In Azure AD, an Administrative Unit is a collection of Users, Groups and Devices.
For those coming from the on-premises AD world, they may be thought of as roughly similar to Organisational Units.
In the Azure AD space, they provide a means of scoping Azure AD role assignments to a defined subset of the directory rather than the whole tenant.
Scenario
In the scenario below, an AAD tenant exists for the F1 Racing industry. It contains all Drivers, Team Managers and the Executive. Among others, an Administrative Unit has been created for the ‘Red Bull’ Team.
Christian has been granted authentication and group administration roles that are scoped to the ‘Red Bull Management’ Administrative Unit. He may use his assigned roles on members of this Administrative Unit only.
Under this scenario, Christian may amend Max’s authentication information.
He may not amend Louis’ (as Louis is not a member of the Red Bull Administrative Unit).
He may amend the security group of Red Bull Drivers.
He may not amend the security group of Mercedes Drivers (as this group is not a member of the Red Bull Administrative Unit).
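The scoped assignments in this scenario, configured with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The tenant domain, user principal names, the group display name and the choice of the built-in Authentication Administrator and Groups Administrator roles are assumptions.

```powershell
# Added example: scope Christian's roles to the Red Bull Administrative Unit.
# Tenant domain, UPNs, group name and role names are assumed placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All", "Group.Read.All"

# 1. Create the Administrative Unit for the team.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Red Bull" `
        -Description "Red Bull team: drivers, managers and their groups"

# 2. Add Max and the Red Bull Drivers group as members.
#    Louis and the Mercedes Drivers group are deliberately left out.
$max   = Get-MgUser  -Filter "userPrincipalName eq 'max@f1racing.example'"
$group = Get-MgGroup -Filter "displayName eq 'Red Bull Drivers'"
foreach ($member in @($max, $group)) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($member.Id)" }
}

# 3. Assign the roles to Christian with the AU as the directory scope.
#    A scope of "/" would instead grant the role over the whole tenant.
$christian = Get-MgUser -Filter "userPrincipalName eq 'christian@f1racing.example'"
foreach ($roleName in "Authentication Administrator", "Groups Administrator") {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $christian.Id `
        -RoleDefinitionId $role.Id `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)"
}

# 4. Check: every assignment Christian holds should carry the AU scope, not "/".
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($christian.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The check in step 4 is the part worth keeping around: an assignment whose DirectoryScopeId is "/" rather than /administrativeUnits/<id> is tenant-wide, which is exactly the over-privilege the Administrative Unit was meant to avoid.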