Tutorial / Cram Notes
Administrative units are containers within Microsoft 365 that allow a scoped group of users and other resources to be managed separately from the rest of the organization. They serve as boundaries for administrative tasks, enabling a decentralized model of management. This is particularly useful in large organizations, educational institutions, or situations where there are distinct divisions requiring separate administrative control.
Creating and Managing Administrative Units
To create an administrative unit, you need to have either Global Administrator or Privileged Role Administrator permissions in your Microsoft 365 environment. The creation and management of administrative units can be done through the Microsoft 365 Admin Center or via PowerShell.
Here are the steps to create an administrative unit through the Microsoft 365 Admin Center:
- Navigate to the Microsoft 365 Admin Center.
- Go to “Admin centers” and select “Azure Active Directory”.
- In the Azure Active Directory admin center, select “Administrative units” and then click “New administrative unit”.
- Enter the name and description for the administrative unit and then click “Create”.
Once an administrative unit is created, you can add members and assign roles. The members can be users or groups who will be managed within this unit. The roles are scoped to the administrative unit, meaning the assigned administrators can only perform tasks within the confines of the unit.
Assigning Roles within Administrative Units
To assign a role within an administrative unit:
- Select the desired administrative unit.
- Click on “Roles and administrators”.
- Choose “Add assignment”, then select the role to assign.
- Pick the appropriate user to assign the role to and confirm the assignment.
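The same create, add-member and scoped-assignment sequence can be scripted. The following is an added example, not part of the original notes: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) rather than the portal, and the unit name, user principal names and role choice are constructed placeholders.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell module is installed and
# the signed-in account is allowed to create administrative units.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# Constructed placeholder values; replace with your own.
$unitName  = 'Faculty of Arts'
$memberUpn = 'student1@contoso.example'
$adminUpn  = 'arts-helpdesk@contoso.example'
$roleName  = 'Helpdesk Administrator'

# 1. Create the administrative unit only if it does not exist yet.
#    Display names are not unique, so stop if the lookup is ambiguous.
$au = @(Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$unitName'")
if ($au.Count -gt 1) { throw "More than one administrative unit named '$unitName'." }
if ($au.Count -eq 0) {
    $au = @(New-MgDirectoryAdministrativeUnit -BodyParameter @{
        displayName = $unitName
        description = 'Accounts managed by the Faculty of Arts IT team'
    })
}
$auId = $au[0].Id

# 2. Add a user as a member of the unit (errors if already a member).
$member = Get-MgUser -UserId $memberUpn
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $auId -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($member.Id)"
}

# 3. Assign the role to the delegated admin, scoped to this unit only.
#    The directory scope is what limits the role to the unit's members.
$admin = Get-MgUser -UserId $adminUpn
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$auId"

# 4. Review who holds scoped roles over this unit (least-privilege check).
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $auId |
    Select-Object RoleId,
        @{ Name = 'Principal';   Expression = { $_.RoleMemberInfo.DisplayName } },
        @{ Name = 'PrincipalId'; Expression = { $_.RoleMemberInfo.Id } }
```

Running step 4 on a schedule and comparing the output against an approved list is a simple way to catch scoped assignments that were added outside the normal process.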
Examples of Scoped Roles
Standard Role | Scoped Role in Administrative Unit |
---|---|
User Administrator | Administrative Unit User Administrator |
Helpdesk Administrator | Administrative Unit Helpdesk Administrator |
Groups Administrator | Administrative Unit Groups Administrator |
These scoped roles function similarly to their standard counterparts but limit the administrative actions to the users and resources within the specific administrative unit.
Use Case Scenarios
Administrative units can be used in a variety of scenarios. For example, in an educational setting, each school or department could be assigned its own administrative unit. The IT department at the Faculty of Arts could be given scoped roles to manage accounts and resources solely for the Arts department, independent of the Science department.
In a multinational company, administrative units can be set up per country or region, allowing local IT administrators to manage their own users without affecting the entire organization.
Limitations and Considerations
While administrative units provide an additional layer of organization, they come with limitations:
- Not all Microsoft 365 services and features support administrative units.
- Administrative units cannot be nested; they are distinct and do not inherit permissions or roles from one another.
- Licenses cannot be directly assigned within an administrative unit. They are still managed globally.
Conclusion
Administrative units offer a flexible and secure way to manage subsets of users in an organization by scoping administrative roles to specific boundaries. Their use simplifies management, enhances security by minimizing overly broad permissions, and allows for customization per department, region, or organizational unit. In the context of the MS-100 Microsoft 365 Identity and Services exam, understanding how to set up and manage administrative units is fundamental for effective Microsoft 365 administration.
Practice Test with Explanation
True or False: Administrative Units in Microsoft 365 can only be managed via PowerShell.
- Answer: False
Explanation: Administrative Units can be managed via both PowerShell and the Azure Active Directory portal in Microsoft 365.
True or False: You must be a Global Administrator to create Administrative Units in Microsoft 365.
- Answer: False
Explanation: While Global Administrators can create Administrative Units, so can users assigned the User Administrator or Administrative Unit Administrator roles.
Which of the following roles can manage members within an Administrative Unit?
- A) Global Administrator
- B) User Administrator
- C) Password Administrator
- D) Billing Administrator
Answer: A and B
Explanation: Both Global Administrators and User Administrators can manage members within Administrative Units.
True or False: Administrative Units can be nested within each other.
- Answer: False
Explanation: Administrative Units in Microsoft 365 cannot be nested like organizational units in Active Directory.
True or False: License assignment can be managed at an Administrative Unit level.
- Answer: True
Explanation: Licenses can be managed at an Administrative Unit level, allowing for more granular control of license assignments.
Multiple Select: What can you do within an Administrative Unit in Microsoft 365?
- A) Assign roles to users
- B) Manage device compliance policies
- C) Set conditional access policies
- D) Restrict access to SharePoint Online sites
Answer: A, B, and C
Explanation: Within an Administrative Unit, you can assign roles to users, manage device compliance policies, and set conditional access policies. Restricting access to SharePoint Online sites is not directly managed through Administrative Units.
True or False: An Administrative Unit can be used to delegate permissions to manage a specific group of users.
- Answer: True
Explanation: Administrative Units are designed to delegate permissions for managing specific groups of users in Microsoft 365.
True or False: You can delegate a set of permissions to a group in an Administrative Unit.
- Answer: False
Explanation: Permissions are delegated to users within an Administrative Unit, but not to groups.
Single Select: What is the primary purpose of using Administrative Units in Microsoft 365?
- A) To enforce security compliance
- B) To manage resources
- C) To delegate administrative tasks
- D) To create new user accounts
Answer: C
Explanation: The primary purpose of using Administrative Units is to delegate administrative tasks to users or teams within a part of the organization.
True or False: Once created, the scope of an Administrative Unit cannot be modified.
- Answer: False
Explanation: The scope of an Administrative Unit, such as its name and description, can be modified after creation.
True or False: Administrative Units in Microsoft 365 support dynamic membership based on user attributes.
- Answer: True
Explanation: Administrative Units can have dynamic membership based on user attributes like department, job title, or country.
Multiple Select: Which attributes can be used to define dynamic membership rules for Administrative Units?
- A) Department
- B) Manager
- C) Last sign-in time
- D) Country
Answer: A, B, and D
Explanation: Attributes like department, manager, and country can be used to define dynamic membership rules. Last sign-in time is not an attribute used for dynamic membership in Administrative Units.
Interview Questions
What are administrative units in Azure Active Directory (Azure AD)?
Administrative units in Azure AD are containers for administrative roles, which can be used to delegate administrative permissions for specific areas of the organization.
What is the purpose of administrative units in Azure AD?
The purpose of administrative units in Azure AD is to allow for more granular and secure management of administrative permissions by enabling the delegation of permissions to a specific subset of users or groups within an organization.
How can you create an administrative unit in Azure AD?
You can create an administrative unit in Azure AD by using the Azure AD PowerShell module or the Azure portal.
What are the different types of administrative roles that can be assigned to an administrative unit in Azure AD?
There are five different types of administrative roles that can be assigned to an administrative unit in Azure AD: Global administrator, User administrator, Password administrator, Service administrator, and Exchange administrator.
How do you assign administrative roles to an administrative unit in Azure AD?
You can assign administrative roles to an administrative unit in Azure AD by using the Azure AD PowerShell module or the Azure portal.
How can you manage the members of an administrative unit in Azure AD?
You can manage the members of an administrative unit in Azure AD by using the Azure AD PowerShell module or the Azure portal.
Can you nest administrative units in Azure AD?
No, administrative units cannot be nested in Azure AD.
What is the maximum number of administrative units that can be created in Azure AD?
The maximum number of administrative units that can be created in Azure AD is 5,000.
How can you use administrative units to delegate permissions for specific areas of your organization?
You can use administrative units to delegate permissions for specific areas of your organization by assigning the appropriate administrative roles to the administrative units, and then adding the appropriate users or groups to those administrative units.
How do you remove an administrative unit in Azure AD?
You can remove an administrative unit in Azure AD by using the Azure AD PowerShell module or the Azure portal.
Does anyone have tips for managing administrative units in Microsoft 365?
Can we delegate user management to departmental administrators via administrative units?
I appreciate the blog post!
Is it possible to audit activities within administrative units?
Does anyone else find the UI for managing administrative units lacking?
How do you handle role assignments in administrative units?
Do administrative units offer the same level of control as organizational units in Active Directory?
Can someone share best practices for naming conventions of administrative units?