Create Azure AD Administrative Units

Azure AD Administrative Units are a great way to manage access. You can create a new Azure AD Administrative Unit in just a few steps and then add user accounts to it.

This will allow you to easily manage who has access, and when they have access. It’s a great way to control who has the ability to modify objects in the directory, so you don’t have to give administrative privileges out in a hurry!

Azure AD Administrative Units are Azure AD hierarchical data collections. These data collections allow you to organize users, groups, and company assets in a way that best meets your requirements for security, governance, or compliance.

The great selling point of Administrative Units is that we no longer need to give administrators administrative rights to all the users in the org. We can now let specific users administration right over a group of users.

Create Azure Ad Administrative Units

You can create a unit from the Azure AD portal by clicking on Administrative units.

Note: To manage users within an Azure AD Administrative Unit, the users that get the administrative role will Azure AD P1 licence. The users that are managed need the Azure AD Free licence.

Let’s go ahead and create a unit and start with a name. In my case, I am going to create a unit that will hold all my users in the Asia region and will assign a user to manage them using the User Administrator role.

From the Assign roles page, I will assign the User administrator role.

From the Add assignment section, I will search for the user that will be the administrator and finish the wizard.

Below you can see the unit is ready and all I have to do is click on in and add users.

Using the Add member I will add users.


Azure AD Administrative Units is a new feature that helps you manage access permissions to Azure resources by assigning a specific set of Azure AD administrative units to a user or group. You can use these units to configure permissions for a particular resource, such as limiting access to the resource to only those people who are members of a particular Azure Active Directory security group, and different units can control permissions for different resources. Controlling access with Azure AD Administrative Units gives you more flexibility in how you set up access permissions for your organization’s resources.