Restricted management administrative units in Microsoft Entra ID (Preview)
Important
Restricted management administrative units are currently in PREVIEW. See the Product Terms for legal terms that apply to features that are in beta, preview, or otherwise not yet released into general availability.
Restricted management administrative units allow you to protect specific objects in your tenant from modification by anyone other than a specific set of administrators that you designate. This allows you to meet security or compliance requirements without having to remove tenant-level role assignments from your administrators.
Why use restricted management administrative units?
Here are some reasons why you might use restricted management administrative units to help manage access in your tenant.
- You want to protect your C-level executive accounts and their devices from Helpdesk Administrators who would otherwise be able to reset their passwords or access BitLocker recovery keys. You can add your C-level user accounts in a restricted management administrative unit and enable a specific trusted set of administrators who can reset their passwords and access BitLocker recovery keys when needed.
- You're implementing a compliance control to ensure that certain resources can only be managed by administrators in a specific country. You can add those resources in a restricted management administrative unit and assign local administrators to manage those objects. Even Global Administrators won't be allowed to modify the objects unless they assign themselves explicitly to a role scoped to the restricted management administrative unit (which is an auditable event).
- You're using security groups to control access to sensitive applications in your organization, and you don't want to allow your tenant-scoped administrators who can modify groups to be able to control who can access the applications. You can add those security groups to a restricted management administrative unit and then be sure that only the specific administrators you assign can manage them.
Note
Placing objects in restricted management administrative units severely restricts who can make changes to the objects. This restriction can cause existing workflows to break.
What objects can be members?
Here are the objects that can be members of restricted management administrative units.
Microsoft Entra object type | Administrative unit | Administrative unit with restricted management setting enabled |
---|---|---|
Users | Yes | Yes |
Devices | Yes | Yes |
Groups (Security) | Yes | Yes |
Groups (Microsoft 365) | Yes | No |
Groups (Mail enabled security) | Yes | No |
Groups (Distribution) | Yes | No |
What types of operations are blocked?
For administrators not explicitly assigned at the restricted management administrative unit scope, operations that directly modify the Microsoft Entra properties of objects in restricted management administrative units are blocked, whereas operations on related objects in Microsoft 365 services aren't affected.
Operation type | Blocked | Allowed |
---|---|---|
Read standard properties like user principal name, user photo | ✅ | |
Modify any Microsoft Entra properties of the user, group, or device | ❌ | |
Delete the user, group, or device | ❌ | |
Update password for a user | ❌ | |
Modify owners or members of the group in the restricted management administrative unit | ❌ | |
Add users, groups, or devices in a restricted management administrative unit to groups in Microsoft Entra ID | ✅ | |
Modify email and mailbox settings in Exchange for the user in the restricted management administrative unit | ✅ | |
Apply policies to a device in a restricted management administrative unit using Intune | ✅ | |
Add or remove a group as a site owner in SharePoint | ✅ |
Who can modify objects?
Only administrators with an explicit assignment at the scope of a restricted management administrative unit can change the Microsoft Entra properties of objects in the restricted management administrative unit.
User role | Blocked | Allowed |
---|---|---|
Global Administrator | ❌ | |
Tenant-scoped administrators (including Global Administrator) | ❌ | |
Administrators assigned at the scope of restricted management administrative unit | ✅ | |
Administrators assigned at the scope of another restricted management administrative unit of which the object is a member | ✅ | |
Administrators assigned at the scope of another regular administrative unit of which the object is a member | ❌ | |
Groups Administrator, User Administrator, and other role assigned at the scope of a resource | ❌ | |
Owners of groups or devices added to restricted management administrative units | ❌ |
Limitations
Here are some of the limits and constraints for restricted management administrative units.
- The restricted management setting must be applied during administrative unit creation and can't be changed once the administrative unit is created.
- Groups in a restricted management administrative unit can't be managed with Microsoft Entra ID Governance features such as Microsoft Entra Privileged Identity Management or Microsoft Entra entitlement management.
- Role-assignable groups, when added to a restricted management administrative unit, can't have their membership modified. Group owners aren't allowed to manage groups in restricted management administrative units and only Global Administrators and Privileged Role Administrators (neither of which can be assigned at administrative unit scope) can modify membership.
- Certain actions might not be possible when an object is in a restricted management administrative unit, if the required role isn't one of the roles that can be assigned at administrative unit scope. For example, a Global Administrator in a restricted management administrative unit can't have their password reset by any other administrator in the system, because there's no admin role that can be assigned at the administrative unit scope that can reset the password of a Global Administrator. In such scenarios, the Global Administrator would need to be removed from the restricted management administrative unit first, and then have their password reset by another Global Administrator or Privileged Role Administrator.
- When deleting a restricted management administrative unit, it can take up to 30 minutes to remove all protections from the former members.
Programmability
Applications can't modify objects in restricted management administrative units by default. To grant an application access to manage objects in a restricted management administrative unit, you must assign a Microsoft Entra role to the application at the scope of the restricted management administrative unit. If you assign Microsoft Graph application permissions to the application, those permissions won't apply because it's restricted.
License requirements
Restricted management administrative units require a Microsoft Entra ID P1 license for each administrative unit administrator, and Microsoft Entra ID Free licenses for administrative unit members. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.