Azure AD Administrative Units for User Management

Recently I was asked about using a single Microsoft 365 Tenant in a multi-tenancy way. Many schools in the UK are part of what is called a Multi-Academy Trust (MAT). Conceptually, a school acts as the parent, and then multiple schools are part of that trust. This allows the trusts to share resources across all the schools and provide better services. As part of the work I have been doing with schools during the pandemic to share the single Azure Active Directory, using multiple domains (one for each school). Only allowing administration by admins within each school comes up again. To answer this, we first need to understand core capabilities within the Azure Active Directory. The first of these is Administrative Units.

Administrative Units (AU): An administrative unit is an Azure Active Directory (AAD) resource that can be a container for other Azure Active Directory (AAD) resources. An administrative unit can contain only users and groups. Administrative units restrict permissions in a role to any portion of your organization that you define. For example, you could use administrative units to delegate the Help-desk Administrator role to regional support specialists, so they can manage users only in the region that they support.

The question that is then asked, is if Administrative Units (AU) could allow segmentation of users and groups, what about the Global Administrator roles? Surely, they can administer anything anyway. Right now, as a Global Administrator or a Privileged Role Administrator, you can use the Azure AD portal to:

Create administrative units
Add users and groups, members of administrative units,
Assign IT, staff to administrative unit-scoped administrator roles.

Administrative unit-scoped admins can use the Microsoft 365 admin center to manage users’ basic management in their administrative units. A group administrator with administrative unit scope can manage groups using PowerShell, Microsoft Graph, and the Microsoft 365 admin centers.

So, again, administrative units look like they can work for the Multi Academy Trust. Let’s look at how this works in the real world. I am using a demo tenant and will pretend I am hosting three different schools, each with users, security groups, and administrators. First, create this, first load Azure Active Directory (AAD) Administrative Portal, and log in as a Global Administrator.

Click into Administrative Units

Click +Add
Set the Name to Parent School
Set the Description to Parent School
Click Review + create (we are not assigning roles yet)
Click Create
Repeat this twice and create Child School One and Child School Two

Once done, you then have three Administrative Units (AU)

Click on the Parent School Administrative Unit, then click Add member, select existing users to add to the administrative unit, then click Select.

Repeat this for Child School One and Child School Two; however, use other accounts, and ensure that you add a user and an admin account. You will then end up with the three Administrative Units, containing several user accounts each. Now click back into the Parent School, this time click Roles and administrators.

This time, click the User Administrator role and then click + Add assignments, adding only the administrator account you want to use for that specific Administrative Unit (AU). Repeat this for Child School One and Child School Two.

What we should now have is the following:

Parent School (Administrative Unit)
- Parent User (User)
- Parent Admin (User) – Assigned to User Administrator Role
Child School One (Administrative Unit)
- Child School One User (User)
- Child School One Admin (User) – Assigned to User Administrator Role
Child School Two (Administrative Unit)
- Child School Two User (User)
- Child School Two Admin (User) – Assigned to User Administrator Role

To test this, we can now login to the tenant as the Parent School Admin and click Users. You will see all user accounts (I would love that not to be the case); however, if you pick an account that is not in your assigned Administrative Unit, you cannot edit the account.

If you select an account within your accounts assigned Administrative Unit, you can edit the properties, reset passwords, etc. You have the full permissions based on the assigned role.