KubeQuest

Appearance

Administrative Units

AZ-104 Weight: Low - Understand the concept, detailed hands-on less common on exam

What Are Administrative Units?

Administrative Units (AUs) are containers in Entra ID that let you restrict administrative scope to a portion of your organization.

The Problem They Solve

Without AUs:

  • User Administrator can manage ALL users in the tenant
  • Helpdesk Admin can reset passwords for ALL users
  • No way to limit admin scope to specific departments

With AUs:

  • Create AU for "Sales Department"
  • Grant someone User Administrator on JUST that AU
  • They can only manage users within Sales

Visual Concept 

┌─────────────────────────────────────────────────────────────┐
│                     Entra ID Tenant                         │
│                                                             │
│  ┌──────────────────┐  ┌──────────────────┐                │
│  │ AU: Engineering  │  │ AU: Sales        │                │
│  │                  │  │                  │                │
│  │ • User1          │  │ • User4          │                │
│  │ • User2          │  │ • User5          │                │
│  │ • User3          │  │ • User6          │                │
│  │ • Group: DevTeam │  │ • Group: SalesOps│                │
│  │                  │  │                  │                │
│  │ Admin: TechLead  │  │ Admin: SalesMgr  │                │
│  │ (User Admin role)│  │ (User Admin role)│                │
│  └──────────────────┘  └──────────────────┘                │
│                                                             │
│  TechLead can ONLY manage users in Engineering AU          │
│  SalesMgr can ONLY manage users in Sales AU                │
└─────────────────────────────────────────────────────────────┘

Key Characteristics

AspectDetails
What can be in an AUUsers, Groups, Devices
Membership typesAssigned (manual) or Dynamic
Roles that can be scopedUser Admin, Helpdesk Admin, Password Admin, Groups Admin, Authentication Admin, License Admin
License requirementFree for basic, P1 for dynamic membership

Common Use Cases

  1. Regional Administration

    • AU for US, EU, APAC
    • Regional admins manage only their region's users

  2. Departmental Delegation

    • AU for HR, Finance, Engineering, Sales
    • Department leads manage their own people

  3. Subsidiary Management

    • AU per subsidiary company
    • Each subsidiary has its own admins

  4. School/University

    • AU per school or department
    • Faculty admins manage only their students

Portal Walkthrough

Creating an Administrative Unit

  1. Go to Microsoft Entra admin center
  2. Navigate to Identity > Roles & admins > Administrative units
  3. Click + Add
  4. Fill in:
    • Name: AU-Engineering
    • Description: "Engineering department users and groups"
  5. Click Next: Assign roles
  6. Add role assignments:
    • Select role: User Administrator
    • Select member: Choose the delegated admin
  7. Click Next: Review + create > Create

Adding Members to AU

  1. Open the Administrative Unit
  2. Click Members
  3. Click + Add member
  4. Select users/groups to add
  5. Click Add

Dynamic Membership Rules (P1)

Instead of manual assignment, use rules:

(user.department -eq "Engineering")

This automatically adds users where department = Engineering.

What Admins Can Do (Scoped)

When assigned User Administrator on an AU:

Can DoCannot Do
Create users (added to AU)Manage users outside AU
Delete users in AUAssign tenant-wide admin roles
Reset passwords in AUModify AU settings
Update properties in AUAdd/remove members from AU
Assign licenses in AU

CLI Reference

bash
# Create Administrative Unit
az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/directory/administrativeUnits" \
    --body '{"displayName":"AU-Engineering","description":"Engineering team"}'

# List Administrative Units
az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/directory/administrativeUnits"

# Add member to AU
az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/directory/administrativeUnits/{au-id}/members/\$ref" \
    --body '{"@odata.id":"https://graph.microsoft.com/v1.0/users/{user-id}"}'

Exam Tips

  • Know that AUs provide scoped administration within Entra ID
  • AUs are different from Azure Management Groups (which are for Azure resources)
  • Dynamic membership requires P1 license
  • Not all admin roles can be scoped to AUs
  • AUs contain users, groups, devices - not Azure resources

Practice Question

Scenario: Your company has 3 offices: Seattle, London, Mumbai. Each office has a local IT person who should be able to reset passwords for users in their office only.

What should you create?

A) 3 custom RBAC roles
B) 3 Administrative Units with Password Admin assigned
C) 3 Azure Management Groups
D) 3 Conditional Access policies

Answer

B) 3 Administrative Units with Password Admin assigned

Explanation:

  • Create AU-Seattle, AU-London, AU-Mumbai
  • Add users from each office to respective AU
  • Assign Password Administrator role scoped to each AU
  • Local IT gets Password Admin only on their office's AU

AUs are designed exactly for this delegated administration scenario.

Released under the MIT License.

Copyright © 2026 OpsAlchemy