What are Microsoft Entra ID administrative units
If you are migrating from Active Directory to Microsoft Entra ID, most of how you manage your users will be similar. However, there are some major differences, and one of them is the lack of organizational units (OUs) to delegate to your admins. While assigning roles to your admins and arranging your users in groups sounds like a good idea on paper, there is a better way. That would be using administrative units (AUs) in Microsoft Entra ID. Continue reading to see how AUs are different from OUs and groups, how you can create and use one, and how ManageEngine M365 Manager Plus—an holistic Microsoft 365 administrative tool—has a better solution to manage your users.
What is an administrative unit?
Administrative Units in Microsoft Entra ID are resources that can hold other Microsoft Entra ID objects, including users, groups, and devices. They can be assigned to administrators with existing roles or to other users in the AU with a role that applies only to this AU.
As with groups and OUs, modifying the properties for the AU will also affect its members accordingly. For example, you can block the AU and all of the users in it will be blocked from signing in to Microsoft 365.
How are administrative units different from Microsoft Entra ID groups?
The definition above might make it seem like AUs are more like groups. However, there are some slight differences which make AUs more useful for delegating control over objects in Microsoft Entra ID.
Microsoft Entra ID uses groups to group together users or devices and grant them access to a specific resource. The group can then be given permission to perform certain actions rather than assigning them individually to all the members. However, permissions cannot be assigned to the group members granularly. The roles applied will apply to the entire Microsoft 365 tenant.
AUs are more about managing the members in it. They allow you to assign a role to a user and limit their actions and control only to the AU.
How are administrative units different from Active Directory OUs?
AUs and OUs are nearly the same type of resource, the former is on a cloud environment, while the latter is used in on-premises environments. Both can be delegated to users by assigning them specific roles. Also, both are intended to limit administrative control only to a group of resources. However, one cannot nest AUs like OUs. You cannot create an AU inside another AU, and an AU cannot inherit the properties of another AU.
How to create administrative units in Microsoft Entra ID
You can create AUs in Microsoft Entra ID by following the steps below:
- Log in to Microsoft Entra ID with an user account that has at least a Privileged Role Administrator role assigned to it.
- Navigate to Identity > Roles & admins > Admin units.
- Click Add.
- Fill in a Name for the AU.
- If you wish to limit the management of the AU only to the admins allotted, and not the tenant administrators, toggle the Restricted management administrative unit option to Yes.
- Click Next.
- Click on any of the roles available, select the members you want to add to the role, and click Add.
- Click Next to review the configuration, and click Create to finish creating your own AU.
- Once that's done, select the AU that you created, and add your desired users, groups, or members to it by clicking Add Members on the top ribbon.
Limitations of Administrative Units in Microsoft Entra ID
While AUs are a great way to delegate selective control of objects to your admins, there are some limitations to using AUs in Microsoft Entra ID.
- Inability to nest: AUs cannot be nested within one another. This forces a flat organization of AUs and that makes managing them harder. If they were nested, changing the properties of the parent AU will automatically change it for its nested AUs.
- Inability to manage members in assigned groups: When a group is added to an AU, the administrators assigned to it will only be able to edit the properties of the group and not the users inside it.
- Inability to assign licenses and non-administrative functions: While the function of AUs is purely administrative delegation, a major part of administering users is assigning them licenses and permissions to access the resources they need. Assigning permissions like site access to AUs should be made as easy as assigning them to groups.
Administer your Microsoft 365 environment effortlessly and effectively with M365 Manager Plus
ManageEngine M365 Manager Plus is a comprehensive administration and security solution for Microsoft 365 used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. You can delegate granular permissions to technicians without elevating their Microsoft 365 privileges and create custom roles with any combination of reporting, management, and auditing tasks.
You can also create Virtual Tenants in M365 Manager Plus that allow you to limit your technicians to only the users selected for the virtual tenant and prevent them from accessing any user objects to which they are not assigned. We are working on extending the reach of Virtual Tenants to include other objects like groups, teams, and more. Stay tuned to find out.
There are also other benefits to using M365 Manager Plus to manage and monitor your Microsoft 365 environment.
- Gain a thorough understanding of your environment not just in Microsoft Entra ID, but also Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services, with detailed reports and intuitive visualizations, all from a single console.
- Filter your reports just once and save them as custom reports that you can access in just a few clicks.
- Export reports generated in M365 Manager Plus in not just CSV, but also in other presentable formats such as HTML, PDF, and XLSX.
- Easily manage users, groups, contacts, mailboxes, teams, and sites in bulk without PowerShell scripting.
- Keep tabs on even the most granular user activities in your Microsoft 365 environment.
- Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.
Control and customize the administration of your Microsoft 365 environment.
Try now for freeStreamline your Microsoft 365 governance and administration with M365 Manager Plus
Get Your Free Trial