
🧩 Part 4: Access Control with Administrative Units

  • Writer: Bjørnar Aassveen
  • Jun 19

In smaller organizations, it is often convenient for an IT department to have full control over all users, groups, and resources. However, in larger organizations—with many departments, locations, or subsidiaries—this quickly becomes impractical and risky.


Administrative Units (AUs) in Microsoft Entra ID allow you to divide your directory into logical units and delegate administration to local administrators—without giving them access to the entire environment.


🧱 What is an Administrative Unit?


An Administrative Unit is a kind of "container" in Entra ID that can contain:

  • Users

  • Groups

  • Devices


You can then assign roles (e.g. User Administrator, Groups Administrator) with a scope limited to the relevant AU. This means that a local IT employee can manage users in their own department, but cannot change users in other parts of the organization. Note that the scope restricts what the role can change, not what the administrator can read: any member user can still read basic directory information unless default user permissions are restricted separately.


Example: Delegated administration in practice

Let's say you have an organization with three departments:

  • Oslo

  • Bergen

  • Trondheim


Then you can create an AU for each department, and assign local administrators who only have rights within their AU. They can:

  • Reset passwords

  • Change user attributes

  • Add/remove users to groups

  • Manage Teams and SharePoint access indirectly, through membership of the groups in their AU that grant that access


But they cannot:

  • Manage users in other AUs (they can still read basic directory data, like any member user)

  • Change global settings

  • Assign roles outside their area


🎛️ What can you delegate?


Examples, not an exhaustive list:

| Role | What it can do (within the AU) |
|---|---|
| User Administrator | Manage users (passwords, attributes, group membership) |
| Groups Administrator | Create and manage groups |
| Helpdesk Administrator | Reset passwords for non-administrator users |
| Cloud Device Administrator | Manage devices |

💡 You can combine AUs with PIM (Privileged Identity Management) so that the AU-scoped role is an eligible, time-bound assignment that the local administrator activates when needed, rather than a permanent one.

How to create and use AUs?

  • Create AUs in Entra admin center or via PowerShell

  • Add objects (users, groups, devices)

  • Assign roles to users with scope limited to AU
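The three steps above, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original post). The AU name "Oslo", the `city` attribute used to pick members and the administrator UPN are placeholders you would replace with your own values; the last step verifies the result and shows which assignments are still tenant-wide.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). All names below are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the administrative unit.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Oslo" -Description "Users and groups managed by Oslo IT"

# 2. Add members: here every user whose 'city' attribute is Oslo (placeholder criterion).
$members = Get-MgUser -Filter "city eq 'Oslo'" -All -Property Id, UserPrincipalName
foreach ($u in $members) {
    $ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter $ref
}

# 3. Assign User Administrator to the local admin, scoped to this AU.
#    DirectoryScopeId "/" would mean the whole tenant; "/administrativeUnits/<id>" is the AU only.
$localAdmin = Get-MgUser -UserId "kari.oslo-it@contoso.example"   # placeholder UPN
$roleDef    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $localAdmin.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: list everyone holding User Administrator and at what scope.
#    Anything still at DirectoryScopeId "/" is a tenant-wide assignment worth reviewing.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All |
    Select-Object PrincipalId, DirectoryScopeId |
    Format-Table -AutoSize
```

Run step 4 before and after the delegation: the goal is that the scoped assignment appears and that the number of "/" (tenant-wide) assignments for the role goes down over time, not up.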



Benefits of AUs

✅ Increased security – fewer people with global rights

✅ Better overview – local control without central overload

✅ Scalable – suitable for both corporate and educational institutions

✅ Reduced risk of errors – administrators can only change the objects they are responsible for


Limitations


  • AUs scope Entra ID roles only – they do not carry into Microsoft 365 workloads with their own permission models (for example Exchange Online RBAC or SharePoint site permissions)

  • Not all roles support AU scope – check the role's documentation before building a delegation model around it

  • Requires a Microsoft Entra ID P1 licence for each administrator who is assigned an AU-scoped role (member users need none); using PIM for those assignments additionally requires P2


🚀 Next Steps


In the next post, we’ll look at guest users and external sharing – how you can grant external access in a secure and controlled way, without opening up the entire tenant.


Bjørnar&AI


