Entra Admin Units are a hidden gem!

As you probably already know, Entra ID is packed with features, and more are constantly being added or expanded. Naturally some of them have a larger impact than others, and I admit that I don’t always realize the value of a feature at first glance.

A good example is the Entra Administrative Unit (AU), which is easy to confuse with the organizational units (OUs) we have in on-premises Active Directory (they are not the same thing). As time went on I gradually came to appreciate just how valuable AUs really are, and in particular the Entra Restricted Management Administrative Unit (RAU).

So what is an AU?

An AU is a logical container in Entra ID that can hold users, groups, and devices. It lets you assign an Entra role to specific users (delegated admins) with the AU as its scope, so they get the rights of that role only over the objects inside the AU. Objects outside the AU are not affected by the delegation.

This gives us two levels for setting permissions:

  • Directory level – applies to the entire tenant.
  • AU level – scoped to specific objects within the AU.

Unlike OUs in on-premises Active Directory, AUs cannot be nested, so you can’t build hierarchical or tree-like structures. A user, group, or device can however be a member of several AUs at the same time, which allows for more flexible and advanced delegation scenarios.

Keep in mind: the delegation covers only the objects that are members of the AU. If you add a group to an AU, a delegated admin gets rights over the group object itself (its properties, owners and membership list), but those rights do not cascade to the group’s members or to nested groups. If you want to manage individual users, you must add those users directly to the AU.

Above: a traditional Global Administrator has access to the entire tenant, while the delegated admins for HR and Sales only get permissions within their respective AUs.

Setting up an AU

Administrative units require an Entra ID P1 license for each delegated AU administrator (the members of an AU need no extra license), and creating an AU requires the Global Administrator or Privileged Role Administrator role. Keep in mind that accounts with one of these two roles can also change or delete any AU, including its role assignments, so AU scoping offers no protection against them. In the Entra admin portal you find administrative units under “Roles and admins”: select “Admin units” and click “Add” to create a new one.

Give it a name and a description and make sure “Restricted management administrative unit” is set to “No”. Then select “Next: Assign roles”.

On the next screen, select the roles you want to delegate over the objects in this AU and click the number next to a role to add accounts. Here I delegate “Helpdesk Administrator”: I click the number next to it, select the user who should get the role, click “Add” and finish the wizard.

Now the user “Adele (admin)” holds the “Helpdesk Administrator” role over this specific AU. We can verify this by opening the user in Entra and looking at her role assignments. Notice that “Helpdesk Administrator” is scoped to the name of the AU rather than to “Directory”, which would mean the entire tenant.

The delegation is now in place, but we still haven’t decided which users she should be Helpdesk Administrator for. So I open the newly created AU to add the users that Adele (admin) will manage.

Navigate back to the AU (“Roles and admins” –> “Admin units” –> Click on the name of the AU)

On the left side we add the objects that should be managed; in this case users, since “Helpdesk Administrator” is a user-focused role.

Remember: adding a group with users delegates permission over the group object itself, not over the users who are members of that group.

Now just click on “Add member” at the top and select the accounts to be managed.

When signed in as “Adele (Admin)”, we can see the difference between Lidia, who is not included in the AU, and Alex, who is.

The key point is that with AUs you can confine a privileged role such as “User Administrator” to a specific set of users instead of the whole tenant. This is Just-Enough-Access in practice, which is a key part of the Zero Trust framework. 👍
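If you would rather script this than click through the wizard, here is the same procedure (create the AU, delegate a role scoped to it, add the members, verify the scope) done with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post: it assumes the Microsoft.Graph module is installed and that you sign in as Global Administrator or Privileged Role Administrator, and the AU name and the contoso.onmicrosoft.com user principal names are made up for the example.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph
# module (Install-Module Microsoft.Graph) and a Global Administrator or
# Privileged Role Administrator sign-in. The AU name and the
# contoso.onmicrosoft.com user principal names below are made up.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# Step 1: create a normal AU. isMemberManagementRestricted = $false is the
# "Restricted management administrative unit: No" choice in the wizard, and
# it cannot be changed after creation.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "HR"
    description                  = "HR users managed by the HR helpdesk"
    isMemberManagementRestricted = $false
}

# Step 2: delegate Helpdesk Administrator to Adele, scoped to this AU only.
# The scope is "/administrativeUnits/<AU id>"; a scope of "/" would be the
# whole directory, which is exactly what we are trying to avoid.
$adele   = Get-MgUser -UserId "adele.admin@contoso.onmicrosoft.com"
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
               -Filter "displayName eq 'Helpdesk Administrator'"

New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $adele.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

# Step 3: add the users Adele should manage. Users are added directly; adding
# a group here would give Adele rights over the group object, not its members.
foreach ($upn in "alex@contoso.onmicrosoft.com", "megan@contoso.onmicrosoft.com") {
    $user = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
    }
}

# Check: list every active role assignment Adele holds together with its scope.
# The new one shows Scope = /administrativeUnits/<id>; any row with Scope = "/"
# is a tenant-wide assignment and deserves a second look.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($adele.Id)'" |
    ForEach-Object {
        $rd = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $rd.DisplayName; Scope = $_.DirectoryScopeId }
    }
```

The final check is the scripted version of opening Adele’s role assignments in the portal: the scope column tells you whether a role is confined to the AU or applies to the whole directory, and it is worth running for every helpdesk account, not only the ones you just created.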

Restricted AU is the real game changer!

Now that you have a proper understanding of what an AU is, it is time to look at the Entra Restricted Management Administrative Unit (RAU). This is, in my opinion, the real star of the show. An RAU is exactly the same as an AU, with one critical difference:

An RAU blocks all other privileged access to the users, groups, and devices inside it. Only admins whose role is explicitly scoped to that RAU can modify those objects; a role assigned at directory level, or scoped to some other AU, no longer grants modify rights over them. The restriction is on management (modification) of the objects, not on reading them.

Note that accounts with the “Privileged Role Administrator” or “Global Administrator” role can still change or delete any RAU, including adding themselves as delegated admins, and can therefore grant themselves access. Those accounts are the real perimeter of the protection, so keep them few and well protected (PIM and phishing-resistant MFA).

Using Restricted Administrative Units (RAUs) adds a new layer of security. They allow you to explicitly delegate privileged access to specific departments or teams, while also protecting sensitive accounts from users with directory-wide roles. For example, placing a user inside an RAU blocks a tenant-wide User Administrator from modifying that user (resetting the password, changing properties, and so on). The only way to manage that account with elevated permissions is through a role explicitly assigned at the RAU’s scope, which only users with the “Privileged Role Administrator” or “Global Administrator” role can set up.

As I mentioned at the start of this post, this is a feature I didn’t care much about at first, but over time I’ve learned how incredibly valuable it is. I strongly recommend that you take a look at how it may improve the security posture of your tenant.

To create an RAU you simply follow the same procedure as above, but set the “Restricted management administrative unit” option to “Yes”. This setting cannot be changed after the AU is created, so an existing AU can’t be converted into an RAU later (or back again); you have to create a new one.
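The scripted equivalent, as an added example that is not part of the original post: it creates an RAU with the Microsoft Graph PowerShell SDK, gives it a member and a delegated admin right away, and then audits every RAU in the tenant for who is protected and who can modify them, together with the tenant-wide Global Administrators and Privileged Role Administrators who can rewrite the RAU itself. It assumes the Microsoft.Graph module and a Global Administrator or Privileged Role Administrator sign-in; the AU name and the contoso.onmicrosoft.com user principal names are made up.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph
# module and a Global Administrator or Privileged Role Administrator sign-in.
# The AU name and the contoso.onmicrosoft.com user principal names are made up.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "Directory.Read.All"

# The only difference from a normal AU is this one flag, and it is fixed for
# the lifetime of the AU: you cannot turn an existing AU into an RAU or back.
$rau = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "Protected accounts"
    description                  = "Executive and break-glass accounts"
    isMemberManagementRestricted = $true
}

# Add a member and delegate a role straight away: an RAU with members but no
# delegated admin can only be touched by GA/PRA after they add themselves.
$ceo  = Get-MgUser -UserId "ceo@contoso.onmicrosoft.com"
$vip  = Get-MgUser -UserId "vip.helpdesk@contoso.onmicrosoft.com"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $rau.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($ceo.Id)"
}
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $vip.Id -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($rau.Id)" | Out-Null

# One read of all active role assignments; both audits below filter it locally.
# Active assignments only: PIM-eligible holders live in
# roleEligibilityScheduleInstances and are not included here.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All

# Audit 1: for every RAU in the tenant, who is protected and who is delegated.
# Only the "delegated" principals (plus GA/PRA) can modify the listed members.
Get-MgDirectoryAdministrativeUnit -All | Where-Object { $_.IsMemberManagementRestricted } | ForEach-Object {
    $unit = $_
    Write-Host "RAU: $($unit.DisplayName)"
    Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $unit.Id -All | ForEach-Object {
        Write-Host "  protected: $($_.AdditionalProperties.displayName) ($($_.Id))"
    }
    $assignments | Where-Object { $_.DirectoryScopeId -eq "/administrativeUnits/$($unit.Id)" } | ForEach-Object {
        $rd = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        $p  = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        Write-Host "  delegated: $($p.AdditionalProperties.displayName) as $($rd.DisplayName)"
    }
}

# Audit 2: the accounts that can rewrite any RAU and grant themselves access.
# This list should be short, PIM-managed and protected with strong MFA.
foreach ($name in "Global Administrator", "Privileged Role Administrator") {
    $rd = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    $assignments | Where-Object { $_.RoleDefinitionId -eq $rd.Id -and $_.DirectoryScopeId -eq "/" } | ForEach-Object {
        $p = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        Write-Host "$name (tenant-wide): $($p.AdditionalProperties.displayName)"
    }
}
```

Run the two audits on their own as a recurring check: the first tells you whether anyone other than the intended team has been delegated into an RAU, and the second tells you how many accounts sit outside the protection altogether.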

Conclusion

We’ve covered what Administrative Units (AUs) are, how to configure them, and how Restricted Administrative Units (RAUs) offer an added layer of security. But like many features in Entra, AUs become even more powerful when combined with others.


Stay tuned on Agder in the Cloud (you can subscribe for free on the front page) because in my next post, I’ll show how RAUs integrate with another Entra feature to create an even stronger security model. 😍

Author

  • Per-Torben Sørensen has 27 years of experience in IT and Microsoft infrastructure. He is currently a Microsoft Most Valuable Professional (MVP) within Identity & Access, a Microsoft Certified Trainer (MCT) and works as a Senior Architect within M365 at Crayon. His passion is Entra ID and Identity and access management and helps customers become "copilot-ready". He's also an engaged speaker and is always eager to share his knowledge and learn from others.


