In Azure AD, an Administrative Unit is a collection of Users, Groups and Devices.

Coming from the on-premises AD world, they can be thought of as roughly similar to Organisational Units.

In Azure AD, they provide a way to scope the assignment of Azure AD roles to a subset of the directory rather than to the whole tenant.

Scenario

In the scenario below, an Azure AD tenant exists for the F1 Racing industry. It contains all Drivers, Team Managers and the Executive. Among other Administrative Units, one has been created for the ‘Red Bull’ Team.

Christian has been granted authentication and group administration roles that are scoped to the ‘Red Bull Management’ Administrative Unit. He may use these roles on members of that Administrative Unit only.
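
The scenario above can be built with the Microsoft Graph PowerShell SDK (the Microsoft.Graph module). The following is an added example, not code from the original post; the Administrative Unit name, the group name, the UPNs and the domain contoso.example are assumptions, and the two role names are the built-in Azure AD roles that match the authentication and group administration roles described above.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module and an
# account that may manage Administrative Units and role assignments.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                        "User.Read.All", "Group.Read.All"

# 1. Create the Administrative Unit (assumed display name).
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Red Bull Management" `
                                        -Description "Scope for the Red Bull team"

# 2. Add members: the driver Max and the 'Red Bull Drivers' security group (assumed UPN / name).
$max   = Get-MgUser  -UserId "max@contoso.example"
$group = Get-MgGroup -Filter "displayName eq 'Red Bull Drivers'"
foreach ($ref in @("users/$($max.Id)", "groups/$($group.Id)")) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/$ref" }
}

# 3. A built-in directory role has to be activated in the tenant once before it can be
#    assigned; resolve it, activating from its template if it has not been used yet.
function Get-ActivatedDirectoryRole {
    param([Parameter(Mandatory)][string]$DisplayName)
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $DisplayName
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $DisplayName
        $role     = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    return $role
}

# 4. Assign Christian (assumed UPN) both roles, scoped to this AU only. Nothing is assigned
#    at tenant level, which is what keeps Louis and the Mercedes group out of his reach.
$christian = Get-MgUser -UserId "christian@contoso.example"
foreach ($roleName in "Authentication Administrator", "Groups Administrator") {
    $role = Get-ActivatedDirectoryRole -DisplayName $roleName
    New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
        -BodyParameter @{ roleId = $role.Id; roleMemberInfo = @{ id = $christian.Id } }
}

# 5. Verify: list the scoped assignments on the AU. Christian should appear once per role.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    ForEach-Object {
        [pscustomobject]@{
            Role   = (Get-MgDirectoryRole -DirectoryRoleId $_.RoleId).DisplayName
            Member = $_.RoleMemberInfo.DisplayName
        }
    }
```

The scoped assignment in step 4 takes the object id of the activated directory role, not the role template id, which is why step 3 resolves the role first. Step 5 is the check worth keeping as a routine audit: every entry returned there is a principal whose role is limited to this AU's members.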

Under this scenario, Christian may amend Max’s authentication information.

He may not amend Louis’ authentication information, as Louis is not in the Red Bull Administrative Unit.

He may amend the security group of Red Bull Drivers.

He may not amend the security group of Mercedes Drivers, as that group is not a member of the Red Bull Administrative Unit.
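
The four outcomes above (Max and the Red Bull group in scope, Louis and the Mercedes group out of scope) can be checked from the directory rather than by trying the operation. The function below is an added example, not code from the original post; the UPNs and the contoso.example domain are assumptions. It lists every Administrative Unit in which an administrator holds a scoped role, reports whether a given target object is a member of that AU, and also surfaces any tenant-wide directory role the administrator holds, because a tenant-wide assignment would make the AU scoping irrelevant.

```powershell
# Added example (not from the original post). Read-only audit of AU-scoped role reach.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"

function Test-AuScopedAccess {
    param(
        [Parameter(Mandatory)][string]$AdminUpn,   # the administrator being audited
        [Parameter(Mandatory)][string]$TargetId    # object id of the user or group to reach
    )
    $admin = Get-MgUser -UserId $AdminUpn

    # Tenant-wide (unscoped) directory roles show up in the admin's memberOf as directoryRole
    # objects; any of these overrides AU scoping, so report them first.
    $tenantWide = @(Get-MgUserMemberOf -UserId $admin.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    # For each AU where the admin holds a scoped role, check whether the target is a member.
    $scopedReach = @(foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
        $assignments = @(Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All |
            Where-Object { $_.RoleMemberInfo.Id -eq $admin.Id })
        if ($assignments.Count -eq 0) { continue }

        $memberIds = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All).Id
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            Roles              = ($assignments | ForEach-Object {
                                     (Get-MgDirectoryRole -DirectoryRoleId $_.RoleId).DisplayName
                                 }) -join ', '
            TargetInScope      = $memberIds -contains $TargetId
        }
    })

    [pscustomobject]@{
        Admin             = $AdminUpn
        TenantWideRoles   = $tenantWide
        ScopedAssignments = $scopedReach
        CanReachTarget    = ($tenantWide.Count -gt 0) -or
                            (@($scopedReach | Where-Object TargetInScope).Count -gt 0)
    }
}

# Usage with the scenario's names (assumed UPNs and group name): Max and the Red Bull group
# should come back in scope, Louis and the Mercedes group should not.
$christian = 'christian@contoso.example'
Test-AuScopedAccess -AdminUpn $christian -TargetId (Get-MgUser -UserId 'max@contoso.example').Id
Test-AuScopedAccess -AdminUpn $christian -TargetId (Get-MgUser -UserId 'louis@contoso.example').Id
Test-AuScopedAccess -AdminUpn $christian `
    -TargetId (Get-MgGroup -Filter "displayName eq 'Mercedes Drivers'").Id
```

Membership is tested against the AU's direct members only: a group being in the AU does not put the users inside that group into the AU, so an administrator scoped to the AU can manage the group object but not, through it, those users' accounts. That matches the page's split between amending Max's authentication information and amending the Red Bull Drivers group, and it is the distinction this check preserves.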
