How to work with Administrative Units

More and more organizations are working with Azure Active Directory. Those organizations can have an Azure AD only implementation or and hybrid situation (On-Premises Active Directory where users/groups/devices are synchronized towards Azure AD). The on-premises Active Directory consists of Organizational Units where users and groups are hierarchical stored in the units, you can also assign permissions for IT staff for 1 specific Organizational Unit. For example the IT Helpdesk of Belgium haves access towards the OU’s where Belgian user, groups and devices are stored.

Azure Active Directory is a flat directory with no hierarchical structure. This means that it was not possible to create organizational units and assign permissions towards a specific IT department.

For this reason Microsoft introduced Azure AD Administrative Units. This feature allows us to create units to order the structure of the organization and to assign IT admins the necessary privileges. For example your organization is located in Belgium and Netherlands. In Belgium they have 2 locations Ghent and Brussel, in the Netherlands they also have 2 locations Amsterdam and Rotterdam. Each location haves its own IT departments. With Administrative Units you can create a unit for each office and assign the users of each IT department towards those units.

Configuration of Administrative Units

On the Azure Active Directory page go towards the section Administrative Units and click on “+ Add” to create a new Administrative unit:

Give your administrative unit a name:

On assign roles click on a role. I’ve selected the Helpdesk administrator role for the IT Brussels user:

For the IT Manager I assigned the user administrator role and the Groups administrator role:

Create the administrative unit:

In my example I created a second one for the Ghent office.

The next step is to assign the users of the Brussels and Ghent office towards the corresponding Administrative Unit. Click on the Administrative Unit you’ve created in the previous step and navigate towards the users section:

You can add users 1 by 1 or you can perform a bulk operation, the bulk operation allows you to upload a CSV file with all corresponding users of Brussels. For example you can create a powershell script that extract all the users with a location of Brussels and export it to a CSV. Afterwards you can upload it in Bulk in the Administrative Unit. In my example I only added 2 users:

I’ve also added the users group of Brussels. This means that the admins assigned towards the Administrative Unit can manage this group:

I also added users and groups for my Ghent administrative unit.

End user experience

Now that we’ve created the administrative unit let’s login with the IT Brussels User that haves helpdesk privileges for the Brussels Administrative Unit. Notice that this users can only perform helpdesk task for the users that are in scope of the Administrative Unit of Brussels. There is also a dropdown visible next to your organization name that shows the Administrative Unit you’re currently connected to in this case it’s Brussels :

We also have another user the IT Manager which is a user administrator of people in the Brussels Administrative unit and the Ghent Administrative unit. Notice that next towards the company name a drop down is visible where this users can select Brussels or Ghent:


I love to work with Administrative Units in larger environments where there are multiple office locations and multiple IT departments. Also when working with tenants that consists of multiple sub organisations, administrative units is a good solution. Administrative Units allows you to delegate admin tasks over different departments. For larger organizations a combination of Administrative Units and Privileged Identity Management is the preffered way of working. For smaller organizations I rather prefer to work only with Privileged Identity Management.

Published by jordyblommaert

My passion is the cloud

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: