Often, organizations require a more controlled and granular approach to managing specific users or groups rather than relying on centralized control alone. This is where Administrative Units (AUs) come into play in managing Microsoft 365 Identity and Services. AUs in Microsoft 365 provide a decentralized way to administer subsets of users. They enable an organization to delegate admin powers to a select group of users or administrators and to limit those powers to a specific department, location, or cohort.
Creating Administrative Units
Creating an Administrative Unit starts by defining its membership. For instance, you may decide to create an AU based on the geographical locations of your organization or on the departments that make up your business units. Follow the steps below, as per Microsoft documentation, to create an AU:
- In the Microsoft 365 admin center, go to Groups > Active groups.
- Click Add a group, and then on the Group type page, click Administrative Units.
- On the Basics page, type a name and description for your administrative unit.
- On the Members page, choose the users that you want to add to this administrative unit, and then click Next.
- Review your settings, and then click Create group.
After creating the unit, you can assign roles to specific Admins, limiting their administrative powers to the AU.
Role Assignment in Administrative Units
Role assignment is one of the crucial components of managing AUs. Assigning an admin role to a user grants them the permissions they need to manage that unit, and nothing outside it. Key recommended roles within Microsoft 365 Identity and Services include:
- User Administrators: Can manage all aspects of users and groups.
- Exchange Administrators: Can manage Exchange properties in user mailboxes.
- Teams Service Administrators: Can manage Teams settings in user accounts.
- Password Administrator: Can reset passwords.
- Helpdesk Administrator: Can perform common troubleshooting tasks.
The following PowerShell command (from the AzureAD module) is the standard way to assign an admin role to a user with its scope limited to an AU:

```powershell
Add-AzureADScopedRoleMembership -ObjectId <AdministrativeUnitId> -RoleObjectId <DirectoryRoleID> `
    -RoleMemberInfo (New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ObjectId = "<AdminUserId>"})
```

To assign the User Administrator role scoped to an AU, replace AdministrativeUnitId with the Object ID of the AU, DirectoryRoleID with the Object ID of the User Administrator role, and AdminUserId with the Object ID of the user being granted the role.
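The portal steps and the scoped role assignment above, carried through end to end as an added example (not code from the original article). It assumes the AzureAD PowerShell module that the page's cmdlets belong to; the AU name, the member UPNs and the delegated admin's UPN are placeholders.

```powershell
# Added example: delegate the User Administrator role over one department and audit the result.
# Assumed values: "Finance Department", the contoso.example UPNs and the admin UPN are placeholders.
Connect-AzureAD

# 1. Create the administrative unit (same result as Groups > Add a group > Administrative Units).
$au = New-AzureADMSAdministrativeUnit -DisplayName "Finance Department" `
        -Description "Scoped administration for Finance users"

# 2. Add the users the delegated admin will be allowed to manage.
$members = "alice@contoso.example", "bob@contoso.example"   # placeholders
foreach ($upn in $members) {
    $u = Get-AzureADUser -ObjectId $upn
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $u.ObjectId
}

# 3. Look up the User Administrator directory role. A role is listed by
#    Get-AzureADDirectoryRole only once it has been activated from its template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "User Administrator" }
if (-not $role) {
    $tmpl = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "User Administrator" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tmpl.ObjectId
}

# 4. Scope the role to the AU for the delegated admin. The scoped membership lets
#    them manage only the AU's members, not the whole directory.
$admin = Get-AzureADUser -ObjectId "finance-helpdesk@contoso.example"   # placeholder
$info  = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo `
            -Property @{ ObjectId = $admin.ObjectId }
Add-AzureADScopedRoleMembership -ObjectId $au.Id -RoleObjectId $role.ObjectId -RoleMemberInfo $info

# 5. Verify: list who holds which role over this AU. Reviewing this output periodically
#    is how you spot scoped assignments that have outlived the need for them.
Get-AzureADScopedRoleMembership -ObjectId $au.Id |
    ForEach-Object {
        $r = Get-AzureADDirectoryRole -ObjectId $_.RoleObjectId
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            Role               = $r.DisplayName
            Admin              = $_.RoleMemberInfo.UserPrincipalName
            MembershipId       = $_.Id      # pass to Remove-AzureADScopedRoleMembership to revoke
        }
    } | Format-Table -AutoSize
```

The AzureAD module these cmdlets come from has been deprecated by Microsoft in favour of Microsoft Graph PowerShell, where the same objects are exposed (for example New-MgDirectoryAdministrativeUnit), but the create, add members, scope role, verify sequence is unchanged.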
Administrative Units Limitations
While AUs provide a granular level of control, it’s essential to understand their limitations. As per the current Microsoft documentation, AUs have the following limitations:
- AUs only provide scoped administrative control over a subset of all Microsoft online services. This subset includes Exchange Online, Teams, and SharePoint.
- AUs do not influence who can access what data; they only control who can perform admin tasks.
- Licences cannot be mapped to AUs; they can only be mapped to users.
- Dynamic group membership rules based on AUs are currently not supported.
Managing AUs is an essential aspect of administering the Microsoft 365 environment, particularly for larger organizations with distributed teams or subsidiaries. By mastering this subject, you’re a step closer to passing the MS-100 Microsoft 365 Identity and Services examination and demonstrating your ability to manage identity in the Microsoft 365 environment.
Practice Test
True/False: With Microsoft 365, you can create multiple administrative units.
- True
- False
Answer: True.
Explanation: Microsoft 365 does support the creation and management of multiple administrative units.
Single Select: Which one of these is not a type of Microsoft 365 admin role?
- a) SharePoint admin
- b) Exchange admin
- c) TeamViewer admin
- d) Teams admin
Answer: c) TeamViewer admin.
Explanation: TeamViewer is not a Microsoft product, so there is no TeamViewer admin role in Microsoft
Multiple Select: The member of administrative units can be:
- a) Users
- b) Groups
- c) Roles
- d) Solutions
Answer: a) Users and b) Groups.
Explanation: An administrative unit can include both users and groups. Roles and Solutions are not included in the members of the administrative unit.
True/False: Microsoft 365 allows you to apply different roles to different administrative units.
- True
- False
Answer: True.
Explanation: You can assign roles to an administrative unit, thus applying different roles to different units.
Single Select: What does the Compliance admin role manage in Microsoft 365?
- a) Users
- b) Security Policies
- c) Compliance Systems
- d) Teams
Answer: c) Compliance Systems.
Explanation: The compliance admin role focuses on managing compliance systems such as data loss prevention and audits.
True/False: An admin can belong to more than one administrative unit in Microsoft
- True
- False
Answer: True.
Explanation: Admins can be assigned to multiple administrative units.
Multiple Select: Which of these roles can manage administrative units in Microsoft 365?
- a) Device Administrators
- b) Global Administrators
- c) User Administrators
- d) Compliance Administrators
Answer: b) Global Administrators and c) User Administrators.
Explanation: Both the Global administrators and User administrators in Microsoft 365 can manage the administrative units.
Single Select: With Microsoft 365, what’s the maximum number of administrative units you can create?
- a) 500
- b) 1000
- c) 5000
- d) There is no limit
Answer: d) There is no limit.
Explanation: Microsoft 365 allows you to create as many administrative units as required.
True/False: Only one role can be assigned to an administrative unit in Microsoft
- True
- False
Answer: False.
Explanation: More than one role can be assigned to an administrative unit in Microsoft
Multiple Select: What does the Global admin role manage in Microsoft 365?
- a) Teams
- b) All administrative units
- c) Compliance Systems
- d) Security Policies
Answer: a) Teams, b) All administrative units, c) Compliance Systems and d) Security Policies.
Explanation: The Global admin role in Microsoft 365 has the highest level of permissions and can manage all aspects, including Teams, all administrative units, compliance systems and security policies.
Interview Questions
What is the primary role of administrative units in Microsoft 365?
Administrative units in Microsoft 365 are specialized containers for users, groups, and other units that allow granular delegation of administrative permissions. They enable better control and management of these entities by specific administrators without giving full control of a whole directory.
How can you assign a role to an administrative unit through PowerShell?
You can assign a role to an administrative unit by using the Add-AzureADScopedRoleMembership cmdlet in PowerShell.
How many administrative units can be created in a single Azure AD directory?
Currently, there is a limit of 500 administrative units that can be created in a single Azure AD directory.
Can roles be scoped to an administrative unit in Microsoft 365?
Yes, specific roles like Helpdesk Administrator or User Administrator can be scoped to an administrative unit in Microsoft 365.
What PowerShell cmdlet is used to create a new administrative unit in Microsoft 365?
The New-AzureADMSAdministrativeUnit cmdlet is used to create a new administrative unit in Microsoft 365.
Can you add a group to an administrative unit in Microsoft 365?
Yes, you can add a group to an administrative unit, but currently, this can only be done through PowerShell using Add-AzureADMSAdministrativeUnitMember.
Does the Helpdesk Administrator role in administrative units have the ability to reset passwords?
Yes, the Helpdesk Administrator role in administrative units has the ability to reset passwords, manage service requests and monitor service health.
Can you remove a user from an administrative unit in Microsoft 365?
Yes, you can remove a user from an administrative unit using the Remove-AzureADMSAdministrativeUnitMember cmdlet in PowerShell.
Can you assign global roles to an administrative unit in Microsoft 365?
No, you cannot assign global roles to administrative units. Only specific roles can be scoped to an administrative unit.
What is the purpose of scoping a role to an administrative unit?
Scoping a role to an administrative unit allows you to delegate control for users, groups, and other resources within that specific unit to another user or a group, without giving full control of the whole directory.
Can nested organizational structures be created within an administrative unit in Microsoft 365?
Currently, nesting of administrative units is not supported in Microsoft 365.
What is the purpose of the Get-AzureADMSAdministrativeUnit PowerShell cmdlet?
The Get-AzureADMSAdministrativeUnit cmdlet is used to retrieve details of an administrative unit in Microsoft 365, such as the members of the unit or properties of the unit.
Can the scope of Helpdesk Administrator or User Administrator roles be modified for an administrative unit in Microsoft 365?
Yes, the scope of Helpdesk Administrator or User Administrator roles can be modified for an administrative unit in the Microsoft 365 admin center or through PowerShell.
Can service administrators manage administrative units in Microsoft 365?
Service administrators can manage service settings for users and groups within their assigned administrative units, but they cannot manage the administrative units themselves.
What’s the purpose of Azure AD Connect in managing administrative units?
Azure AD Connect is used to sync on-premises Active Directory identities to Azure Active Directory. Azure AD Connect’s role in managing administrative units is to ensure that the administrative structure in the on-premises Active Directory is mirrored in Azure AD, including the administrative unit and its members.