GOV-08: Administrative Unit Boundaries
Overview
In a flat tenant, any admin with a directory role can manage every user. A Helpdesk Administrator scoped to the whole tenant can reset the password of a finance director or a fellow administrator. That is far more reach than most delegated admins need, and it turns a single compromised helpdesk account into a tenant-wide risk.
Administrative units create delegation boundaries. An administrative unit is a container of users, groups, or devices, and you scope a role assignment to that unit so the admin can only manage members inside it. A regional IT lead manages only their region; a department admin manages only their department. Restricted management administrative units go further: they prevent even higher-privileged, tenant-level admins from managing the unit's members except through the unit's own scoped roles, which protects sensitive populations such as executives or break-glass accounts.
This control assesses whether administrative boundaries are in place. The expected state is:
- Administrative units are configured for delegated administration.
- Restricted management is enabled for sensitive units.
- Admin scope is limited to their designated units.
- Control ID: GOV-08
- Category: Governance & Hygiene
- Baseline Level: Level 2 (Enhanced Security)
- Severity: Low
- License Required: Microsoft Entra ID P1. Restricted management administrative units also require P1.
This is an advisory, manual control. Administrative units reflect your organizational structure, so TrueConfig reports whether they are configured but the units, memberships, and scoped role assignments must be designed and created by an administrator.
Prerequisites
Required Roles
- Privileged Role Administrator - Can create administrative units and assign scoped roles
- Global Administrator - Full access, use only when a scoped role is not available
Required Licenses
- Microsoft Entra ID P1 for the administrators who receive scoped role assignments
Pre-Configuration Requirements
- Map your delegation model. Decide the boundaries that matter (region, department, subsidiary) and which admins should be scoped to each.
- Identify sensitive populations that warrant restricted management, such as executives, VIP accounts, or emergency access accounts.
- Decide membership type. Units can have manually assigned members or, with the right licensing, dynamic membership rules based on user attributes.
Time Estimate
| Task | Duration |
|---|---|
| Design the delegation model | 1-2 hours |
| Create administrative units | 15-30 minutes each |
| Assign members (manual or dynamic) | 15-45 minutes each |
| Assign scoped roles and test | 30-60 minutes |
Step-by-Step Instructions
Step 1: Create an Administrative Unit
- Navigate to the Microsoft Entra admin center (https://entra.microsoft.com).
- Go to Identity > Roles & admins > Administrative units.
- Click Add.
- Provide a name and description that reflect the boundary (for example, "AU-EMEA-Users").
- For a sensitive population, set Restricted management administrative unit to Yes on the properties step so tenant-level admins cannot manage its members outside the unit's scoped roles.
- Click Create.
Step 2: Add Members
Choose how members are populated:
- Assigned membership: add specific users, groups, or devices manually.
- Dynamic membership: define a rule (for example, `user.department -eq "Finance"`) so membership stays current automatically as attributes change.
Add the members that fall within this unit's boundary.
Step 3: Assign Scoped Roles
- Open the administrative unit and go to Roles and administrators.
- Select the role to delegate (for example, User Administrator or Helpdesk Administrator).
- Add the admin who should manage only this unit.
The admin now holds that role scoped to the unit's members only, not the whole directory.
Steps 1 and 2 can also be performed with the Microsoft Graph PowerShell SDK:

```powershell
# Connect with the permissions needed to manage administrative units and role assignments
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# Create an administrative unit (Step 1)
$au = New-MgDirectoryAdministrativeUnit -DisplayName "AU-EMEA-Users" -Description "EMEA user delegation boundary"

# Add a member by object reference (Step 2); replace <user-object-id> with the user's object ID
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/<user-object-id>"
}
```
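The page's snippet stops before Step 3. The following is an added example, not code from the page or from TrueConfig, that completes the delegation: it assigns Helpdesk Administrator scoped to the unit and reads the assignment back to confirm the scope is the unit path rather than the tenant root. The `<au-object-id>` and `<admin-object-id>` values are placeholders you must replace.

```powershell
# Added example: assign a directory role scoped to an administrative unit (Step 3 via Graph PowerShell)
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All"

# Placeholders (replace): the unit's object ID and the delegated admin's object ID
$auId    = "<au-object-id>"
$adminId = "<admin-object-id>"

# Resolve the role definition by display name rather than hard-coding a template ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) { throw "Role definition not found" }

# The directory scope is the unit path; "/" would be the whole tenant
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $adminId `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$auId"

# Read the assignment back and fail loudly if it landed at tenant scope
$check = Get-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
if ($check.DirectoryScopeId -eq "/") {
    throw "Assignment is tenant-wide; remove it and re-run with the unit scope"
}
"Assigned $($role.DisplayName) to $adminId with scope $($check.DirectoryScopeId)"
```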
Step 4: Verify the Boundary Holds
- Sign in as the scoped admin (or use a test account with the scoped role).
- Confirm they can manage members inside their unit.
- Confirm they cannot manage users outside the unit.
- For restricted management units, confirm that a tenant-level admin without a unit-scoped role cannot modify the unit's members.
Verification Checklist
- A delegation model is documented (which boundaries exist and who administers each).
- Administrative units are created for each delegation boundary.
- Sensitive populations use restricted management administrative units.
- Members are assigned (manually or via dynamic rules).
- Roles are assigned scoped to the unit, not tenant-wide.
- Scoped admins can manage only their unit's members (verified by testing).
- TrueConfig reflects that administrative units are configured for GOV-08.
Troubleshooting
Issue: A scoped admin can still manage users outside their unit
Cause: The admin also holds the same role assigned at tenant scope, which overrides the narrower scope.
Solution:
- Review the admin's role assignments.
- Remove any tenant-wide assignment of the same role so only the unit-scoped assignment remains.
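To make the review in the solution above repeatable, here is an added example (not from the page or from TrueConfig) that lists one admin's active role assignments and flags any role held both tenant-wide and scoped to a unit, which is exactly the condition that defeats the boundary. `<admin-object-id>` is a placeholder.

```powershell
# Added example: detect a unit-scoped role that is overridden by a tenant-wide assignment of the same role
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

# Placeholder (replace): object ID of the delegated admin to audit
$adminId = "<admin-object-id>"

# Active role assignments for this principal (direct assignments only)
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$adminId'"

# Group by role; scope "/" is the tenant root, "/administrativeUnits/<id>" is a unit boundary
foreach ($group in ($assignments | Group-Object -Property RoleDefinitionId)) {
    $roleName   = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $group.Name).DisplayName
    $scopes     = @($group.Group.DirectoryScopeId)
    $tenantWide = $scopes -contains "/"
    $unitScoped = @($scopes | Where-Object { $_ -like "/administrativeUnits/*" })

    if ($tenantWide -and $unitScoped.Count -gt 0) {
        Write-Warning "$roleName is assigned tenant-wide AND scoped to $($unitScoped -join ', '); the tenant-wide assignment overrides the unit boundary"
    } elseif ($tenantWide) {
        Write-Output "$roleName : tenant-wide"
    } else {
        Write-Output "$roleName : scoped to $($unitScoped -join ', ')"
    }
}
```

Assignments inherited through role-assignable groups or held as PIM-eligible are not returned by this principalId filter, so check those separately when the warning does not appear but the admin can still reach users outside the unit.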
Issue: Dynamic membership rule is not populating the unit
Cause: The rule syntax is incorrect, the attribute is not populated on user accounts, or licensing for dynamic membership is missing.
Solution:
- Validate the rule against a known user's attributes.
- Confirm the source attribute (for example, `department`) is set on the accounts.
- Allow time for the rule to evaluate after creation.
Issue: A tenant admin unexpectedly cannot manage certain accounts
Cause: Those accounts are in a restricted management administrative unit, which is working as designed.
Solution:
- This is expected. Management of restricted units flows only through the unit's scoped roles.
- Grant the admin a scoped role on the unit if they legitimately need access, or perform the change as a member of the unit's assigned administrators.
Cost Considerations
Administrative units require Microsoft Entra ID P1 for the administrators who receive scoped role assignments. Restricted management administrative units require P1 as well.
- Licensing scope. The P1 requirement applies to the delegated administrators, not to every managed user. Most organizations on Business Premium, E3, or E5 already have P1.
- Design effort. The main cost is the one-time work of mapping the delegation model and creating units. Dynamic membership reduces ongoing maintenance by keeping units current automatically.
- Return. Scoped administration enforces least privilege for delegated admins and limits the blast radius of a compromised helpdesk or user admin account. Restricted management adds a strong protection layer around executives and break-glass accounts.
Because of the P1 requirement and the design effort involved, GOV-08 is a Level 2 control.
Related Controls
- PA-02: Use Dedicated Admin Accounts (separate admin identities from daily-use accounts)
- GOV-06: Entitlement Management (govern access provisioning)
- GOV-07: Audit Privileged Role Assignments (baseline and monitor who holds roles)