Microsoft Entra Administrative Units are containers that help organizations divide their users, groups, and resources into separate sections.
They allow administrators to manage and control access within these specific sections without affecting the entire organization.
This helps to keep things organized and secure by giving administrators more precise control over permissions and roles within their organization.
An administrative unit can contain only users, groups, or devices.

For example, if you create a “Finance” administrative unit and assign a user the Helpdesk Administrator role within this unit, the user can only manage tasks like resetting passwords for members within the “Finance” unit. The user’s permissions are limited to the specified administrative unit and do not apply to the entire organization.

When a group is added to an administrative unit, the group becomes part of that unit’s management scope. This means administrators assigned to that administrative unit can manage the group’s properties, like changing its name or adding or removing members. However, administrators can’t manage properties of the users or devices within that group unless those users and devices are also individually added as members of the same administrative unit.
Permissions Allowed
Manage the name of the group
Manage the membership of the group
Permissions not Allowed
Manage the user properties for individual members of the group
Manage the user authentication methods of individual members of the group
Reset the passwords of individual members of the group

License requirements
Microsoft Entra ID P1 or P2 license for administrative unit administrator
Microsoft Entra ID Free licenses for administrative unit members

Restricted Management Administrative unit
Restricted management administrative units act as secure containers for your resources. Only the administrators you specify can make changes within these containers, which helps keep your organization secure and compliant.
What objects can be members?
Users, security groups, devices
What types of operations are allowed?
Add users, groups, or devices in a restricted management administrative unit to
Who can modify objects?
Administrators assigned at the scope of restricted management administrative unit
Administrators assigned at the scope of another restricted management administrative unit of which the object is a member
When you create an administrative unit with restricted management, you must apply these settings during the creation process. Once the administrative unit is created, you won’t be able to change these settings.
When role-assignable groups are added to a restricted management administrative unit, their membership cannot be changed by group owners. Only Global Administrators and Privileged Role Administrators, who are not limited by administrative units, can modify the membership of these groups.
When deleting a restricted management administrative unit, it can take up to 30 minutes to remove all protections from the former members
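The “Finance” scenario described earlier and the restricted-management settings above, carried through with the Microsoft Graph PowerShell SDK as an added example (not code from the original post). It assumes the Microsoft.Graph module is installed, that you sign in with a role allowed to create restricted management units (Privileged Role Administrator or higher), and that the two contoso.example UPNs are placeholders you replace with real accounts.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph
# PowerShell SDK; UPNs below are placeholders, replace them with real accounts.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", `
                        "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Create the "Finance" unit with restricted management. The restriction can
#    only be set at creation time; it cannot be toggled on an existing unit.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Finance" `
        -Description "Finance users (restricted management)" `
        -IsMemberManagementRestricted

# 2. Add a user as a member. Members need only a Free license.
$member = Get-MgUser -UserId "finance.user@contoso.example"   # placeholder UPN
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)" }

# 3. Assign Helpdesk Administrator scoped to this unit only. The role is looked
#    up by display name rather than hard-coding its template ID.
$role     = Get-MgRoleManagementDirectoryRoleDefinition `
                -Filter "displayName eq 'Helpdesk Administrator'"
$helpdesk = Get-MgUser -UserId "helpdesk.admin@contoso.example"  # placeholder UPN
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $helpdesk.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify the result: confirm the unit is restricted and list every role
#    assignment whose scope is this unit. A tenant-wide assignment would show
#    a directoryScopeId of "/" instead and would not appear in this list.
Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id `
    -Property "id,displayName,isMemberManagementRestricted" |
    Select-Object DisplayName, IsMemberManagementRestricted

Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

Because the helpdesk assignment carries the unit’s scope rather than "/", that account can reset passwords only for members of “Finance”; re-running step 4 periodically is a simple way to confirm no unscoped assignment has crept in.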
