Administrative Units

Audience: Platform Engineering, Identity & Access Management, Distributed Unit Administrators
Scope: Structure and management of Administrative Units (AUs) for delegated administration
Out of scope: Azure resource scoping, Conditional Access policies

TL;DR

One AU per unit: Each college/department gets AU-[SCOPE] for group management
Enables delegation: Groups Administrators scoped to their AU can manage their own scope groups
Required for onboarding: New units must have an AU before creating DSG/USG/ESG/RSG groups
Device AUs coming soon: Future state will scope device administration (Cloud Device Admin, etc.)

Quick Reference

AU Name	Description	Primary Use
`AU-CLBA`	Mays Business School	Group management
`AU-CLEN`	College of Engineering	Group management
`AU-CLVM`	College of Veterinary Medicine & Biomedical Sciences	Group management
`AU-DOR`	Division of Research	Group management
`AU-EXSP`	Administrative Executive Support	Group management
`AU-HUMR`	Division of Human Resources & Organizational Effectiveness	Group management
`AU-IT`	Division of Technology Services	Group management
`AU-OAL`	Open Access Labs	Group management
`AU-SVC-WDM`	Protected AU for RSG groups used for tenant-wide roles	Role group management
`AU-TAMUG`	Texas A&M University Galveston Campus	Group management
`AU-TAMUQ`	Texas A&M University Qatar Campus	Group management
`AU-UEM`	Unified Endpoint Management	Group management
`AU-VPFN`	Division of Finance	Group management
`AU-VPMC`	Division of Marketing & Communications	Group management

What is an Administrative Unit?

An Administrative Unit (AU) is a container in Entra ID that restricts administrative permissions to a specific portion of the organization. Think of it as a "scope boundary" for delegated administration.

Key Concepts

Concept	Description
Membership	Groups, users, or devices assigned to the AU
Scoped Roles	Entra ID roles (e.g., Groups Administrator) limited to AU members
Restricted Management	When enabled, only AU-scoped admins can modify members

Why We Use AUs

Least Privilege: Unit admins can only manage their own groups
Self-Service: Units can create/modify their scope groups without IT intervention
Separation of Duties: Prevents cross-unit interference
Audit Trail: Clear ownership of group management actions

AU Naming Convention

AU-[SCOPE]

Element	Description
AU	Prefix identifying Administrative Unit
SCOPE	Same scope tag used for Intune, MECM, and AD delegation

Examples:

AU-CLEN — College of Engineering
AU-IT — Division of Technology Services
AU-OAL — Open Access Labs

Special AUs

AU Name	Purpose
`AU-SVC-WDM`	Protected AU for managing RSG groups used for tenant-wide Intune roles. Only Platform Engineering has access.

AU Architecture

Current State: Group Scoping

graph TD
    subgraph "Administrative Unit: AU-CLEN"
        DSG["DSG - CLEN - Managed Workstations"]
        USG["USG - CLEN - Endpoint Admins"]
        ESG["ESG - CLEN - Standard Experience"]
        RSG["RSG - CLEN - Endpoint Operator"]
    end
    
    Admin["Unit Admin\n(Groups Administrator)"] -->|Scoped to AU-CLEN| DSG
    Admin -->|Scoped to AU-CLEN| USG
    Admin -->|Scoped to AU-CLEN| ESG
    Admin -->|Scoped to AU-CLEN| RSG
    
    GlobalAdmin["Platform Engineering\n(Global Admin)"] -->|Full Access| DSG
    GlobalAdmin --> USG
    GlobalAdmin --> ESG
    GlobalAdmin --> RSG

How it works:

All scope groups (DSG, USG, ESG, RSG, FSG, CSG) are created inside the unit's AU
Unit admins are assigned "Groups Administrator" scoped to their AU
Unit admins can create, modify, and delete groups within their AU
Unit admins cannot see or modify groups outside their AU

Future State: Device Scoping

Coming Soon

Device AU scoping is currently in testing. This will allow roles like Cloud Device Administrator to be scoped to specific device groups rather than all devices in the tenant.

graph TD
    subgraph "Administrative Unit: AU-CLEN-Devices"
        Devices["College of Engineering\nManaged Devices"]
    end
    
    DeviceAdmin["Unit Device Admin\n(Cloud Device Administrator)"] -->|Scoped to AU-CLEN-Devices| Devices

Planned capabilities:

Scope Cloud Device Administrator to unit devices only
Scope Intune Administrator actions to AU members
Enable device wipe/reset delegation without full tenant access

Creating an Administrative Unit

Prerequisites

Requirement	Details
Role	Privileged Role Administrator or Global Administrator
Scope Tag	Approved scope tag (e.g., `CLEN`, `OAL`)
Naming Approval	Scope tag must be unique and approved

PowerShell Script

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

# Variables - UPDATE THESE
$scopeTag = "CLEN"
$description = "College of Engineering"

# Create the Administrative Unit
$params = @{
    displayName = "AU-$scopeTag"
    description = $description
    visibility = "HiddenMembership"
}

$au = New-MgDirectoryAdministrativeUnit -BodyParameter $params
Write-Host "Created AU: $($au.DisplayName) with ID: $($au.Id)"

Entra Portal Steps

Navigate to Entra ID → Roles and administrators → Admin units
Click + Add
Configure:
- Name: AU-[SCOPE] (e.g., AU-CLEN)
- Description: Unit full name
- Restricted management: No (unless special case)
- Membership type: Assigned
Click Create

Assigning Groups to an AU

All scope groups must be assigned to their unit's AU at creation time.

PowerShell Script

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "Group.ReadWrite.All"

# Variables - UPDATE THESE
$scopeTag = "CLEN"
$groupName = "DSG - CLEN - Managed Workstations"
$groupDescription = "All CLEN-managed Windows workstations"

# Get the AU
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'AU-$scopeTag'"

if (-not $au) {
    Write-Error "AU-$scopeTag not found. Create the AU first."
    exit 1
}

# Create the group
$groupParams = @{
    displayName = $groupName
    description = $groupDescription
    mailEnabled = $false
    mailNickname = ($groupName -replace '\s', '-')
    securityEnabled = $true
    groupTypes = @()
}

$group = New-MgGroup -BodyParameter $groupParams
Write-Host "Created group: $($group.DisplayName)"

# Add group to AU
$memberParams = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($group.Id)"
}

New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter $memberParams
Write-Host "Added $($group.DisplayName) to $($au.DisplayName)"

Delegating Administration

Assigning Scoped Roles

To delegate group management to a unit admin:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All"

# Variables - UPDATE THESE
$scopeTag = "CLEN"
$adminUpn = "jsmith@tamu.edu"

# Get the AU
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'AU-$scopeTag'"

# Get the user
$user = Get-MgUser -Filter "userPrincipalName eq '$adminUpn'"

# Get the Groups Administrator role
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Groups Administrator'"

# Create the scoped role assignment
$assignmentParams = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
    principalId = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignmentParams
Write-Host "Assigned Groups Administrator to $adminUpn scoped to AU-$scopeTag"

Available Scoped Roles

Role	Description	Common Use
Groups Administrator	Create/manage groups	Scope group management
User Administrator	Manage user accounts	User lifecycle (future)
Cloud Device Administrator	Manage devices	Device administration (future)
Authentication Administrator	Reset passwords, MFA	User support (future)

Onboarding Checklist

When onboarding a new unit, ensure these AU-related steps are completed:

Step	Owner	Action
1	Platform Engineering	Create `AU-[SCOPE]` if it doesn't exist
2	Platform Engineering	Create initial scope groups inside AU
3	Platform Engineering	Assign Groups Administrator role scoped to AU
4	Unit Admin	Verify access to AU groups in Entra portal
5	Unit Admin	Create additional scope groups as needed

Troubleshooting

Admin cannot see or edit groups

Symptoms:

Admin can log in but sees no groups
Admin gets "Access Denied" when editing groups

Solution:

Verify the admin has Groups Administrator assigned
Check the role is scoped to the correct AU (not tenant-wide)
Ensure the groups are members of the AU
PIM elevation may be required — check if role is eligible vs. active

# Check role assignments for a user
$user = Get-MgUser -Filter "userPrincipalName eq 'admin@tamu.edu'"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" | 
    Select-Object RoleDefinitionId, DirectoryScopeId

Group not appearing in AU

Symptoms:

Group exists but is not in the AU
Admin cannot manage a group they should have access to

Solution:

Add the group to the AU:

$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'AU-CLEN'"
$group = Get-MgGroup -Filter "displayName eq 'DSG - CLEN - Managed Workstations'"

$memberParams = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$($group.Id)"
}

New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter $memberParams

Cannot create AU (insufficient permissions)

Symptoms:

Error when trying to create an AU
"Insufficient privileges" message

Solution:

Only Privileged Role Administrator or Global Administrator can create AUs
Contact Platform Engineering to create the AU

Scope Groups & Naming — Group naming conventions
Custom RBAC Roles — Intune RBAC roles
Workstation Onboarding — Full onboarding process
Microsoft Docs: Administrative Units — Official documentation