Unit 5: Configure Delegation Using Administrative Units

Purpose of Administrative Units (AUs)

Administrative Units (AUs) are containers within Microsoft Entra ID used to group and delegate management of specific users, groups, or devices. They enforce scoped administration, ensuring administrators can manage only specific subsets of resources instead of the entire tenant.

Example: In Contoso, a Helpdesk Administrator in the Europe AU can reset passwords for European users only, not for employees in North America or Asia.

Why Use Administrative Units

• Enforces least privilege and segregation of duties.
• Supports decentralized administration for large or distributed organizations.
• Simplifies management for region- or department-specific admins.

Admin Roles Available in Administrative Units

Analogy: Think of Administrative Units (AUs) as organizational units (OUs) in on-premises Active Directory, but scoped for Microsoft Entra ID.

Planning Administrative Units

You can organize AUs by:

• Geography: e.g., “Europe,” “North America,” “Asia-Pacific.”
• Department: e.g., “Finance,” “Research,” “IT Support.”
• Subsidiary or Business Unit: e.g., “Contoso Manufacturing,” “Contoso Health.”

Lifecycle of AU Creation

• Initial adoption – start with a few units (e.g., per department).
• Pruning – refine or remove unnecessary AUs.
• Stabilization – consistent structure across the tenant.

Delegating Administration

Delegation helps organizations scale identity management securely.

Ways to Delegate Application Management

Example: At Fabrikam, only the DevOps lead is allowed to register apps. Others can manage apps only if added as app owners.

Steps to Plan Delegation

• Define Roles Needed – Identify what tasks require elevated permissions.
• Delegate App Administration – Offload app-level tasks from Global Admins.
• Grant Application Registration Rights – Restrict who can register new apps.
• Delegate App Ownership – Assign owners to specific enterprise apps.
• Develop Security Plan – Include MFA, monitoring, and just-in-time access.
• Establish Emergency Accounts – “Break-glass” accounts for tenant recovery.
• Secure Admin Roles – Enforce MFA and PIM for privileged accounts.

Delegating App Registration

To limit who can create app registrations:

• Set Users can register applications → No in User settings.
• Assign specific users to the Application Developer role.

To control consent to data access:

• Set Users can consent to apps accessing company data → No.
• Assign Application Developer role to trusted staff.

Delegating App Ownership

Each enterprise app can have multiple owners responsible for its configuration.

Example: Contoso assigns a Salesforce admin as the Enterprise Application Owner for Salesforce, allowing her to manage user access and SSO settings without full tenant admin rights.

Security Planning and Best Practices

• Always maintain at least two emergency (break-glass) accounts with MFA disabled but stored securely.
• Apply Security Defaults to enforce MFA on admin accounts.
• Keep administrative access temporary using PIM.
• Review delegated permissions regularly to maintain security compliance.