Administrators and Entra ID Administrative Unit (AU)
Administrative Units are designed to provide organizations with a structured approach to managing directory objects, such as user accounts, by segmenting them into more manageable subdivisions. It is possible for user accounts to be simultaneously associated with multiple AUs. For instance, an individual’s user account might be included within one AU dedicated to their specific department, while also being part of a separate unit that corresponds to their country of operation. This dual association allows for nuanced control that aligns with both the geographical and functional aspects of the organization’s operations.
Furthermore, it is possible to designate certain administrators with limited permissions tailored specifically for managing members within their respective units. For instance, AUs can be strategically utilised to allocate the Helpdesk Administrator role to regional support specialists.
Creating an AU and manually adding user accounts is a straightforward process. Dynamic AUs remove the manual upkeep: Entra ID manages the unit's membership itself, adding and removing objects as their properties change to match the membership rule you define.
Support for Entra ID Administrative Units in Purview Solutions
After establishing and populating your AUs, you have the flexibility to delegate them to members within Purview compliance role groups. Alternatively, you can directly integrate these units into the configuration of Microsoft Purview Solutions.
Although AUs are supported within several Purview solutions, we will focus on:
- Data Loss Prevention (DLP): Management of DLP policies
- Information Protection (MPIP): Management of sensitivity label publishing policies
The configuration for administrative units seamlessly extends to the following features:
Alerts: DLP alerts are visible only to users within the assigned AUs.
Activity Explorer: Activity events are restricted to visibility only for users within the assigned AUs.
Limiting Scope for Administrators
Microsoft Purview employs a sophisticated system of administrative role groups to delineate the specific capabilities and permissions of each group’s members. In a standard Microsoft 365 tenant configuration, these compliance role groups are granted a broad, organization-wide purview. However, through the use of AUs, administrators can effectively segment the larger organization into more manageable subdivisions. For instance, administrators in Germany are empowered to exclusively devise and administer policies pertaining to German users.
Creating Administrative Units in MS Entra ID
Why use restricted management Administrative Units?
One compelling rationale for employing restricted management within administrative units is the safeguarding of high-profile C-level executive accounts and their associated devices. By implementing such measures, you can create a secure enclave that is excluded from the routine administrative reach of Helpdesk Administrators.
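As an added example (not code from the original post), the following Microsoft Graph PowerShell script creates the two kinds of AU discussed above, a dynamic regional unit and a restricted-management enclave for executives, and scopes the Helpdesk Administrator role to the regional unit only. The AU names, the country value "DE" and the user principal names are placeholders; it assumes the Microsoft.Graph module is installed, the signed-in account can create AUs and role assignments, and the tenant is licensed for dynamic AUs (see Licensing below).

```powershell
# Added example: build a dynamic regional AU plus a restricted-management AU and
# delegate Helpdesk Administrator to the regional one. Names and UPNs are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# 1. Dynamic AU: membership follows the user.country attribute, no manual upkeep.
$regionalAu = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = "AU-Germany-Users"
    description                   = "Dynamic AU for users whose country is DE"
    membershipType                = "Dynamic"
    membershipRule                = '(user.country -eq "DE")'
    membershipRuleProcessingState = "On"
}

# 2. Restricted-management AU for C-level accounts. The flag can only be set at
#    creation time; members are added explicitly so that the enclave stays deliberate.
$execAu = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "AU-Executives-Restricted"
    description                  = "Executive accounts outside routine helpdesk reach"
    isMemberManagementRestricted = $true
}
$ceo = Get-MgUser -UserId "ceo@contoso.example"          # placeholder UPN
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $execAu.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($ceo.Id)" }

# 3. Resolve the built-in role by name rather than hard-coding its template ID.
$helpdeskRole = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Helpdesk Administrator'"

# 4. Scope the assignment to the regional AU, not the whole directory.
$regionalAdmin = Get-MgUser -UserId "helpdesk.de@contoso.example"   # placeholder UPN
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    roleDefinitionId = $helpdeskRole.Id
    principalId      = $regionalAdmin.Id
    directoryScopeId = "/administrativeUnits/$($regionalAu.Id)"
}

# 5. Verify: every assignment scoped to the regional AU should be listed here, and
#    nothing should appear for the restricted executive AU.
Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "directoryScopeId eq '/administrativeUnits/$($regionalAu.Id)'" |
    Select-Object RoleDefinitionId, PrincipalId, DirectoryScopeId
```

Because the regional administrator holds Helpdesk Administrator only at the AU scope, the executive accounts in the restricted AU remain outside that role's reach even if the same person is later given the role tenant-wide.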
Administrative Units and Microsoft Purview
Note: it can take up to 24 hours before a newly created AU becomes selectable in MS Purview.
Data Loss Prevention policies
- When you select the AUs, the options for the location of the policy change
- When choosing users or groups to be in scope, only those that are members of the AU can be selected
Information Protection
Avoid choosing AUs when setting up an auto-labelling policy for SharePoint documents. Since AUs are designed to support only users and groups, utilising them in your auto-labelling policy will prevent you from selecting a SharePoint location.
Licensing
MS Entra ID licensing
- Microsoft Entra ID P1 or P2 license for each AU administrator
- Microsoft Entra ID Free licenses for AU members
Microsoft Purview licensing
- Required for MS Purview administrators who assign AUs; the exact license depends on the solution(s) in which they are used:
- Microsoft 365 E5/A5/G5
- Microsoft 365 E5/A5/G5/F5 Compliance or F5 Security & Compliance
- Microsoft 365 E5/A5/G5/F5 Information Protection & Governance
- Microsoft 365 E5/A5/F5 Insider Risk Management
Feel free to contact us at contact@infotechtion.com if you need any help configuring similar scenarios.