Administrative Units
Administrative Units (AUs) are Microsoft Entra's answer to “I want to let someone admin part of my tenant without giving them the whole thing”. Manage365's AU module gives you CRUD over AUs, membership management, and scoped role assignments — the bit that actually makes AUs useful.
What AUs solve
Without AUs, tenant admin is all-or-nothing. A User Administrator can reset the password of any user who doesn't hold a more privileged admin role, anywhere in the tenant. In a 160-person tenant with three departments, that means the Finance team's shared user admin can reset the CEO's password. Not what most businesses want.
With AUs, you carve the directory into scopes (usually matching business units) and assign roles over those scopes:
- Finance AU — contains the Finance team's users and groups
- IT AU — contains the IT team
- Sales AU — contains Sales + their devices
A User Administrator over Finance AU only can reset passwords and manage users within Finance. The rest of the tenant is untouchable to them.
Membership types
Assigned (static)
You pick each user, group, or device and add them to the AU explicitly. Membership stays the same until you change it. Simple, predictable, manual.
Dynamic (rule-based)
You set a rule — e.g. user.department -eq "Finance" — and Entra keeps re-evaluating it as directory attributes change (not instantly; allow a few minutes). New hires with department = Finance land in the AU automatically; people moving out of Finance drop out.
Dynamic rules use the same syntax as dynamic security groups. A dynamic AU targets either users or devices; groups can only be AU members by assignment. Common rules:
- `user.department -eq "Finance"`
- `user.country -eq "AU" -and user.jobTitle -contains "Manager"`
- `device.deviceOSType -eq "Windows"`
Dynamic rules need Entra ID P1 on the tenant. The rule editor in Manage365 flags that upfront so you don't write a rule that won't evaluate.
Scoped role assignments
The reason AUs exist. A normal role assignment gives someone tenant-wide power. A scoped assignment gives them power only within an AU.
Manage365's AU page lists current scoped assignments for each AU and lets you add or remove them. Common scoped role patterns:
- User Administrator over an AU — delegate helpdesk for a business unit
- Password Administrator over an AU — pure password reset delegation (no user-create rights)
- Authentication Administrator over an AU — MFA reset rights for a business unit
- Groups Administrator over an AU — let a team manage their own groups
- Helpdesk Administrator over an AU — the broad “do the support job for this slice” role
Not every role can be scoped to an AU — Microsoft picks. The Manage365 UI only shows roles Entra actually supports scoping, so you can't accidentally request an invalid combination.
End-to-end example: finance helpdesk delegation
- Create an AU named Finance with membership type Dynamic, rule `user.department -eq "Finance"`.
- Wait 5–10 minutes for Entra to evaluate the rule. The AU fills with the 14 Finance users.
- On the AU page, Add scoped role → Helpdesk Administrator, member finance-ops@acmehealth.com.au.
- finance-ops can now reset passwords and revoke sessions, but only for the 14 Finance users (and, as with any helpdesk-tier role, not for anyone who also holds a more privileged admin role). MFA reset isn't included: add a scoped Authentication Administrator assignment alongside it if the helpdesk needs that.
- A new Finance hire starts the following month. The dynamic rule picks them up on their next evaluation tick; they're in-scope for the helpdesk admin automatically.
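The delegation above, worked through as an added example (not Manage365 or Entra code): a small model of tenant-wide roles, AU membership and scoped assignments that answers "who can finance-ops actually reach?". The role-to-action map, the protected-role list, and the account names are constructed for the example and are simpler than Entra's real permission sets; the point is the shape of the check, which is the same one worth running before saving an assignment: compute the scoped admin's reach, compare it with the tenant-wide alternative, and see how membership changes move the boundary.

```python
"""Who can a scoped admin reach? Added example, not Manage365 or Entra code."""
import copy
from dataclasses import dataclass

# Simplified role -> action map (assumption for this example; Entra's real
# permission sets are larger, e.g. Authentication Administrator can also reset passwords).
ROLE_ACTIONS = {
    "Helpdesk Administrator": {"reset_password", "revoke_sessions"},
    "Password Administrator": {"reset_password"},
    "Authentication Administrator": {"reset_mfa"},
    "User Administrator": {"reset_password", "create_user", "update_user"},
    "Global Administrator": {"*"},
}
# Holders of these tenant roles are out of reach for helpdesk-tier admins, AU or not.
# Entra's real protected list is longer; this is a stand-in.
PROTECTED_ROLES = {"Global Administrator", "Privileged Authentication Administrator"}


@dataclass
class Directory:
    users: dict    # user id -> set of tenant-wide roles
    aus: dict      # au id -> set of member ids (assigned members, or a dynamic preview)
    scoped: list   # (principal id, role name, au id)

    @staticmethod
    def _allows(role, action):
        acts = ROLE_ACTIONS.get(role, set())
        return "*" in acts or action in acts

    def can(self, actor, action, target):
        """True if actor may perform action on target, tenant-wide or via a scoped assignment."""
        protected = bool(self.users[target] & PROTECTED_ROLES)
        for role in self.users.get(actor, set()):                  # tenant-wide roles
            if self._allows(role, action) and (role == "Global Administrator" or not protected):
                return True
        for principal, role, au in self.scoped:                     # AU-scoped roles
            if (principal == actor and self._allows(role, action)
                    and target in self.aus.get(au, set()) and not protected):
                return True
        return False

    def reach(self, actor, action):
        """Every user the actor can perform action on: the blast radius of their roles."""
        return sorted(u for u in self.users if self.can(actor, action, u))


# Constructed sample tenant (not real data).
TENANT = Directory(
    users={
        "alice": set(), "bob": set(), "carol": set(),   # Finance staff
        "ceo": set(),                                   # no admin role, but sensitive
        "ga-admin": {"Global Administrator"},
        "finance-ops": set(),                           # the delegated helpdesk account
        "it-helpdesk": {"Helpdesk Administrator"},      # tenant-wide, for contrast
    },
    aus={"finance": {"alice", "bob", "carol"}},
    scoped=[("finance-ops", "Helpdesk Administrator", "finance")],
)
SENSITIVE = {"ceo", "ga-admin"}


def scoped_reach():
    return TENANT.reach("finance-ops", "reset_password")


def tenant_wide_reach():
    return TENANT.reach("it-helpdesk", "reset_password")


def sensitive_in_reach(d, actor, action):
    """Run this before saving a scoped assignment: which sensitive accounts does it expose?"""
    return sorted(set(d.reach(actor, action)) & SENSITIVE)


def over_scope_demo():
    """Whoever controls AU membership controls the scoped admin's reach: adding the CEO
    to the Finance AU hands finance-ops a password reset on the CEO (the GA stays protected)."""
    before = sensitive_in_reach(TENANT, "finance-ops", "reset_password")
    d = copy.deepcopy(TENANT)
    d.aus["finance"] |= {"ceo", "ga-admin"}
    after = sensitive_in_reach(d, "finance-ops", "reset_password")
    return before, after


def grant_mfa_reset():
    """Helpdesk Administrator alone gives no MFA reset; a second scoped assignment does."""
    d = copy.deepcopy(TENANT)
    d.scoped.append(("finance-ops", "Authentication Administrator", "finance"))
    return TENANT.can("finance-ops", "reset_mfa", "alice"), d.can("finance-ops", "reset_mfa", "alice")
```

`scoped_reach()` returns the three Finance users, while `tenant_wide_reach()` for the unscoped helpdesk account returns everyone except the Global Administrator, which is the all-or-nothing picture the AU is there to avoid. `over_scope_demo()` is the check to wire into your change process: the AU's boundary moves whenever its membership does.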
Endpoints
| Method + path | What it does | Permission |
|---|---|---|
| GET /tenants/:tenantId/admin-units | List AUs | ADMIN_UNITS_READ |
| POST /tenants/:tenantId/admin-units | Create AU (assigned or dynamic) | ADMIN_UNITS_MANAGE |
| PATCH /tenants/:tenantId/admin-units/:id | Rename, update rule, switch membership type | ADMIN_UNITS_MANAGE |
| DELETE /tenants/:tenantId/admin-units/:id | Delete an AU (does not delete its members) | ADMIN_UNITS_MANAGE |
| GET /tenants/:tenantId/admin-units/:id/members | List AU members (users / groups / devices) | ADMIN_UNITS_READ |
| POST /tenants/:tenantId/admin-units/:id/members | Add a member (assigned AUs only) | ADMIN_UNITS_MANAGE |
| DELETE /tenants/:tenantId/admin-units/:id/members/:memberId | Remove a member (assigned AUs only) | ADMIN_UNITS_MANAGE |
| GET /tenants/:tenantId/admin-units/:id/role-assignments | List scoped role assignments | ADMIN_UNITS_READ |
| POST /tenants/:tenantId/admin-units/:id/role-assignments | Assign a scoped role | ADMIN_UNITS_MANAGE |
| DELETE /tenants/:tenantId/admin-units/:id/role-assignments/:assignmentId | Revoke a scoped role | ADMIN_UNITS_MANAGE |
Common pitfalls
- Dynamic rule never matches — usually the attribute isn't populated the way you think (blank, or a near-miss such as "Fin" instead of "Finance"), or the attribute name is mistyped. Look at what the attribute actually holds on a user you expect to match, then test with `user.department -eq "Finance"` before rewriting the rule.
- Missing P1 — dynamic AUs need Entra ID P1. Without it the rule is accepted but never evaluates. Manage365's licence check surfaces this, but the Graph API happily accepts the rule regardless.
- Over-scoping — giving a Helpdesk Admin scope over an AU that contains the CEO. Check who's in the AU before assigning; the Preview members button shows the current evaluation. The AU boundary is only as strong as control over its membership: anyone who can add members to an assigned AU, or edit the attribute a dynamic rule keys on (e.g. department), can bring new accounts into the scoped admin's reach. Treat both as privileged operations.
- Trying to add members to a dynamic AU — rejected. Dynamic membership is rule-driven; switch to assigned if you need manual control.
- Role not assignable to AU — Microsoft decides which roles can be scoped. If Manage365 greys out a role it's because Entra doesn't allow scoping it yet.
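For the rule syntax in the membership types section and the "rule never matches" and over-scoping pitfalls above, here is an added example (not Manage365 or Entra code): a small evaluator for the rule subset shown on this page (`-eq`, `-ne`, `-contains`, `-notContains`, `-startsWith`, `-endsWith`, `-and`, `-or`, `-not`, parentheses) run over a constructed directory. `preview_members` is a local stand-in for the Preview members button, useful for sanity-checking a rule's scope before anyone is assigned a role over it, and `explain` prints, per comparison, the value the object really carries, which is where most "never matches" problems live: the attribute is blank or holds a near-miss such as "Fin". Assumptions, since this is not Entra's engine: string comparisons are case-insensitive, an unset attribute satisfies only the negative operators, and `-and`/`-or` are chained left to right with no precedence, so use parentheses; confirm behaviour against a real preview.

```python
"""Local evaluator for Entra-style dynamic membership rules (added example, not Entra's engine)."""
import re

# Constructed sample directory (not real tenant data). "type" is user or device;
# the other keys are the attributes a rule may reference.
DIRECTORY = [
    {"type": "user", "id": "alice", "department": "Finance", "country": "AU", "jobTitle": "Finance Manager"},
    {"type": "user", "id": "bob", "department": "Finance", "country": "NZ", "jobTitle": "Analyst"},
    {"type": "user", "id": "carol", "department": "Fin", "country": "AU", "jobTitle": "Manager"},  # near-miss value
    {"type": "user", "id": "dave", "country": "AU", "jobTitle": "CEO"},                             # department unset
    {"type": "device", "id": "LT-001", "deviceOSType": "Windows", "displayName": "Laptop 1"},
]

# Tokens: "quoted string", parentheses, -operators, dotted attribute names.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|-\w+|[\w.]+')

# Assumption: string comparisons are case-insensitive (verify against a real preview).
STRING_OPS = {
    "-eq": lambda a, b: a.casefold() == b.casefold(),
    "-ne": lambda a, b: a.casefold() != b.casefold(),
    "-contains": lambda a, b: b.casefold() in a.casefold(),
    "-notcontains": lambda a, b: b.casefold() not in a.casefold(),
    "-startswith": lambda a, b: a.casefold().startswith(b.casefold()),
    "-endswith": lambda a, b: a.casefold().endswith(b.casefold()),
}
NEGATIVE_OPS = {"-ne", "-notcontains"}  # assumption: the only operators an unset attribute satisfies


def _compare(obj, prop, op, value):
    kind, _, attr = prop.partition(".")
    if kind != obj["type"]:          # user.* rules never match devices and vice versa
        return False
    actual = obj.get(attr)
    if actual is None:
        return op in NEGATIVE_OPS
    return STRING_OPS[op](str(actual), value)


class Rule:
    """Recursive-descent parser giving a small AST: ('cmp', prop, op, value), ('not', x), ('and'|'or', l, r)."""

    def __init__(self, text):
        self._tokens = TOKEN_RE.findall(text)
        self._pos = 0
        self.ast = self._expression()
        if self._pos != len(self._tokens):
            raise ValueError(f"unexpected token {self._tokens[self._pos]!r}")

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        self._pos += 1
        return tok

    def _expression(self):
        # -and / -or are chained left to right here; use parentheses to be explicit.
        node = self._term()
        while (self._peek() or "").lower() in ("-and", "-or"):
            op = self._take().lower()
            node = (op[1:], node, self._term())
        return node

    def _term(self):
        tok = self._take()
        if tok.lower() == "-not":
            return ("not", self._term())
        if tok == "(":
            node = self._expression()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        op = self._take().lower()
        if op not in STRING_OPS:
            raise ValueError(f"unsupported operator {op!r}")
        value = self._take()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError(f"value must be a quoted string, got {value!r}")
        return ("cmp", tok, op, value[1:-1])

    def matches(self, obj):
        return self._eval(self.ast, obj)

    def _eval(self, node, obj):
        kind = node[0]
        if kind == "cmp":
            return _compare(obj, *node[1:])
        if kind == "not":
            return not self._eval(node[1], obj)
        left, right = self._eval(node[1], obj), self._eval(node[2], obj)
        return (left and right) if kind == "and" else (left or right)


def preview_members(rule_text, directory=DIRECTORY):
    """Local stand-in for the Preview members button: ids the rule would pull into the AU."""
    rule = Rule(rule_text)
    return sorted(o["id"] for o in directory if rule.matches(o))


def explain(rule_text, obj):
    """One line per comparison with the value the object really carries: the first
    thing to check when a rule 'never matches'."""
    lines = []

    def walk(node):
        if node[0] == "cmp":
            _, prop, op, value = node
            kind, _, attr = prop.partition(".")
            actual = obj.get(attr) if kind == obj["type"] else None
            lines.append(f'{prop} {op} "{value}": actual={actual!r} -> {_compare(obj, prop, op, value)}')
        else:
            for child in node[1:]:
                walk(child)

    walk(Rule(rule_text).ast)
    return lines
```

`preview_members('user.department -eq "Finance"')` picks up alice and bob only; `explain` on carol and dave shows why the other two are out (`actual='Fin'` and `actual=None`), which is the diagnosis to run before assuming the attribute name is wrong. Feeding a preview into an over-scoping check (is anyone sensitive in the list?) is the same step the Preview members button supports in the UI.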
FAQ
Are AUs the same as dynamic security groups? No. Groups assign membership for app access; AUs scope admin rights. They can share rule syntax but they're different objects.
Can an AU contain another AU? No — AUs are flat. A user, group, or device can be in multiple AUs but AUs can't nest.
Does Conditional Access see AU membership? Not directly — CA targets users, groups, or roles. If you need CA scoped to an AU, mirror the AU membership into a dynamic security group and target the group.
Do scoped role assignments require PIM? No — AU scoping works with or without Privileged Identity Management. PIM adds just-in-time activation on top if you have it.