Administrative Units in Microsoft 365 Admin Center


This is a long-awaited feature for IT admins and groups of companies that need to segregate the management of users in a single tenant.

When there are many entities within a group and each has its own IT team, the earlier option was to limit access by granting a limited admin permission such as password admin, user admin, etc.

With that approach, each entity's limited admin could also make changes, within their permission, to the other entities' users.

There were a few third-party solutions to achieve this, but they came at a cost that most companies didn't want to invest in.

Surprisingly, when browsing through the admin center I found out that the 365 admin center has enabled this feature to overcome the above issues up to some level. Let's get started with Administrative Units.

Administrative Unit

So the scenario is this: in a single tenant we have two companies owned by the same group, and we need to give company 1 permission to manage only its own user accounts.

To do so, navigate to Microsoft 365 Admin center > Roles > Administrative Units.

We can add a Unit.

We need to give a name and a description for the unit.

Then we need to add the users we are going to manage. In our scenario we are going to manage the head office users, so I'm going to add a few head office users here.

We have two options to add users.

  1. Add up to 20 users and groups
  2. Upload users using a CSV, up to 200

I’m going to choose the manual add option.

Now I have 3 users.

Then we have the option to select the admin scope and the admin user who is going to manage the head office users.

We can select from the admin scopes below:

  1. Authentication admin
    • Can require users to re-register authentication for non-password credentials, like MFA
  2. Groups admin
    • Creates and manages groups, including group naming and expiration policies. Views activity and audit reports, and monitors service health.
  3. Helpdesk Admin
    • Resets passwords and re-authenticates for all non-admins and some admin roles, manages service requests, and monitors service health.
  4. License Admin
    • Assigns and removes licenses from users and edits their usage location.
  5. Password Admin
    • Resets passwords for all non-admin users and some admin roles.
  6. SharePoint administrator
    • Full access to SharePoint Online, manages Microsoft 365 groups, manages service requests, and monitors service health.
  7. Teams Administrator
    • Full access to Teams & Skype admin center, manages Microsoft 365 groups and service requests, and monitors service health.
  8. User Administrator
    • Resets user passwords, creates and manages users and groups, including filters, manages service requests, and monitors service health.

We can select the admin role based on our need. In my case I’m going to select “Password Admin”, click on Assigned, and click on +Add.

Added user1 from the Head office.

We can review our Admin unit before finishing the setup.

OK, now let's see how this looks from the head office user's side. I already logged in to the user's account.

I see a very limited admin panel when I log in with the head office user.

When I go to Active users I only see the accounts which I have permission for.

Also, since I gave only password admin, I am only authorized to reset those 3 users' passwords and nothing else.

I don’t have permission to perform anything else apart from resetting passwords for the permitted users.
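The same setup can be scripted and then checked. The following is an added example, not part of the original walkthrough: it assumes the Microsoft Graph PowerShell SDK is installed, and the unit name, description and user principal names are constructed sample values. The last step confirms that the delegated admin holds no tenant-wide role, which is the gap the administrative unit is meant to close.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph modules).
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# Constructed sample values; replace with your own head office accounts.
$memberUpns = 'ho.user1@contoso.example',
              'ho.user2@contoso.example',
              'ho.user3@contoso.example'
$adminUpn   = 'ho.user1@contoso.example'

# 1. Create the administrative unit (name and description are sample values).
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Head Office' `
        -Description 'Head office user accounts'

# 2. Add the users that the unit will contain.
foreach ($upn in $memberUpns) {
    $user = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($user.Id)" }
}

# 3. Assign Password Administrator to the admin, scoped to this unit only.
$role  = Get-MgRoleManagementDirectoryRoleDefinition `
           -Filter "displayName eq 'Password Administrator'"
$admin = Get-MgUser -UserId $adminUpn
$scope = "/administrativeUnits/$($au.Id)"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId $scope

# 4. Verify: list every directory role assignment the admin holds.
#    A DirectoryScopeId of '/' means the role applies to the whole tenant,
#    so the admin could act on the other company's users as well.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
                 -Filter "principalId eq '$($admin.Id)'"
$tenantWide  = $assignments | Where-Object { $_.DirectoryScopeId -eq '/' }

if ($tenantWide) {
    Write-Warning "$adminUpn still holds tenant-wide role assignments:"
    $tenantWide | Select-Object RoleDefinitionId, DirectoryScopeId
} else {
    Write-Output "$adminUpn holds only scoped assignments:"
    $assignments | Select-Object RoleDefinitionId, DirectoryScopeId
}
```

Step 4 only reports direct role assignments; roles granted through group membership need a separate check.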
