Home

Administrative units support for the Office 365 Admin Center is rolling out

%3CLINGO-SUB%20id%3D%22lingo-sub-154188%22%20slang%3D%22en-US%22%3EAdministrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-154188%22%20slang%3D%22en-US%22%3E%3CP%3EApparently%2C%20support%20for%20Administrative%20Units%20is%20finally%20rolling%20out%20for%20the%20O365%20Admin%20center.%20In%20case%20you%20haven't%20heard%20about%20them%2C%20AUs%20allow%20you%20to%20logically%20separate%20objects%20within%20your%20Azure%20AD%20(Office%20365)%20directory%2C%20so%20that%20only%20specific%20users%20can%20manage%20them.%20You%20can%20learn%20more%20about%20them%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-administrative-units-management%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-administrative-units-management%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUp%20until%20now%2C%20the%20feature%20only%20worked%20with%20PowerShell.%20That%20is%2C%20not%20only%20it%20was%20configurable%20only%20via%20PowerShell%20(this%20part%20still%20remains%20true)%2C%20but%20it%20took%20effect%20only%20when%20the%20designated%20admin%20was%20performing%20tasks%20against%20Azure%20AD%20using%20PowerShell.%20Now%2C%20the%20feature%20will%20cover%20the%20tasks%20performed%20in%20the%20O365%20portal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlbeit%20it's%20very%20limited%2C%20the%20feature%20is%20the%20first%20step%20towards%20having%20a%20proper%20RBAC%20controls%20for%20Azure%20AD%2C%20so%20it's%20much%20welcomed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-154188%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-268749%22%20slang%3D%22en-US%22%3ERe%3A%20Administrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-268749%22%20slang%3D%22en-US%22%3E%3CDIV%3EI%20noticed%20another%20glitch%20in%20the%20admin%20center%20for%20administrative%20units.%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EWhen%20user%20admin%20of%20AU%20multi%20select%20users%2C%20he%20has%20an%20option%20under%20Bulk%20Actions%20Edit%20User%20Roles%20-%26gt%3B%20select%20Global%20admin.%20After%20hitting%20save%20it%20doesn't%20change%20user%20role%20to%20global%20admin%2C%20but%20the%20error%20says%20%22The%20roles%20cannot%20be%20updated%20because%20we%20couldn't%20communicate%20with%20the%20service.%20Select%20Close%20and%20try%20again%20in%20a%20few%20minutes.%22%20instead%20of%20saying%20%22You%20don't%20have%20permissions%22%3CBR%20%2F%3EI%20find%20this%20confusing%20and%20I'd%20like%20to%20remove%20this%20option%20from%20the%20user%20admin%20dashboard%20at%20all%3C%2FDIV%3E%3CDIV%3EMaybe%20someone%20has%20already%20a%20good%20solution%3F%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-261878%22%20slang%3D%22en-US%22%3ERe%3A%20Administrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-261878%22%20slang%3D%22en-US%22%3E%3CP%3ENothing%20has%20changed%20in%20this%20regard%20unfortunately.%20Do%20follow%20the%20announcements%20at%20Ignite%20this%20week%2C%20as%20we've%20received%20some%20indications%20that%20Microsoft%20is%20finally%20doing%20something%20better%20in%20the%20RBAC%20space.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-261845%22%20slang%3D%22en-US%22%3ERe%3A%20Administrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-261845%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20using%20this%20this%20feature%20but%20it%20is%20far%20from%20being%20perfect.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%20number%201%20-%20is%20that%20AU%20are%20not%20dynamic.%20Does%20anyone%20knows%20the%20way%20to%20make%20it%20dynamic%20by%20certain%20parameter%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%20number%202%20-%20you%20can%20assign%20only%20%3CSPAN%3EUser%20Account%3C%2FSPAN%3E%20admin%20role%20or%26nbsp%3BHelpdesk%20admin%20for%20AU.%20None%20of%20this%20roles%20doesn't%20give%20a%20privilege%20to%20manage%20distribution%20lists%20with%20external%20users.%20And%20this%20is%20a%20huge%20pain%20for%20big%20organizations%20with%20departments%20in%20all%20over%20the%20world.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-250921%22%20slang%3D%22en-US%22%3ERe%3A%20Administrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-250921%22%20slang%3D%22en-US%22%3E%3CP%3ESeems%20still%20in%20Preview.%20Do%20you%20have%20more%20news%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-154339%22%20slang%3D%22en-US%22%3ERe%3A%20Administrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-154339%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3BLooks%20like%20it%20needs%20AAD%20Premium%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-154218%22%20slang%3D%22en-US%22%3ERe%3A%20Administrative%20units%20support%20for%20the%20Office%20365%20Admin%20Center%20is%20rolling%20out%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-154218%22%20slang%3D%22en-US%22%3EAwesome%20stuff%20Vasil!!%3C%2FLINGO-BODY%3E
Vasil Michev
MVP

Apparently, support for Administrative Units is finally rolling out for the O365 Admin center. In case you haven't heard about them, AUs allow you to logically separate objects within your Azure AD (Office 365) directory, so that only specific users can manage them. You can learn more about them here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-manage...

 

Up until now, the feature only worked with PowerShell. That is, not only it was configurable only via PowerShell (this part still remains true), but it took effect only when the designated admin was performing tasks against Azure AD using PowerShell. Now, the feature will cover the tasks performed in the O365 portal.

 

Albeit it's very limited, the feature is the first step towards having a proper RBAC controls for Azure AD, so it's much welcomed.

6 Replies

 Looks like it needs AAD Premium though.

Seems still in Preview. Do you have more news ?

I'm using this this feature but it is far from being perfect.

 

Problem number 1 - is that AU are not dynamic. Does anyone knows the way to make it dynamic by certain parameter? 

 

Problem number 2 - you can assign only User Account admin role or Helpdesk admin for AU. None of this roles doesn't give a privilege to manage distribution lists with external users. And this is a huge pain for big organizations with departments in all over the world.

 

Nothing has changed in this regard unfortunately. Do follow the announcements at Ignite this week, as we've received some indications that Microsoft is finally doing something better in the RBAC space.

I noticed another glitch in the admin center for administrative units.
 
When user admin of AU multi select users, he has an option under Bulk Actions Edit User Roles -> select Global admin. After hitting save it doesn't change user role to global admin, but the error says "The roles cannot be updated because we couldn't communicate with the service. Select Close and try again in a few minutes." instead of saying "You don't have permissions"
I find this confusing and I'd like to remove this option from the user admin dashboard at all
Maybe someone has already a good solution?

 

Thank you