Azure Entra Administrative units

Ijaz Muhammad 81 Reputation points
2024-06-25T07:09:05.42+00:00

I have created an administrative unit for external guest users and added a few external guest users.

From the users, I have chosen a user and assigned the user admin role.

My requirement is that this external admin user will be able to manage these users in this administrative unit. This admin user should be able to manage user creation for this administrative unit. Will this work like that?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee
    2024-06-26T06:55:11.82+00:00

    @Ijaz Muhammad

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you have an administrative unit created in Entra. You have multiple guest users from different organizations. Now you want one user from one entity to manage this administrative unit in terms of adding users or managing users.

    This is possible. All you have to do is assign the "User Administrator" role to any one of the guest users within the administrative unit scope.

    An account with the User Administrator role can manage all aspects of users and groups, including resetting passwords for limited admins, within the assigned administrative unit only. It cannot currently manage users' profile photographs.

    When a Microsoft Entra role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and don't apply to tenant-wide settings or configurations.

    For example, an administrator who is assigned the User Administrator role at the scope of an administrative unit can manage groups that are members of the administrative unit, but they can't manage other users in the tenant. They also can't manage tenant-level settings related to users, such as expiration or group naming policies.

    Since we are talking about the User Administrator role, you can make this role eligible for role assignment in PIM. Once this is done, you can assign this role to any of the users within this administrative unit for managing other guest users.

    You can follow the article below for the same:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-assign-roles

    Also, you can refer to the article below for more information regarding administrative units:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

    Note: Make sure you are meeting all the prerequisites to implement this in your environment.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
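The scoped assignment the accepted answer describes, as an added example that is not part of the original thread or of Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK to find the administrative unit, activate the User Administrator role if it has never been used in the tenant, assign it to a guest user scoped to that unit only, and then confirm from the role assignment's `directoryScopeId` that the permission is unit-scoped rather than tenant-wide. The unit name `Guest-Partner-AU` and the guest's user principal name are placeholder assumptions; replace them with your own values.

```powershell
# Added example (not from the Q&A post): give a guest user the User Administrator
# role scoped to one administrative unit, then verify the scope of the assignment.
# Placeholders: the AU display name and the guest UPN below are assumed values.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                         "RoleManagement.ReadWrite.Directory",
                         "User.Read.All"

$auName   = "Guest-Partner-AU"                                    # assumed AU name
$adminUpn = "partneradmin_contoso.com#EXT#@fabrikam.onmicrosoft.com"  # assumed guest UPN

# 1. Resolve the administrative unit and the guest who will administer it.
$au        = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
$adminUser = Get-MgUser -Filter "userPrincipalName eq '$adminUpn'"
if (-not $au -or -not $adminUser) { throw "Administrative unit or admin user not found." }

# 2. A built-in role is only listed by Get-MgDirectoryRole after it has been
#    activated once in the tenant; activate it from its template if needed.
$role = Get-MgDirectoryRole -Filter "displayName eq 'User Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'User Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# 3. Create the assignment on the AU's scopedRoleMembers collection. This is what
#    restricts the role to members of this unit instead of the whole tenant.
$roleMemberInfo = @{ id = $adminUser.Id }
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -RoleId $role.Id -RoleMemberInfo $roleMemberInfo | Out-Null

# 4. Verify the scope. A unit-scoped assignment has directoryScopeId
#    "/administrativeUnits/<AU id>"; a tenant-wide one has "/".
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($adminUser.Id)'"
foreach ($a in $assignments) {
    $scope = if ($a.DirectoryScopeId -eq "/administrativeUnits/$($au.Id)") { "AU-scoped (expected)" }
             elseif ($a.DirectoryScopeId -eq "/")                           { "TENANT-WIDE (review!)" }
             else                                                            { "other scope" }
    "{0}  roleDefinitionId={1}  {2}" -f $a.DirectoryScopeId, $a.RoleDefinitionId, $scope
}

# 5. Optional: list who currently holds scoped roles on this unit, for auditing.
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = 'MemberId'; e = { $_.RoleMemberInfo.Id } },
                          @{ n = 'Member';   e = { $_.RoleMemberInfo.DisplayName } }
```

The verification step matters because the same role can also be held tenant-wide; if step 4 prints a `/` scope for this principal, the unit-scoped assignment is not what limits their reach, and the tenant-wide assignment should be reviewed. Step 5 is the query to repeat periodically so that scoped administrators on a unit of external guests stay visible to whoever owns the tenant's privileged-role review.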

0 additional answers
