionally, it is common practice to create an administrative unit for managing external partners, guests, and similar entities. This ensures that all external relationships are organized and managed efficiently.
What are Administrative Units?
Microsoft Entra ID Administrative Units are specialized containers within the Microsoft Entra ID environment designed to help you efficiently organize and manage users, groups, and devices. These units enable you to delegate administrative tasks to specific segments of your organization, ensuring that permissions are confined to a well-defined scope. This functionality is particularly beneficial for IT professionals, as it provides numerous use cases for delegating tasks, thereby enhancing operational efficiency and security.
Administrative Units Use Cases
To understand how administrative units are implemented within Microsoft Entra, review the common scenarios for using them below:
- Delegating Administrative Tasks: Administrative units allow you to delegate administrative tasks to specific segments of your organization. For example, you can delegate the Helpdesk Administrator role to regional support specialists, enabling them to manage users only in the region they support.
- Restricting Permissions: Administrative units help in restricting permissions to a defined scope. This is particularly useful in large organizations where different departments or regions need to manage their own resources without affecting others.
- Managing Users, Groups, and Devices: Administrative units can contain users, groups, or devices, making it easier to manage these resources within a specific scope. For instance, you can create an administrative unit for a particular department and manage all users, groups, and devices within that department.
- Implementing Least Privilege Access: By using administrative units, you can implement least privilege access, ensuring that administrators have only the permissions necessary to perform their tasks. This enhances security by minimizing the risk of unauthorized access.
- Organizing by Geography or Division: Administrative units can be used to organize resources by geography or division. For example, you might add users to administrative units based on their location (e.g., "Seattle") or department (e.g., "Marketing"), allowing for more granular management.
- Managing Properties of Groups: Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit. This allows administrators to manage properties of the group, such as group name or membership, without affecting the individual members of the group.
- Setting Policies at a Granular Level: Administrative units enable central administrators to set policies at a granular level. For example, in a large university with multiple autonomous schools, each school can have its own administrative unit with specific policies tailored to its needs.
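The regional helpdesk delegation and the auditing described above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the lesson or from Microsoft). It assumes the SDK is installed, the signed-in account can manage administrative units and role assignments, and the unit name, city filter and helpdesk UPN are constructed placeholders.

```powershell
# Added example: scope the Helpdesk Administrator role to a regional administrative
# unit instead of the whole tenant, then enumerate the scoped assignments for audit.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the administrative unit; this is the boundary the delegated admin is confined to.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Seattle" -Description "Seattle region users"

# 2. Add the regional users. Only objects inside the unit can be managed through the
#    scoped role; users elsewhere in the tenant remain out of reach. (Constructed filter.)
$regionUsers = Get-MgUser -Filter "city eq 'Seattle'" -Property Id,UserPrincipalName -All
foreach ($u in $regionUsers) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Resolve the built-in Helpdesk Administrator role; a built-in role only appears as a
#    directoryRole once it has been activated from its template, so activate it if needed.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) {
    $tmpl = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Helpdesk Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $tmpl.Id
}

# 4. Assign the role to the regional support specialist, scoped to the unit (constructed UPN).
$specialist = Get-MgUser -UserId "helpdesk.seattle@contoso.example"
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -BodyParameter @{ roleId = $role.Id; roleMemberInfo = @{ id = $specialist.Id } }

# 5. Audit: list who holds which role inside this unit. Run this periodically and compare
#    the output against the approved delegation list.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All |
    ForEach-Object {
        [pscustomobject]@{
            Unit      = $au.DisplayName
            Role      = (Get-MgDirectoryRole -DirectoryRoleId $_.RoleId).DisplayName
            Principal = $_.RoleMemberInfo.DisplayName
        }
    } | Format-Table -AutoSize
```

The specialist can now reset passwords only for users in the Seattle unit; the same cmdlets with a different unit name and filter reproduce the pattern for each region or department.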
Conclusion
In conclusion, Microsoft Entra ID Administrative Units offer a robust framework for managing user access and permissions within your organization. By leveraging these units, you can enhance security, improve efficiency, and maintain flexibility in your administrative tasks. You have also learned how Administrative Units can be leveraged to manage external partners. Explore the possibilities and unlock the full potential of Microsoft Entra ID today!
Hyperlinks
- Administrative units in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
- Overview of Microsoft Entra role-based access control (RBAC) - Microsoft Entra ID | Microsoft Learn
- Manage Microsoft-certified solution provider partner relationships | Microsoft Learn
- Find the right app | Microsoft AppSource