AZ-104 Azure Identity - Creating Administrative Units

Administrative Units for Entra ID

An administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. An administrative unit can contain only users, groups, or devices.

Constraints

Administrative units can't be nested.
Administrative units are currently not available in Microsoft Entra ID Governance.

Groups

Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).

For example, a User Administrator scoped to an administrative unit that contains a group can and can't do the following:

Permissions	Can do
Manage the name of the group	✅
Manage the membership of the group	✅
Manage the user properties for individual members of the group	❌
Manage the user authentication methods of individual members of the group	❌
Reset the passwords of individual members of the group	❌

Plan the organization

Plan the organization and evaluate its needs to determine the value that administrative units can provide for managing identities like groups and users.

Crate and Administrative Unit

Create an administrative unit to logically divide the organization and allow for scoping.

Purpose of administrative units: An Azure AD resource for providing a container for Azure AD Objects.
Benefits of Administrative units: Allow you to control the scope of your administrative users.

Azure Entra ID Mindmap

Azure Youtube Videos

AZ-104 - Administration - Azure Resource Manager

AZ-104 - Administration - Azure Portal and Cloud Shell Basics

AZ-104 - Administration - Azure CLI and Powershell

AZ-104 - Administration - Azure ARM Templates

AZ-104 - Governance and Compliance - Managing Subscriptions

AZ-104 - Governance and Compliance - Using management groups

AZ-104 - Governance and Compliance - Understanding Azure Policy

AZ-104 - Governance and Compliance - Tagging Resources

AZ-104 - Governance and Compliance - LAB Add Remove Tags

AZ-104 - Governance and Compliance - Locking and Moving Resources

AZ-104 - Governance and Compliance - Managing Azure Costs

AZ-104 - Governance and Compliance - Building a cloud governance strategy wth Azure tooling

AZ-104 Azure Identity - Conceptualizing Entra ID (Azure Active Directory)

AZ-104 Azure Identity - Managing Tenants

AZ-104 Azure Identity - Creating and Managing Users

AZ-104 Azure Identity - LAB Create and Manage Microsoft Entra ID Users in the Portal

AZ-104 Azure Identity - LAB Perform Bulk Microsof Entra ID Operations in the Portal

AZ-104 Azure Identity - Creating and Managing Groups

AZ-104 Azure Identity - Creating Administrative Units

AZ-104 Azure Identity - Configuring SSPR (self serfice password reset)

AZ-104 Azure Identity - Azure Entra ID Device Management

AZ-104 Azure RBAC - Understanding Roles in Azure

AZ-104 Azure RBAC - Assigning access to resources

AZ-104 Azure RBAC - LAB Using service Principal Identity to List AD Roles

AZ-104 Azure RBAC - Creating custom roles

AZ-104 Azure - Storage Accounts

AZ-104 Azure - Conceptualizing Azure Blog Storage

AZ-104 Azure - Configuring blob object replication

AZ-104 Azure - Configuring Blob Lifecycle Management

AZ-104 Azure Identity - Creating Administrative Units

Constraints

Groups

Plan the organization

Crate and Administrative Unit

No Comments