
Administrative Units & Role-Based Access

25 mins

Understanding the Concept

Administrative units (AUs) in Microsoft Entra ID allow you to restrict administrative scope. Instead of giving an administrator tenant-wide permissions, you can scope their role to a specific administrative unit containing a subset of users, groups, or devices.

Built-in Entra ID roles include Global Administrator, User Administrator, Security Administrator, and many more. Custom roles can be created to grant specific permissions tailored to your organization's needs (requires P1).

The principle of least privilege should guide role assignments: administrators should have only the permissions they need, scoped to the resources they manage. PIM (Privileged Identity Management) adds just-in-time access for elevated roles.

Key Points

  • Administrative units scope admin permissions to a subset of objects
  • 60+ built-in roles available for common administrative tasks
  • Custom roles allow granular permission assignment (P1 required)
  • Global Administrator is the most powerful role - limit to 2-4 users
  • Use PIM for just-in-time activation of privileged roles (P2 required)

RBAC Architecture

  • Step 1 - Define AUs: create administrative units by region, department, or function
  • Step 2 - Assign Members: add users, groups, or devices to administrative units
  • Step 3 - Assign Roles: grant admin roles scoped to specific administrative units
  • Step 4 - Activate via PIM: admins activate roles just-in-time when needed
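The four steps above, carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the course; the AU name "EMEA-HelpDesk", the accounts alice@contoso.com and bob@contoso.com, the justification text and the durations are placeholders. The key detail is the directoryScopeId: "/administrativeUnits/<id>" scopes the role to the AU, whereas "/" would make it tenant-wide.

```powershell
# Added example (not part of the course page). Placeholder names throughout.
# Set $usePim to $false on a P1-only tenant to fall back to a scoped (but permanent) assignment.
$usePim = $true

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", `
                        "RoleManagement.ReadWrite.Directory", `
                        "User.Read.All"

# Step 1: define an administrative unit for one region / function.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "EMEA-HelpDesk" `
        -Description "Users supported by the EMEA help desk"

# Step 2: add a member to the AU by reference (users, groups or devices work the same way).
$member = Get-MgUser -UserId "alice@contoso.com"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)" }

# Step 3: pick a built-in role and restrict its scope to the AU.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
             -Filter "displayName eq 'User Administrator'"
$admin   = Get-MgUser -UserId "bob@contoso.com"
$scope   = "/administrativeUnits/$($au.Id)"   # NOT "/" (tenant-wide)

if (-not $usePim) {
    # P1 path: scoped, but permanent. Acceptable only where PIM is unavailable.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId $scope
}
else {
    # Step 4 (P2): make Bob *eligible* for the scoped role instead of assigning it outright.
    $eligibility = @{
        Action           = "adminAssign"
        PrincipalId      = $admin.Id
        RoleDefinitionId = $roleDef.Id
        DirectoryScopeId = $scope
        Justification    = "Delegated help-desk administration for EMEA"
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "AfterDuration"; Duration = "P180D" }  # review in 6 months
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

    # Later, Bob (signed in as himself) activates the role for a bounded window.
    $activation = @{
        Action           = "selfActivate"
        PrincipalId      = $admin.Id
        RoleDefinitionId = $roleDef.Id
        DirectoryScopeId = $scope
        Justification    = "Ticket INC-0001: password reset for an EMEA user"
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "AfterDuration"; Duration = "PT4H" }  # auto-expires
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
}
```

Run the first part as an administrator holding Privileged Role Administrator or Global Administrator; the selfActivate request only succeeds when run by the eligible principal. Both schedule requests return an object whose Status field shows whether approval or MFA is still pending under the role's PIM settings.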

Why This Matters in Real Organizations

Without administrative units, delegating admin tasks requires granting tenant-wide permissions. This violates least privilege and creates excessive risk. AUs enable safe delegation while maintaining security boundaries between business units or regions.

Common Mistakes to Avoid

  • Making too many users Global Administrators
  • Not using administrative units for delegated administration
  • Assigning permanent privileged roles instead of using PIM
  • Creating custom roles when built-in roles would suffice
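A quick audit for the first and third mistakes, as an added example that is not part of the course. It reads the role assignment schedule instances (what is in effect right now) for Global Administrator, counts distinct holders against the lesson's 2-4 target, and lists assignments that are permanent rather than PIM-activated. The 4 threshold and the output wording are this example's choices.

```powershell
# Added example (not part of the course page). Read-only: needs no write permission.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$ga = Get-MgRoleManagementDirectoryRoleDefinition `
        -Filter "displayName eq 'Global Administrator'"

# Schedule instances cover both permanent assignments and PIM activations currently in effect.
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
               -Filter "roleDefinitionId eq '$($ga.Id)'" -All

# Mistake: too many Global Administrators (lesson target: 2-4 users).
$holders = @($instances | Select-Object -ExpandProperty PrincipalId -Unique)
if ($holders.Count -gt 4) {
    Write-Warning "Global Administrator is held by $($holders.Count) principals; target is 2-4."
}
else {
    Write-Output "Global Administrator holders: $($holders.Count) (within target)."
}

# Mistake: permanent privileged roles. AssignmentType 'Assigned' with no EndDateTime
# is a standing assignment; 'Activated' entries are time-bound PIM activations.
$permanent = @($instances | Where-Object {
    $_.AssignmentType -eq "Assigned" -and -not $_.EndDateTime
})
foreach ($i in $permanent) {
    $who = (Get-MgDirectoryObject -DirectoryObjectId $i.PrincipalId).AdditionalProperties["userPrincipalName"]
    Write-Output ("Permanent Global Administrator: {0} ({1}) scope {2}" -f `
        $who, $i.PrincipalId, $i.DirectoryScopeId)
}
Write-Output "Permanent assignments found: $($permanent.Count)"
```

Expect your emergency-access (break-glass) accounts to appear in the permanent list by design; everything else listed is a candidate for conversion to a PIM eligibility as in the RBAC Architecture steps.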

Interview Tips

  • Explain the least privilege principle in context of Entra ID roles
  • Discuss when to use administrative units vs other scoping methods
  • Mention PIM as the solution for just-in-time privileged access

Exam Tips (SC-300)

  • Know the key built-in roles and their permissions
  • Understand administrative unit capabilities and limitations
  • Know that custom roles require P1 and PIM requires P2
