Introduction to Azure Active Directory Administrative  Units

Play Introduction to Azure Active Directory Administrative Units

The Discussion

  • User profile image

    Why Administrative Units and not just use Groups?

  • User profile image

    Good point. But think about it. Groups are security principals. They are the entity that is granted or denied access to a certain resource. A group is granted read access to a file. A group is denied access to the payroll file and so on.

    Admin Units are the resources. They are closer in equivalence to the files in the above example. Sure you put users in them and they are a container in that respect, but they aren't security principals.

    Then we get in to the age-old argument about "yeah, but seeing as they are containers (or more accurately, they are lists), they are a bit like groups, so why don't you just modify the system so that groups can be both resources and security principals. That way, there'd be no need to think about yet another container-type".

    But of course that would require fundamental changes to the underlying system and the way it's been set out architecturally from first principles. Maybe we could have a special type of group that only has the properties of a resource, not of a security principal. Well, luckily - that's effectively what an Admin Unit is. But I get your point, on the surface it seems like inventing something that's already been invented. But hopefully this explains why it's not like that.

  • User profile image


       Thanks for the Video.  Quick question, Is this essentially being able to delegate permissions for an administrative activity (or group of activities) to a Administrative unit?  Is this like delegating permissions to OU's in  AD DS?

    The only difference I can see, users can belong to multiple admin units groups where in AD DS you cannot belong to multiple OU's.  Did i get that right?  Its just 365's way to delegate permissions.  Can you point out the big differences between the two.

    Also is it possible to assign or delegate permissions from a Synchronized Active directory forest to Azure Administrative Units? 


    Edit: Grammar

  • User profile image


    To answer your first two question - yes, provided when you say "administrative activity" that is synonymous with administrative role. Yes, it is somewhat like delegating permissions over OUs in AD DS.

    To answer your third question - that is one of the most obvious differences. To explain further, AUs in AAD and OUs in AD DS are similar in that they are both used for delegating administrative permissions. In AD DS objects exist in a nested LDAP hierarchy of domains/OUs (as you state, an object can only be in one container). AAD, on the other hand, is a relational directory, so users are related to AUs using membership links, more like membership to a group. In this way, users are linked to AUs but are not contained in them.

    To answer your forth question - not today, though it is something we are looking into supporting in a future release.


    Best regards,

    Vince Smith

  • User profile image

    Is this an AD Premium feature? If so, do all users need to be licensed as AD premium users?

  • User profile image
    Pinesh Patel

    Good video,

    question, we have OU in AD and we have delegated permissions to the user per OU for the Administration.. is there a way to get OU Objects and add them to AU?

  • User profile image
    Luis Chavez

    Great video, is there a way to automatically update the member in AU when a new account is created/deleted? If not, can we add groups to AUs so that their members are part of the AUs?


Add Your 2 Cents