Azure AD Administrative Units in Exchange Online

Administrative Units in Azure AD are a useful method for delegating permissions to administrators to perform specific tasks over a group or subset of users.

For example, a University may have separate schools, faculties and business units with a requirement to delegate administrative control to allow administrators to manage only user accounts within their faculty.

The administrative units that are created in Azure AD can be used to set delegated administrative permissions within Exchange Online. In this example, I will be delegating control of users with a Department of Merlus by adding those users to an Administrative Unit, then assigning a role and administrators.

Create Azure AD Administrative Unit

When reviewing the documentation for administrative units https://docs.microsoft.com/en-us/azure/active-directory/active-directory-administrative-units-management , it refences cmdlets using the Azure AD V2 PowerShell module.

I downloaded the latest V2 version, and could not find some of these cmdlets. To implement I used the Azure AD MSOL PowerShell modules, which appear to be pretty much the same.

The following cmdlet will create the administrative unit:

After the Administrive Unit has been created in Azure AD, you can view that it has been synchronised and available to use in Exchange Online using the following command:

Add managed members to Administrative Unit

The next step is to add the members that are to be managed to the administrative unit. In this example, it will be users that have a department of Merlus.

The following commands will add the required users to the administrative unit in Azure AD:

After the user has been added to the administrative unit in Azure AD, you can check the mailbox in Exchange Online and see that the property AdministrativeUnits matches the objectID, that shows that the user is part of the administrative unit.

Delegate administrative role using Administrative Unit scope

The final step is to create the management role assignment and scope it to the administrative unit recipient scope. In the example, we are using the built in “Mail Recipients” role and delegating the admin role to a specific user, but you could use any role and also assign the permission to a security group.

After this has been set, our administrator will be able to manage recipients that exist within the administrative unit only. Our test user Make Pole, was added to the administrative unit and we can set the mailbox delegation permissions.

However, another user who was not added to the unit we are not able to manage the mailbox permissions (no + icon to add).