Office 365 for IT Pros (https://office365itpros.com) – Azure AD administrative units

Microsoft Launches Restricted Administrative Units in Preview
https://office365itpros.com/2023/07/14/restricted-administrative-units/
Fri, 14 Jul 2023

Restricted Administrative Units Protect Sensitive User Accounts and Security Groups

Following up on its announcement of the wonders promised by the renaming of Azure AD to Microsoft Entra ID, Microsoft released the preview of Entra ID Restricted Administrative Units, a type of administrative unit designed to protect sensitive user accounts, devices, and security groups from unfettered access by tenant administrators. Microsoft describes three scenarios when they think this capability is useful:

  • Protect user accounts for people such as senior executives so that accounts holding regular administrative roles cannot perform tasks such as resetting passwords for those accounts.
  • Enable country-level administration for specific user accounts and security groups.
  • Restrict the ability to update the membership of security groups that protect sensitive data.

It’s worth noting that restrictions apply within Entra ID. Administrators can continue to process updates to mailbox properties such as adjusting the primary SMTP address of mailboxes owned by accounts within restricted administrative units.

Creating a Restricted Administrative Unit

Creating a restricted administrative unit is simple. Go to the Microsoft Entra admin center, access the administrative units blade, and add a new unit. Make sure that the Restricted management administrative unit option is set to Yes (Figure 1).

Figure 1: Creating a new restricted administrative unit

You can’t switch a normal administrative unit to restricted after creation, nor can you do the reverse and remove the restricted scope to make a restricted administrative unit “normal” once it’s created.

Management Roles for Restricted Administrative Units

Next, just like a regular administrative unit, you assign management roles. The difference is that Entra ID scopes these roles to the administrative unit, so you should assign appropriate roles that you consider necessary to manage the accounts and security groups (Microsoft 365 groups and distribution lists are unsupported) that are members of the administrative unit. For instance, if you want country-level management for user accounts, you’d assign administrators from that country to the User administrator role.

Figure 2 shows the final step of the creation wizard, where you can see that two role assignments exist for the restricted administrative unit. Administrators of restricted administrative units require Microsoft Entra ID P1 licenses.

Figure 2: Final stage of creating a new restricted administrative unit

Microsoft’s documentation includes more detail, including some limits and restrictions.

Restricted Administrative Units in Action

The nice thing about restricted administrative units is that accounts assigned global (full directory) roles cannot override the scoping that restricts management access to the administrative unit. Take the situation where a global administrator attempts to update the job title of an account that’s a member of a restricted administrative unit. The Microsoft Entra admin center blocks access to editing account properties (Figure 3).

Figure 3: Restricted administrative unit scoping prevents account property updates

And if the administrator tries to circumvent the block with PowerShell by running the Update-MgUser cmdlet, the operation fails with an insufficient privileges error:

Update-MgUser -UserId Rene.Artois@office365itpros.com -JobTitle "Cafe Owner and Resistence Hero"

update-mguser : Insufficient privileges to complete the operation. Target object is a member of a restricted management administrative unit and can only be modified by administrators scoped to that administrative unit. Check that you are assigned a role that has permission to perform the operation for this restricted management administrative unit. Learn more: https://go.microsoft.com/fwlink/?linkid=2197831
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied

Of course, global administrators can solve their problem by removing the account from the restricted administrative unit, updating the account properties, and putting them back into the unit. However, these actions create audit records that might be difficult for the administrator to explain.

Remember that individual user accounts can be members of multiple administrative units. For example, my account could be a member of four administrative units, two of which are restricted. In this situation, holders of roles assigned to either of the restricted administrative units can manage my account.
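As an added example (not code from the original post), the following Microsoft Graph PowerShell script lists every administrative unit an account belongs to, flags the restricted ones, and shows which role holders are scoped to each, which is the effective set of people who can manage that account. It assumes the Microsoft Graph PowerShell SDK, the permissions named in the comments, and that the SDK exposes the IsMemberManagementRestricted property on administrative units.

```powershell
# Added example: report the administrative units an account belongs to, which of them
# are restricted, and who holds roles scoped to each unit.
# Requires the Microsoft Graph PowerShell SDK; the permissions below are assumed to be
# sufficient for read-only reporting.
Connect-MgGraph -Scopes "User.Read.All","AdministrativeUnit.Read.All","RoleManagement.Read.Directory" -NoWelcome

$UserPrincipalName = "Rene.Artois@office365itpros.com"   # account used in the post
$User = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName

# memberOf returns groups, directory roles and administrative units; keep only the units
$AuIds = Get-MgUserMemberOf -UserId $User.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.administrativeUnit' } |
    Select-Object -ExpandProperty Id

# Fetch all directory role assignments once; unit-scoped assignments carry a
# directoryScopeId of /administrativeUnits/<unit id>
$AllAssignments = Get-MgRoleManagementDirectoryRoleAssignment -All

$Report = foreach ($AuId in $AuIds) {
    # Assumption: the SDK surfaces isMemberManagementRestricted as IsMemberManagementRestricted
    $Au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $AuId
    $Scoped = $AllAssignments | Where-Object { $_.DirectoryScopeId -eq "/administrativeUnits/$AuId" }
    foreach ($Assignment in $Scoped) {
        $Role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $Assignment.RoleDefinitionId
        $Principal = Get-MgDirectoryObject -DirectoryObjectId $Assignment.PrincipalId
        [PSCustomObject]@{
            User       = $User.DisplayName
            AdminUnit  = $Au.DisplayName
            Restricted = [bool]$Au.IsMemberManagementRestricted
            Role       = $Role.DisplayName
            Principal  = $Principal.AdditionalProperties.displayName
        }
    }
}

# Rows marked Restricted = True are the only role holders able to edit this account;
# global roles are blocked by the restricted unit, as the Update-MgUser error above shows
$Report | Sort-Object Restricted -Descending | Format-Table -AutoSize
```

If the account belongs to no restricted unit, the report contains only unrestricted rows and global administrators retain full access, so an empty set of Restricted = True rows is itself the finding to act on.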

New and Useful Scoping Mechanism

Restricted administrative units offer another way to scope responsibilities for account, device, and security group management. I suspect the lack of support for Microsoft 365 groups is because of the number of associated workloads that can connect to these groups. Not supporting distribution groups is also unsurprising given their affiliation with Exchange Online. The likelihood is that large enterprises will be most interested in the functionality, but it’s open to all tenants with the necessary licenses.


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Entra ID Administrative Units and Microsoft Purview Data Lifecycle Management
https://office365itpros.com/2023/05/08/entra-id-administrative-units-pv/
Mon, 08 May 2023

Use Entra ID Administrative Units to Scope Compliance Administrator Responsibilities

In a development designed to give complex organizations extra flexibility in managing Purview solutions, Entra ID (Azure AD) administrative units can now be used to assign segregated responsibility for policy management. This feature is already available in information protection and data loss prevention, and now extends to data lifecycle management (retention policies and labels), as announced in Microsoft 365 message center notification MC541152 (13 Apr 2023, Microsoft 365 roadmap item 117354). The functionality is in preview and is expected to roll out in June 2023. For now, it is only available in commercial tenants.

Limiting Scope for Administrators

Microsoft Purview uses administrative role groups to define what the members of each group can do. Each role group has a set of one or more roles to break down the scope of what an administrator can do into smaller tasks. For instance, the compliance administrator role group includes roles like “compliance search” (needed to run eDiscovery searches) and “retention management” (needed to work with retention labels and policies).

The default situation for a Microsoft 365 tenant is that compliance role groups have an organization-wide scope. In other words, once someone is in a role group, they can use the roles assigned to the group to perform administrative operations across the entire organization. This approach works well for small to medium organizations. It becomes less satisfactory as the size and complexity of organizations grow. For instance, a company might have IT administrators based in separate countries or assigned to handle work for different departments or operating units. In these situations, it might not be appropriate to have an administrator whose primary focus is dealing with French operations handle retention policies for German accounts.

Administrators and Entra ID Administrative Units

Administrative units allow an organization to logically organize directory objects into smaller units for management purposes. User accounts can be in multiple administrative units. For example, a user account could be in an administrative unit for their department and another for their country.

It’s very easy to create an administrative unit and add user accounts to it manually. It’s even easier and more powerful to use dynamic administrative units where Entra ID maintains the membership of the administrative unit based on object properties. And once you set up and populate the administrative units, you can assign them to members of Purview compliance role groups. In Figure 1, two members of the role group can work across the organization while the other three are limited to one or more administrative units.

Figure 1: Assigning members of a compliance role group to Entra ID administrative units

Entra ID Administrative Units and Adaptive Scopes

Data lifecycle management already has adaptive scopes, introduced in late 2021. Adaptive scopes allow organizations to target specific users, groups, and sites based on certain properties like a user’s country or department. It seems like an overlap might exist here but that’s not the case. Administrative units are all about limiting what an administrator can do when managing policies. Adaptive scopes are all about limiting the scope of processing when background jobs come to process the policies.

Looking back to Figure 1, Jessica Chen is an administrator whose limit is defined by the United States administrative unit. Any retention policy created by Jessica can only apply to accounts within that administrative unit. Figure 2 shows how to scope a retention policy to an administrative unit.

Figure 2: Adding an administrative unit to a retention policy

By contrast, my account is scoped for the organization, meaning that the policies I work with apply to everyone in the organization. Remember, an account can come within the scope of multiple retention policies, including Exchange Online mailbox retention policies, and individual items can have retention labels. The background jobs which apply policies follow the principles of retention to decide how to resolve the retention requirements for items.

Behind the scenes, the introduction of administrative units into the mix means that the background jobs (like the Exchange Managed Folder Assistant and the Retention assistant) make sure that a policy scoped to administrative units is not applied to accounts that are not in those administrative units.

One way of thinking about this is that all data lifecycle management policies use adaptive scopes and that the background jobs enforce the scopes when they run. In terms of flexibility, scoping runs from least adaptive to most adaptive:

  • Organization-wide with static locations (the default, available in Office 365 E3).
  • Organization-wide with adaptive locations (requires Office 365 E5).
  • Administrative-unit with static locations.
  • Administrative unit with adaptive locations.

Policies that use administrative units only process locations (like a mailbox) belonging to the administrative unit even if administrators add other locations to the policy.

Support for Entra ID Administrative Units in Other Purview Solutions

Administrative unit support is available in the following Microsoft Purview solutions:

  • Data Loss Prevention (DLP): Management of DLP policies, including restricting the visibility of DLP alerts to administrators.
  • Information Protection: Management of sensitivity label publishing policies. This includes the ability to see label actions in the Activity Explorer.

Licensing

To use administrative units, you need Entra ID Premium P1 licenses for every account in an administrative unit. Given that Enterprise Mobility and Security (EMS) now has 250 million users, the large enterprises likely to want to use administrative units have these licenses.

To assign administrative units to Purview administrators, you need Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, or Microsoft 365 E5/A5/F5 Information Protection & Governance licenses for each administrator. This requirement is a surprise, as usually Office 365 E5 is sufficient to cover advanced functionality.


Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
