GOV-08LowEnhanced Security
Administrative Unit Boundaries
Governance & Hygiene control for Microsoft 365 and Entra ID
Why This Control Matters
Without administrative boundaries, any admin with sufficient permissions can manage all users. Administrative units create delegation boundaries, and restricted management prevents higher-privileged admins from overriding unit-scoped administrators.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1Administrative units are configured for delegated administration
- 2Restricted management is enabled for sensitive units
- 3Admin scope is limited to their designated units
Enforcement
Default Mode
Advisory
Alerts on deviations but does not make changes
Auto-Remediation
Manual Only
Administrative units require manual configuration in Entra ID
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.