What are Azure AD Administrative Units?

Azure AD Administrative Units simplify the management of Azure AD resources by partitioning an Azure AD tenant, so that administrative permissions for specific tasks can be delegated to a subset of users within an organization.

With Administrative Units, administrators can:

  • Create a hierarchy of administrative scopes and assign scope-based roles to delegate administration to a subset of users
  • Assign administrative permissions for managing objects in specific administrative scopes
  • Filter directory objects by administrative scope to ensure administrators can only access objects for which they have permission

Administrative Units can be used to delegate administrative permissions for managing users, groups, and devices, and can also be used for other Azure AD resources such as applications and service principals. Administrative Units can be created and managed through the Azure portal or Azure AD PowerShell.
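The delegation described above can be scripted with the AzureAD PowerShell module. The following is an added example, not code from the original page: it creates a unit, places users in it, grants one administrator a role scoped to that unit only, and returns the unit's scoped assignments for review. The function name, unit name, UPNs and the choice of the Helpdesk Administrator role are assumptions made for illustration.

```powershell
# Added example. Assumes the AzureAD module is installed and the signed-in
# account may manage administrative units and role assignments.
Import-Module AzureAD
Connect-AzureAD | Out-Null

function New-ScopedDelegation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $UnitName,
        [Parameter(Mandatory)] [string[]] $MemberUpns,
        [Parameter(Mandatory)] [string]   $AdminUpn,
        [string] $RoleName = 'Helpdesk Administrator'
    )
    # Reuse the unit if it already exists so the script is safe to re-run.
    $unit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$UnitName'"
    if (-not $unit) {
        $unit = New-AzureADMSAdministrativeUnit -DisplayName $UnitName `
                    -Description "Delegated scope: $UnitName"
    }
    # Add the managed users, skipping any that are already members.
    $existing = Get-AzureADMSAdministrativeUnitMember -Id $unit.Id -All $true
    foreach ($upn in $MemberUpns) {
        $user = Get-AzureADUser -ObjectId $upn
        if ($existing.Id -notcontains $user.ObjectId) {
            Add-AzureADMSAdministrativeUnitMember -Id $unit.Id -RefObjectId $user.ObjectId
        }
    }
    # Get-AzureADDirectoryRole lists only activated roles; activate the
    # role from its template if it has never been used in this tenant.
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
        if (-not $template) { throw "No directory role template named '$RoleName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    # Grant the role over this unit only, not over the whole tenant.
    $admin = Get-AzureADUser -ObjectId $AdminUpn
    $roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
    $roleMember.Id = $admin.ObjectId
    Add-AzureADMSScopedRoleMembership -Id $unit.Id -RoleId $role.ObjectId `
        -RoleMemberInfo $roleMember | Out-Null

    # Return every scoped role assignment on the unit so it can be reviewed.
    Get-AzureADMSScopedRoleMembership -Id $unit.Id
}

# Constructed sample values; replace with objects from your own tenant.
New-ScopedDelegation -UnitName 'Seattle Office' `
    -MemberUpns 'alice@contoso.example', 'bob@contoso.example' `
    -AdminUpn 'helpdesk1@contoso.example'
```

Comparing the returned assignments against the intended list of delegated administrators is a quick check that no one holds a scoped role on the unit unexpectedly.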

Author: tonyhughes