# AZ-104 Azure Identity - Creating Administrative Units

- [ ] [Administrative Units for Entra ID](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units)

An administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. An administrative unit can contain only users, groups, or devices.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/238p43KyBQXLlhUv-image.png)

## Constraints

- Administrative units can't be nested.
- Administrative units are currently not available in [Microsoft Entra ID Governance](https://learn.microsoft.com/en-us/entra/id-governance/identity-governance-overview).

## Groups

Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but **not** the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).

For example, a [User Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#user-administrator) scoped to an administrative unit that contains a group can and can't do the following:

<table aria-label="Table 1" class="table table-sm margin-top-none" id="bkmrk-permissions-can-do-m"><thead><tr><th>Permissions</th><th>Can do</th></tr></thead><tbody><tr><td>Manage the name of the group</td><td>✅</td></tr><tr><td>Manage the membership of the group</td><td>✅</td></tr><tr><td>Manage the user properties for individual <strong>members</strong> of the group</td><td>❌</td></tr><tr><td>Manage the user authentication methods of individual <strong>members</strong> of the group</td><td>❌</td></tr><tr><td>Reset the passwords of individual <strong>members</strong> of the group</td><td>❌</td></tr></tbody></table>
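The scoping rule and the constraints above can be checked against a planned layout before any administrative unit is created. The following is an added example, not Microsoft's code and not part of the original notes: it models the rule on constructed data (all object ids, the dictionary layout and the function names are assumptions) and lists the users a scoped administrator would not be able to manage because they are only reachable through a group.

```python
"""Model of administrative-unit scoping on a planned layout (constructed data)."""

# An administrative unit can contain only users, groups, or devices.
ALLOWED_MEMBER_TYPES = {"user", "group", "device"}

# Constructed directory objects: id -> type.
OBJECTS = {
    "u-alice": "user", "u-bob": "user", "u-carol": "user",
    "g-sales": "group", "d-laptop1": "device", "au-emea": "administrativeUnit",
}
# Planned direct members of each administrative unit (constructed).
# "au-nested" is a deliberately invalid plan entry: it tries to hold another AU.
AU_MEMBERS = {
    "au-sales": {"g-sales", "u-alice", "d-laptop1"},
    "au-nested": {"au-emea", "u-bob"},
}
# Group membership (constructed).
GROUP_MEMBERS = {"g-sales": {"u-alice", "u-bob", "u-carol"}}


def invalid_members(au_id):
    """Planned members an AU cannot hold, e.g. another AU (no nesting)."""
    return sorted(m for m in AU_MEMBERS[au_id]
                  if OBJECTS.get(m) not in ALLOWED_MEMBER_TYPES)


def can_manage_group(au_id, group_id):
    """Group name and membership are in scope when the group itself is in the AU."""
    return OBJECTS.get(group_id) == "group" and group_id in AU_MEMBERS[au_id]


def can_manage_user(au_id, user_id):
    """User properties, auth methods and password reset need the user in the AU."""
    return OBJECTS.get(user_id) == "user" and user_id in AU_MEMBERS[au_id]


def scope_gaps(au_id):
    """Group members that are not direct AU members: outside the admin's scope."""
    gaps = {}
    for member in AU_MEMBERS[au_id]:
        if OBJECTS.get(member) == "group":
            missing = sorted(GROUP_MEMBERS.get(member, set()) - AU_MEMBERS[au_id])
            if missing:
                gaps[member] = missing
    return gaps


if __name__ == "__main__":
    print("invalid members:", invalid_members("au-nested"))
    print("scope gaps:", scope_gaps("au-sales"))
```

Each user reported by `scope_gaps` has to be added to the administrative unit directly if the scoped administrator is expected to manage that account.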

#### Plan the organization

Plan the organization and evaluate its needs to determine the value that administrative units can provide for managing identities like groups and users.

#### Create an Administrative Unit

Create an administrative unit to logically divide the organization and allow for scoping.

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/Y9wGsKyaTBR2jeSP-image.png)

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/YbELeX4NwQo0PsRx-image.png)

![image.png](https://wiki.tinod.net/uploads/images/gallery/2024-02/scaled-1680-/SACtD8r1hy8PzIL9-image.png)

- Purpose of administrative units: an Azure AD resource that provides a container for Azure AD objects.
- Benefits of administrative units: they allow you to control the scope of your administrative users.