Administrative Units in Microsoft Entra ID are one of those features that often fly under the radar – but they can be game-changing for organizations managing large, complex environments. Think of them as your secret weapon for delegating control, scoping policies, and simplifying administration without compromising security.
In this post, we’ll uncover why Administrative Units deserve a spot in your toolkit, how they help you divide and conquer your tenant, and practical scenarios where they make life easier for IT teams.
What are Administrative Units?
Administrative Units are Microsoft Entra ID “containers” that allow you to subdivide your organization into logical segments and delegate administrative control over only those segments. Unlike tenant-wide role assignments, Administrative Units let you scope permissions to specific users, groups, or devices – creating administrative boundaries that mirror your business structure.
Key capabilities:
- Scoped Delegation: Assign roles (User Administrator, Helpdesk Administrator, etc.) that apply only to members of the administrative unit
- Organizational Alignment: Create units based on geography, divisions, or departments
- Multi-Membership: Users can belong to multiple administrative units simultaneously
- Dynamic Membership: Automatically populate units based on user/device attributes using membership rules
- Restricted Management: Optionally prevent even Global Administrators from accessing specific units
More information can be found here:
Administrative units in Microsoft Entra ID – Microsoft Learn
Requirements
- Licensing
  - Microsoft Entra ID P1 is required for scoped administrator assignments.
  - If you use dynamic membership, all members must also have P1 licenses.
  - For static membership, members can use Entra ID Free.
- Admin Roles
  - Global Administrator
  - Privileged Role Administrator
Configuration
In this section, we’ll walk through creating an Administrative Unit, adding members, and assigning scoped administrators. Our example scenario: a global organization delegating help desk permissions to regional IT teams – so the EMEA IT team can only manage users in Europe, without affecting accounts in other regions.
Step 1: Create an administrative unit
First, we’ll create the container that will hold our users, groups, or devices.
- Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
- Navigate to Identity > Roles & admins > Admin units.
- Click Add (or + New administrative unit).
- Fill in the required fields:
  - Name: EMEA
  - Description: Contains all users and resources for the EMEA region
  - Restricted management administrative unit: Set to No (unless you need to prevent Global Administrators from accessing this unit)
- Click Next or navigate to the Assign roles tab if you want to assign administrators immediately (we’ll do this in Step 3).
- Click Review + create, then Create.
Step 2: Add Members to the Administrative Unit
Now we’ll populate the administrative unit with the users who should be managed by scoped administrators.
- In the Microsoft Entra admin center, navigate to Identity > Roles & admins > Admin units.
- Select the EMEA administrative unit you just created.
- In the left navigation, click Users (or Groups or Devices, depending on what you want to add).
- Click + Add members.
- Search for and select the users you want to add to this administrative unit (e.g., all Europe-based employees).
- Click Add to add the selected users.
Step 3: Assign Scoped Administrators
This is where the power of Administrative Units becomes apparent – we’ll assign the Helpdesk Administrator role, but scope it only to the EMEA administrative unit.
- In the Microsoft Entra admin center, navigate to Identity > Roles & admins > Admin units.
- Select the EMEA administrative unit.
- In the left navigation, click Roles and administrators.
- Select the Helpdesk Administrator role from the list.
Note: You won’t see all Microsoft Entra roles here – only roles that can be scoped to administrative units (roles with permissions for users, groups, or devices).
- Click + Add assignments.
- Search for and select the user or group you want to assign as the scoped administrator (e.g., Alex Wilber).
- Click Add to complete the assignment.
Result: The assigned user/group now has Helpdesk Administrator permissions, but only for users within the EMEA administrative unit. They cannot manage users outside this unit.
Step 4: (Optional) Configure Dynamic Membership
For organizations that want to automatically maintain administrative unit membership based on user attributes, you can configure dynamic membership rules.
Steps:
- Navigate to Identity > Roles & admins > Admin units.
- Select your administrative unit (or create a new one).
- In the left navigation, click Properties.
- Under Membership type, select Dynamic User or Dynamic Device.
- Click Add dynamic query.
- Build your membership rule using the rule builder or write a custom rule in text mode.
Example rule (all users with office location Amsterdam):
(user.officeLocation -eq "Amsterdam")
Example rule (all users in the Marketing department in Amsterdam):
(user.officeLocation -eq "Amsterdam") -and (user.department -eq "Marketing")
- Click Save to apply the dynamic membership rule.
The administrative unit will now automatically add or remove members based on the rule evaluation. Rule processing can take several minutes to hours depending on tenant size.
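The same Steps 1 to 4 carried out with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph modules are installed, the signed-in account is at least Privileged Role Administrator, and the user filter and the administrator's UPN are placeholders for your own tenant.

```powershell
# Added example (not from the original post): Steps 1-4 via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Step 1: create the container. Restricted management is left at its default (No).
$au = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA" `
    -Description "Contains all users and resources for the EMEA region"

# Step 2: add members by reference. The filter is a constructed stand-in for "all Europe-based users".
$members = Get-MgUser -Filter "officeLocation eq 'Amsterdam'" -All
foreach ($u in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# Step 3: scope Helpdesk Administrator to this AU only. A directory role has to be activated
# from its template once per tenant before it can be referenced by id.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq "Helpdesk Administrator"
if (-not $role) {
    $tmpl = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Helpdesk Administrator"
    $role = New-MgDirectoryRole -RoleTemplateId $tmpl.Id
}
$admin = Get-MgUser -UserId "alex.wilber@contoso.example"   # placeholder UPN
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo @{ Id = $admin.Id }

# Check: the assignment appears as a scoped role membership of the AU, not as a tenant-wide role.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    ForEach-Object { "Scoped to $($au.DisplayName): $($_.RoleMemberInfo.DisplayName) -> role $($_.RoleId)" }

# Step 4 (optional): a separate AU whose membership is kept current by the post's second rule.
New-MgDirectoryAdministrativeUnit -DisplayName "Amsterdam Marketing" -MembershipType "Dynamic" `
    -MembershipRuleProcessingState "On" `
    -MembershipRule '(user.officeLocation -eq "Amsterdam") -and (user.department -eq "Marketing")'
```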
Advanced Scenarios: Custom Workflows with Administrative Units
While the basic use case of scoped administration is powerful, Administrative Units truly shine when combined with other Microsoft Entra ID features to create sophisticated, self-service workflows. These scenarios demonstrate how AUs enable delegated security management while maintaining centralized governance.
Scenario 1: Self-Service Conditional Access Exclusions with Terms of Use
Business Challenge: Your organization blocks sign-ins from all countries except approved locations (e.g., USA, UK, Netherlands) via Conditional Access. However, executives and sales teams frequently travel to unapproved countries for business. Currently, every travel exception requires an IT Security ticket, creating delays and potentially blocking critical business access.
Solution with Administrative Units: Create a self-service workflow where department managers can add travelers to an exclusion group. These users are removed from the strict “allowed countries only” policy and instead fall under a less restrictive “block high-risk countries” policy – maintaining security while enabling business travel.
Architecture:
Administrative Unit: "Finance Department AU"
├── Members: All Finance Department users
├── Scoped Admin: Finance IT Manager (Groups Administrator role)
└── Contains Group: "Finance-Travel-Exclusions"
    ├── Managed by: Finance IT Manager (via AU scope)
    └── Used in: CA Policy exclusions with Terms of Use requirement
Scenario 2: Regional Break-Glass Account Management
Business Challenge: Your organization operates in multiple geographic regions (EMEA, APAC, Americas). Each region needs break-glass emergency access accounts for their regional resources, but tenant-wide Global Administrators are overkill and violate least privilege principles.
Solution with Administrative Units: Create region-specific break-glass accounts managed by regional security leads, with permissions scoped only to their region’s users and resources.
Architecture:
Administrative Unit: "EMEA Region AU"
├── Members: All EMEA users (dynamic rule: user.officeLocation -match "London|Paris|Berlin")
├── Scoped Admins:
│   ├── EMEA-BreakGlass-01 (User Administrator role - scoped to EMEA AU)
│   └── EMEA-SecurityLead (Authentication Administrator role - scoped to EMEA AU)
└── Protected by: Conditional Access requiring PIM activation + phishing-resistant MFA
Scenario 3: Contractor Lifecycle Management with Time-Bound Access
Business Challenge: Your organization frequently onboards contractors for 90-day projects. The HR Business Partner needs to manage contractor accounts (reset passwords, assign licenses, update profiles) but should not have access to full-time employees.
Solution with Administrative Units: Create a contractors-only AU with dynamic membership, assign the HR Business Partner as scoped User Administrator, and automatically revoke access when contract ends.
Architecture:
Administrative Unit: "External Contractors AU"
├── Membership Type: Dynamic User
├── Membership Rule: (user.userType -eq "Guest") -or (user.department -eq "Contractors")
├── Scoped Admin: HR Business Partner (User Administrator + License Administrator roles)
└── Automation: Power Automate flow to remove users from AU when employeeEndDate is reached
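All three architectures depend on the AU boundary actually holding, so here is a defender-side audit of it, as an added example that is not part of the original post: for every AU it prints the membership rule and the restricted-management flag, lists the scoped role members, and flags any scoped administrator (a regional break-glass account from Scenario 2, say) that also holds the same role tenant-wide, which would make the AU scope meaningless. It assumes the Microsoft Graph PowerShell SDK in a version that exposes the membership-rule and restricted-management properties on the AU object.

```powershell
# Added example (not from the original post): audit AU delegation boundaries.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"

# Index tenant-wide role membership once: key "<role display name>|<principal id>"
$roles = Get-MgDirectoryRole -All
$tenantWide = @{}
foreach ($r in $roles) {
    foreach ($m in (Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All)) {
        $tenantWide["$($r.DisplayName)|$($m.Id)"] = $true
    }
}

$findings = @()
foreach ($au in (Get-MgDirectoryAdministrativeUnit -All)) {
    "== $($au.DisplayName)  restricted management: $($au.IsMemberManagementRestricted)"
    if ($au.MembershipType -eq "Dynamic") {
        # Dynamic AUs (Scenarios 2 and 3): the rule is the boundary, so show it and its processing state
        "   rule [$($au.MembershipRuleProcessingState)]: $($au.MembershipRule)"
    }
    $scoped = Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All
    foreach ($s in $scoped) {
        $roleName = ($roles | Where-Object Id -eq $s.RoleId).DisplayName
        $who = $s.RoleMemberInfo.DisplayName
        "   $roleName : $who"
        if ($tenantWide["$roleName|$($s.RoleMemberInfo.Id)"]) {
            $findings += "$who holds '$roleName' tenant-wide; the scope to '$($au.DisplayName)' is redundant"
        }
    }
}

# Anything listed here defeats the least-privilege intent of the scoped assignment.
$findings | ForEach-Object { Write-Warning $_ }
```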
Demo of Administrator Experience
Conclusion
Administrative Units transform how you delegate administrative control in Microsoft Entra ID. Instead of granting overly broad tenant-wide permissions or forcing every action through centralized IT, you can align permissions with your organizational structure – giving teams the autonomy they need while maintaining security boundaries.
The true power emerges when you combine Administrative Units with Conditional Access, Terms of Use, and automation. The Finance travel workflow demonstrates this perfectly: a department manager grants travel exceptions without IT Security tickets, yet every exception requires Terms of Use acceptance, is automatically scoped to the department, and expires after 14 days. This is zero-trust delegation in action.
Whether you’re managing a global enterprise, a university system, or a multi-division organization, Administrative Units provide the granular delegation capabilities that tenant-wide role assignments cannot deliver. Combined with Conditional Access and automation, they become the foundation for secure, scalable self-service workflows.
Next in the Series: Part 3 shines a spotlight on Custom Security Attributes, highlighting an essential yet often overlooked capability that enables more granular and effective management.