Why use Azure AD Administrative Units?

Rees Pozzi
3 min read · Apr 1, 2022

If, like me, you have been studying for AZ-104 or learning about the features of Azure Active Directory, you have probably stumbled across Administrative Units, which at first glance can be a little confusing. Hopefully this post clears up some of the misunderstandings I had.

What is an Administrative Unit?

Microsoft defines them simply as "An Azure AD resource that can be a container for other Azure AD resources". Only a Global Administrator or Privileged Role Administrator can create one, and you cannot nest one Administrative Unit inside another. On licensing: each administrator who is assigned a role scoped to an Administrative Unit needs an Azure AD Premium P1 licence, while the users and groups placed inside a unit (its members) only need the Azure AD free licence.

Why are they needed?

The principle of least privilege is easy to break with a regular Azure AD set-up, because the directory is inherently flat: a directory role assigned to a user applies to every object in the tenant, not to a department or team. It is therefore easy to end up with a user whose administrative scope is much larger than intended.

Example Simplified AD architecture

At first glance this looks fine: two groups, each with its own administrator, plus a Global Administrator for the tenant and a handful of other users. However, the Sports and Study admins hold their roles at tenant scope, so whatever role they have (User Administrator, say) applies to every user and group shown above, not just their own. In that respect they behave more like the Global Administrator than like a team administrator. This clearly breaks the principle of least privilege, and it only gets harder to manage as the organisation grows.
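A quick way to see this problem in your own tenant is to list every directory role assignment together with its scope. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK (assumed installed, with the Microsoft.Graph.Identity.Governance module) and assumes you can consent to the read-only scopes it requests. Assignments whose scope is "/" apply tenant-wide, which is exactly the flat-hierarchy situation described above; assignments scoped to an Administrative Unit show up as "/administrativeUnits/{id}".

```powershell
# Added example (not from the original post): audit who holds directory roles and
# at what scope. Assumes the Microsoft Graph PowerShell SDK is installed and the
# signed-in account can consent to the read scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Cache role definition names so the report shows "User Administrator" rather than a GUID.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Every active role assignment, with the principal expanded so we can show a UPN or display name.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

$report = foreach ($a in $assignments) {
    $p = $a.Principal.AdditionalProperties
    [pscustomobject]@{
        Principal = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }
        Role      = $roleNames[$a.RoleDefinitionId]
        Scope     = switch -Wildcard ($a.DirectoryScopeId) {
            "/"                      { "Tenant-wide" }
            "/administrativeUnits/*" { "AU " + $a.DirectoryScopeId.Split("/")[-1] }
            default                  { $a.DirectoryScopeId }   # e.g. an app-scoped assignment
        }
    }
}

# The rows marked Tenant-wide are the ones to review: each is an administrator whose
# role applies to every object in the directory, not just to their own team.
$report | Sort-Object Scope, Role | Format-Table -AutoSize
```

Run this before and after introducing Administrative Units: the goal is for team-level administrators such as the Sports and Study admins to move from the Tenant-wide rows into AU-scoped rows, leaving only the roles that genuinely need directory-wide reach at "/".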

So where do Administrative Units fit in?

Simplified AD architecture using Administrative Units

In the above example, the scope of both the Study and Sports Administrators has been restricted, something that cannot be done with groups alone. Each now has administrative rights only over the objects in their own Administrative Unit, rather than over every Azure AD object in the organisation as a Global Administrator would.

It is important to note at this point that adding a group to an Administrative Unit does not add the group's members in the way you might expect. It adds the group object itself to the scope of the unit's administrators, not the users inside it. An administrator with a role scoped to the unit can manage that group (its name and its membership) but cannot reset passwords or otherwise administer the accounts of users who are only connected to the unit through group membership; for that, the user accounts themselves must be added to the Administrative Unit. This is the principle of least privilege at work once more.
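The following script is an added example, not part of the original post, that builds the "Study" unit from the diagram and then checks the point just made about groups. It uses the Microsoft Graph PowerShell SDK (assumed installed, with the Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users and Microsoft.Graph.Groups modules) and must be run as a Global Administrator or Privileged Role Administrator. The user principal names and group name are placeholders to replace with your own; the first part shows how the Study admin's User Administrator role is scoped to the unit instead of the tenant, and the last part lists group members who are in the group but not in the unit, and therefore outside the Study admin's reach.

```powershell
# Added example (not from the original post): create the "Study" administrative unit,
# add a user and a group, scope a User Administrator to it, then verify the scope.
# Requires Global Administrator or Privileged Role Administrator. UPNs and the group
# name below are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All", "Group.Read.All"

$studyAdminUpn = "study.admin@contoso.example"   # placeholder: the user who should only manage Study
$studentUpn    = "student1@contoso.example"      # placeholder: a user who belongs in the Study unit
$studyGroup    = "Study Group"                   # placeholder: an existing group

$studyAdmin = Get-MgUser  -Filter "userPrincipalName eq '$studyAdminUpn'"
$student    = Get-MgUser  -Filter "userPrincipalName eq '$studentUpn'"
$group      = Get-MgGroup -Filter "displayName eq '$studyGroup'"

# 1. Create the administrative unit.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Study" -Description "Study users and groups"

# 2. Add a user and a group as members. The group object joins the unit; its members do not.
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($student.Id)" }
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($group.Id)" }

# 3. Assign User Administrator scoped to this unit only. scopedRoleMembers needs the id of
#    the activated directoryRole, not the role template id, so activate it if necessary.
$role = Get-MgDirectoryRole -Filter "displayName eq 'User Administrator'"
if (-not $role) {
    $tmpl = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "User Administrator"
    $role = New-MgDirectoryRole -RoleTemplateId $tmpl.Id
}
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -RoleId $role.Id `
    -RoleMemberInfo @{ Id = $studyAdmin.Id }

# 4. Verify the scope. Direct members of the unit are what the scoped admin can manage...
$members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
$members | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Type = $_.AdditionalProperties.'@odata.type'   # #microsoft.graph.user or #microsoft.graph.group
        Name = $_.AdditionalProperties.displayName
    }
} | Format-Table -AutoSize

# ...and group members who were not also added directly remain outside the unit.
$directIds = @($members.Id)
Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.Id -notin $directIds } |
    ForEach-Object { "Not in unit scope (group member only): $($_.AdditionalProperties.userPrincipalName)" }
```

If the final list is not empty, those are accounts the Study admin cannot reset passwords for or otherwise manage, even though they sit in a group the admin controls. Either add them to the unit directly or accept that they are out of scope; both are valid, but it should be a deliberate choice.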

Why are they useful?

The main reason to use Administrative Units is to maintain the principle of least privilege: administrators of an intended subset of the user population get a limited scope, which gives you more granular administrative rights across the organisation. They provide a clear separation between administrator roles across your user population and make the Azure AD hierarchy easier to understand.

Hopefully this has helped you understand a little more about a potential use case for Administrative Units in Azure AD!

Written by Rees Pozzi, Senior DevOps/Platform Engineer