Azure AD Admin Units (Preview)

Today I had time to test the new Azure AD administrative units preview feature. This feature is very important to me, as I have often asked about it in Azure AD in the past.

What can you do with Azure AD administrative units?

The answer is really simple: you can delegate administrative permissions to different departmental units.

Okay, let’s explain a use-case scenario:

Your company has more than one IT department at different locations. You have first-level support in Europe and another in the United States. You want to achieve the following:

  • The US help desk can only change users and groups from their location
  • The help desk in Europe can only change users and groups from their location

Exactly this is possible with Azure AD administrative units.

Let’s start with a demo implementation. First, I create a new Azure AD administrative unit. To do this, open the Azure Active Directory portal and go to the corresponding section:

Create a new unit called “DemoUnit”. In my case, I add two users as members; these are the users the delegated administrator will be allowed to edit:

Next, we assign a role and an administrator to this administrative unit. Click Roles and administrators to add the necessary permissions. The available roles are currently limited to:

Select the role to which you want to add the unit, and add the administrator for this administrative unit.
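The same DemoUnit setup can be scripted with the AzureADPreview PowerShell module, which is useful for reproducing the scope later and for auditing who can edit whom. This is an added example, not from the original post: the member UPNs, the delegated admin’s UPN and the role name “User Administrator” are placeholders, since the post does not name the roles offered in the portal.

```powershell
# Added example: create an administrative unit, add members, and bind a role to a
# delegated admin scoped to that unit only. All UPNs and the role name are placeholders.
Connect-AzureAD

$memberUpns  = @('user1@contoso.example', 'user2@contoso.example')  # placeholder members
$delegateUpn = 'adminunitadmin@contoso.example'                      # placeholder scoped admin
$roleName    = 'User Administrator'                                  # assumed role; pick one the portal offers

# 1. Create the administrative unit
$au = New-AzureADMSAdministrativeUnit -DisplayName 'DemoUnit' -Description 'Scope for the delegated help desk'

# 2. Add the users the delegated admin is allowed to manage
foreach ($upn in $memberUpns) {
    $u = Get-AzureADUser -ObjectId $upn
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $u.ObjectId
}

# 3. Resolve the directory role; a role that was never used must be activated from its template first
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $tpl  = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $tpl.ObjectId
}

# 4. Bind the role to the delegate, scoped to the unit (not a tenant-wide assignment)
$delegate = Get-AzureADUser -ObjectId $delegateUpn
$info     = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$info.Id  = $delegate.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $info

# 5. Verify: which objects are in scope, and who holds which role over the unit
Get-AzureADMSAdministrativeUnitMember -Id $au.Id | Select-Object Id
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Select-Object RoleId, @{ n = 'Member'; e = { $_.RoleMemberInfo.Id } }
```

The two Get-* calls at the end are the audit view: anything edited by the delegate that is not listed under step 5 should be investigated as a scope misconfiguration.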

Cool, let’s validate the solution. I open my browser (incognito) and log in to the Azure portal (https://portal.azure.com) as the user “Admin UnitAdmin”. Now I go to the Azure AD portal and try to change one of the “member” users in the administrative unit:

Everything looks good: the “Edit” button is active. Now I try to edit another user who is not in the Azure AD administrative unit:

Bamm, not possible, because the “Edit” button is deactivated for this user outside the administrative unit.

Important note!

This feature is currently in preview and is an Azure AD Premium feature.

My conclusion: this function is very important, but the configuration is not really clear, and I hope a better overview of:

  • The administrative role binding
  • The administrative members

will be available when the feature is released soon.