Entra ID Administrative Units

Administrative Units scope admin roles to subsets of the directory — for delegated administration without tenant-wide privileges.

Administrative Units (AUs) in Microsoft Entra ID scope an admin role to a subset of the directory — a department, a country, a business unit — so that admins can manage only the users, groups, and devices in that scope. They're the modern alternative to handing out tenant-wide admin roles for delegated administration.

What an AU contains

An Administrative Unit can include:

  • Users — added explicitly or by a dynamic membership rule on user attributes.
  • Groups — added explicitly only; dynamic rules aren't available for groups. Adding a group does not pull its members into scope: delegated admins can manage the group object itself, but its member users are only in scope if they're in the AU too.
  • Devices — added explicitly or by a dynamic membership rule on device attributes. An AU with a dynamic rule holds either users or devices, not both.

Admin roles scoped to an AU can modify only those objects, even though the same role assigned at tenant scope (User Administrator, say) would cover the entire directory. The scope limits what the admin can change, not what they can see: an AU-scoped admin still reads the rest of the directory with the default member permissions every user has.

Why AUs matter

Without AUs:

  • A regional IT team that should manage only EMEA users gets the User Administrator role tenant-wide.
  • They have tenant-wide permissions to manage every user, even ones they shouldn't touch.
  • An audit finding asks why an EMEA admin can reset the CEO's password.

With AUs:

  • Create an EMEA AU with a dynamic membership rule on the user's country attribute, for example (user.country -in ["FR","DE","UK"]), extended with the remaining EMEA values.
  • Assign User Administrator, scoped to the EMEA AU, to the EMEA IT team's group.
  • The CEO (country = "US") is not in the AU, so EMEA admins can't modify that account.

The admin role works the same way, just constrained to AU members. Two caveats: dynamic membership is evaluated asynchronously, so a freshly created or re-tagged user is not in scope the instant the attribute changes; and the scope is only as trustworthy as the attribute that drives it. The country attribute is free text, so the rule must match exactly how provisioning populates it, and anyone who can write that attribute (tenant-wide User Administrators, the HR provisioning connector, directory sync) can move an account into or out of the EMEA admins' reach. Treat the attribute and the paths that write it as security-relevant.

Restricted Management AUs

A newer variant: restricted management administrative units. The restriction is chosen when the AU is created and can't be switched on for an existing AU. Objects in a restricted management AU can only be modified by principals holding a role assignment scoped to that AU; tenant-scoped assignments, Global Administrator included, are refused for those objects. Membership is explicit (users, security groups and devices); Microsoft 365 groups can't be added.

Use case: protect a small set of highly sensitive accounts (executives, break-glass admins, regulated-role users) so that even a compromised Global Admin account can't tamper with them without first creating a role assignment scoped to the AU. That self-assignment is a role-management operation that lands in the audit log, so the protection is a speed bump plus a signal: alert on any new role assignment whose scope is the restricted AU, and keep the expected list of scoped principals short and known.
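Worked example, added here and not taken from the page or from Microsoft's documentation, of building a restricted management AU with the Microsoft Graph PowerShell SDK against the v1.0 endpoint and then inventorying who can administer it. The break-glass UPNs, the "Break-Glass Custodians" group, the "Tier0-Protected" display name and the caller's rights (Privileged Role Administrator or Global Administrator) are assumptions.

```powershell
# Added example (not from the page): restricted management AU for break-glass accounts, plus an
# inventory check of the principals that can administer it. Assumptions: the UPNs, the custodian
# group name and display names below are placeholders; the caller is a Privileged Role Administrator
# or Global Administrator; the tenant's Graph v1.0 endpoint supports isMemberManagementRestricted.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

# The restriction is set at creation; it cannot be toggled on an existing AU.
$rmau = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = 'Tier0-Protected'
    description                  = 'Restricted management: break-glass and executive accounts'
    isMemberManagementRestricted = $true
}

# Membership is explicit: add each protected account by object reference (no dynamic rule here).
foreach ($upn in 'breakglass1@contoso.com', 'breakglass2@contoso.com') {
    $u = Get-MgUser -UserId $upn -Property Id
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $rmau.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)"
    }
}

# From now on only role assignments scoped to the RMAU may modify these users. Give that
# scope to one dedicated custodian group rather than to individual accounts.
$roleDef    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Privileged Authentication Administrator'"
$custodians = Get-MgGroup -Filter "displayName eq 'Break-Glass Custodians'"
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $custodians.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/administrativeUnits/$($rmau.Id)"
} | Out-Null

# Scheduled check: every role assignment whose scope is the RMAU. A Global Admin who wants to
# touch the protected accounts must first create such an assignment, so any principal outside
# the allow-list is the thing to alert on.
function Get-RestrictedAuAdmins {
    param([string]$AdministrativeUnitId)
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$AdministrativeUnitId'" -All |
        ForEach-Object {
            $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
            [pscustomobject]@{
                PrincipalId = $_.PrincipalId
                Role        = $role.DisplayName
                Scope       = $_.DirectoryScopeId
            }
        }
}

$allowedPrincipals = @($custodians.Id)
Get-RestrictedAuAdmins -AdministrativeUnitId $rmau.Id |
    Where-Object { $_.PrincipalId -notin $allowedPrincipals } |
    ForEach-Object { Write-Warning "Unexpected scoped assignment on RMAU: $($_.PrincipalId) as $($_.Role)" }
```

Run the last function on a schedule (or feed the same filter into your SIEM via the Graph API) and compare against the fixed allow-list; the RMAU itself stops tenant-scoped writes, but only the inventory tells you when someone has granted themselves a way around it.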

Configuration

AUs are configured in the Entra admin center → Identity → Roles & admins → Administrative units:

  1. Create the AU.
  2. Add scope — assigned users/groups/devices or a dynamic rule.
  3. Assign admin roles scoped to the AU to your delegated admins.

The Microsoft Graph PowerShell SDK and the Graph API also support full AU management (create, membership, scoped role assignment) for automation.
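The three configuration steps above, applied to the EMEA scenario from earlier on this page, as an added example using the Microsoft Graph PowerShell SDK (not code from the page or from Microsoft). The group name "EMEA IT Team", the country values, the CEO's UPN and the caller's rights (Privileged Role Administrator or Global Administrator) are assumptions.

```powershell
# Added example (not from the page): delegated EMEA user administration end to end.
# Assumptions: a security group "EMEA IT Team" exists; users carry their region in the free-text
# `country` attribute using the values below; the caller can create AUs and role assignments.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All'

# Step 1: create the AU with a dynamic membership rule over users. The rule must match the
# attribute exactly as provisioning writes it; extend the list with the remaining EMEA values.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'EMEA'
    description                   = 'Delegated user administration for EMEA IT'
    membershipType                = 'Dynamic'
    membershipRule                = '(user.country -in ["FR","DE","UK"])'
    membershipRuleProcessingState = 'On'
}

# Step 2: scope is the dynamic rule, so nothing to add by hand. Resolve the role and the team.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$team    = Get-MgGroup -Filter "displayName eq 'EMEA IT Team'"

# Step 3: assign the role at AU scope. The scope id is the difference between delegation and a
# tenant-wide grant: '/' would be the whole directory.
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $team.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
} | Out-Null

# Check: can the EMEA team reach a given account? True only if the user is an AU member.
# Dynamic membership is evaluated asynchronously, so re-run after the rule has processed.
function Test-UserInAdministrativeUnit {
    param([string]$AdministrativeUnitId, [string]$UserPrincipalName)
    $user    = Get-MgUser -UserId $UserPrincipalName -Property Id
    $members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $AdministrativeUnitId -All
    [bool]($members.Id -contains $user.Id)
}
Test-UserInAdministrativeUnit -AdministrativeUnitId $au.Id -UserPrincipalName 'ceo@contoso.com'

# Audit: holders of the same role at tenant scope ('/'). Each of these is a candidate for
# replacement by an AU-scoped assignment.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All |
    Where-Object { $_.DirectoryScopeId -eq '/' } |
    Select-Object PrincipalId, DirectoryScopeId
```

For the CEO (country "US") the check returns False once the rule has been processed; the final query is the list the audit finding in the motivation section was really asking for, and it should shrink to zero over time as regional grants move to AU scope.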

Roles that can be AU-scoped

A subset of Entra ID roles support AU scoping:

  • User Administrator
  • Helpdesk Administrator
  • Authentication Administrator
  • Groups Administrator
  • License Administrator
  • Password Administrator
  • Privileged Authentication Administrator

Not every role is AU-aware — check Microsoft's current list before planning a delegation model. Roles that operate on tenant-wide configuration (Conditional Access, Exchange settings) can't be AU-scoped, because there is no per-object scope for that configuration. Custom roles built from user, group and device permissions can be assigned at AU scope, which is the usual way to get a narrower grant than any built-in role offers.

When AUs are right

  • Multi-region organisations with geographic IT teams.
  • Conglomerates and franchises with subsidiary IT teams.
  • Education with school-by-school administration.
  • Healthcare networks with hospital-by-hospital admin.

When they're not

  • Small single-region companies with one central IT team — AUs add scopes to track and nobody to delegate to.
  • Tenants with no delegated-administration requirement at all, where every admin legitimately needs tenant scope. Even here, a restricted management AU around the break-glass accounts is worth considering on its own.

For organisations that need delegated admin, AUs replaced an awkward pattern of "we just trust the regional admins not to touch the wrong users." They're a meaningful security improvement.