Administrative Units for Microsoft 365 Services

“If I had a penny, for every time someone asked me for this, I would be a very rich person”

Many cultures have similar sayings, but when it comes to being able to assign a Microsoft 365 admin role based on organisational units, it is certainly true for me.  Indeed one customer asked me this in every call and meeting for an 18 month period.
Rolling out currently is the ability to create Administrative Units in the Microsoft 365 Admin Center, which can do exactly this.  You can find the set up on https://admin.microsoft.com/ under Roles and Administrative units.

Create an Administrative Unit

Click Add unit to start creating a new unit

Enter a name and a description for the unit

You now need to add the members of the unit.  You can add 20 individual users or 20 groups, alternatively you can create a text file with up to 200 users and upload that.  Do NOT include the users who will be assigned Admin roles for this group.

If you wish to use the bulk upload there is a sample file download available to get you started.

Once you have added the unit members click Next

Now you can choose the roles you want to specify admins.  Pick the role and click the Assign admins button to open the assignment blade.  You can also click on to the role name and the click the Assigned link in the blade to enter the assign admins screen.

Click Add and search for the desired users.

Once you have found the users who will be assigned the role for the unit, click Assign

You can repeat the process with each of the listed roles.  Currently this feature only supports the following roles

  1. Authentication Admin
  2. Groups Admin
  3. Helpdesk Admin
  4. License Admin
  5. Password Admin
  6. SharePoint Admin
  7. Teams Admin
  8. User Admin

Once you have added all the required admins, click Next  and review the setting before clicking Add

Your administrative unit will be created.

Delete an Administrative Unit

In  https://admin.microsoft.com/ under Roles and Administrative units, locate the unit in the list and select.

Click the Delete unit button

Confirm you wish to delete the unit.  Note you CANNOT undo this action nor recover the unit from any recycle bin!

You will see a confirmation message that the unit has been deleted.

To Modify an Administrative Unit

To Change Name and/or Description

In  https://admin.microsoft.com/ under Roles and Administrative units, locate the unit in the list and select.

Click Edit name and description

To Edit Group Membership and/or Administrative Roles

In  https://admin.microsoft.com/ under Roles and Administrative units, locate the unit in the list and click the group name.

You can edit the membership from Members and the admin roles via Role assignments

Further Reading

For more details on the Microsoft 365 Administration announcements at Ignite Nov 2021 see https://techcommunity.microsoft.com/t5/microsoft-365-blog/what-s-new-in-microsoft-365-admin-management-ignite-2021/ba-p/2866321?WT.mc_id=M365-MVP-5004583

To create and user administrative units in Azure AD see https://docs.microsoft.com/azure/active-directory/roles/administrative-units?WT.mc_id=M365-MVP-5004583#currently-supported-scenarios

In Exchange Online you can use Management Scopes to achieve similar limitation of mailbox management https://docs.microsoft.com/en-us/exchange/understanding-management-role-assignments-exchange-2013-help?WT.mc_id=M365-MVP-5004583#management-scopes

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s