Microsoft 365 Tenant Administration and Delegation for Complex Environments

Microsoft recently shipped a new way to slice up your Microsoft tenant in Azure AD. These new Microsoft 365 Administrative Units may help support teams and IT teams, including business-unit IT administrators, the world over. It’s a start. There are limits.

Do you struggle with how to slice up administration of your Microsoft 365 tenant? I know there are many who wish they could segment their services, and that is not this feature. Licensing administration, user support, and even MFA support may get a huge boost from this new feature set. Have you ever wished there was an easy way to segment your tenant so you could delegate permissions more granularly to a group of operators or admins? Now there is: Administrative Units, also known as AUs, are now in Preview.

Download this infographic above “Slice up your Microsoft 365 Tenant Administration with Administrative Units” as an image or as a PDF

*Now in Preview* Microsoft has introduced Administrative Units in Azure AD for creating delegated boundaries within a single tenant for user and group administration. The feature is also accessible via PowerShell and Microsoft Graph.

Administrative Units

Download the “Understanding Microsoft 365 Administrative Units” infographic as jpg, png, or pdf. This image sponsored by CoreView is shared in creative commons share alike. Feel free to use it in your company, share it in your slides, or use it as a reference.


Administrative Units Roles and Rights

  • Authentication Administrator – Has access to view, set, and reset authentication method information for any non-admin user for the assigned Administrative Unit.
  • Groups Administrator – Can manage all aspects of groups and groups settings like naming and expiration policies in the assigned Administrative Unit.
  • Helpdesk Administrator – Can reset passwords for non-administrators and Helpdesk administrators in the Administrative Unit.
  • License Administrator – Can assign, remove, and update license assignments within the Administrative Unit only.
  • Password Administrator – Can reset passwords for non-administrators and Password Administrators within the Administrative Unit.
  • User Administrator – Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned Administrative Unit.

Microsoft 365 Admin Units Challenges

  • Administrative Units (AUs) require an Azure Active Directory Premium license for each AU admin; a license is not required for AU members.
  • Creating and managing AUs in the Azure AD portal or with Graph/PowerShell requires Global Administrator or Privileged Role Administrator rights.
  • AU delegated admins must use the M365 Admin Center for managing users.
  • Currently there is no management of AUs in the Admin Center.
  • No Dynamic Administrative Units… (Yet!)
  • Odd elevation-of-privilege path scenarios: an AU-scoped administrator can’t reset the password of a user who’s assigned to a role with an organization-wide scope.
  • Devices cannot be made members of AUs. Scoping management of devices in Azure AD
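
The scoped roles and the organization-wide-role limitation described above can be reviewed from PowerShell. The following read-only audit is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and an account permitted to read Administrative Units and directory role assignments.

```powershell
# Added example (not from the original post): read-only audit of AU delegation.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# consent to the read scopes below.
Connect-MgGraph -Scopes 'AdministrativeUnit.Read.All', 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Cache activated directory roles so scoped-role IDs resolve to display names.
$roleNames = @{}
Get-MgDirectoryRole -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$report = foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {

    # 1. Who holds a role scoped to this AU (Helpdesk Administrator, User Administrator, ...)?
    foreach ($srm in Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All) {
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            Finding            = 'ScopedAdmin'
            Principal          = $srm.RoleMemberInfo.DisplayName
            Role               = $roleNames[$srm.RoleId]
        }
    }

    # 2. Which AU members also hold a tenant-wide role (directory scope "/")?
    #    AU-scoped admins cannot reset these accounts' passwords, so they need
    #    an organization-wide support path and closer review.
    foreach ($member in Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All) {
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($member.Id)'" -All |
            Where-Object { $_.DirectoryScopeId -eq '/' }
        foreach ($a in $assignments) {
            $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
            [pscustomobject]@{
                AdministrativeUnit = $au.DisplayName
                Finding            = 'MemberWithTenantWideRole'
                Principal          = $member.AdditionalProperties['displayName']
                Role               = $def.DisplayName
            }
        }
    }
}

$report | Sort-Object AdministrativeUnit, Finding | Format-Table -AutoSize
```

Rows marked `ScopedAdmin` show who is delegated over each AU; rows marked `MemberWithTenantWideRole` are the accounts an AU-scoped admin cannot manage.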

Register now to learn:

  • Techniques to slice up a Microsoft 365 Tenant
  • How best to manage blocks of licensing for departments
  • Various ways to segment your Microsoft 365 tenant to support a delegated admin model
  • Techniques for SharePoint, Teams and Exchange regional or departmental delegation
  • Strategies for Automation for Administrators

Live Webinar with Q&A:

February 3 at 11:00AM Eastern & 8:00AM Pacific

>> Register Now


February 3 at 2:00 PM Eastern & 11:00AM Pacific

>> Register Now
