Splitting User Management by Geo-Location in a Single Microsoft Entra ID Tenant

Gnrgy IT, Gnrgy 60 Reputation points
2025-03-12T12:32:55.86+00:00

Our organization operates under a single Microsoft Entra ID (Azure AD) tenant, where all users reside. We have a requirement to logically separate users based on their geo-location (India and Israel) while keeping them under the same tenant and domain.

Key Requirements:

  1. Separation of Users: Users should be grouped into two distinct sets (India & Israel) without creating a new tenant or domain.
  2. Independent Administration: Each region should have its own admin(s) who can manage only their respective users.
  3. No Cross-Access: Admins of one region must not have access to users or resources of the other region.
  4. Common Parent Organization: The structure should allow for an overall governance layer, but day-to-day management should remain independent for each region.

Is it possible to achieve this setup within a single Entra ID tenant? If so, what would be the best approach to enforce this separation using Entra ID or any other recommended method?

Looking forward to expert suggestions. Thanks in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Anonymous
    2025-03-12T15:03:12.65+00:00

    Hello Gnrgy,

    Question: Splitting User Management by Geo-Location in a Single Microsoft Entra ID Tenant

    Best Approach:

    You can accomplish the configuration you outlined in a single Microsoft Entra ID tenant by utilizing Role-Based Access Control (RBAC) and Azure AD Administrative Units (AUs) to accomplish restricted access, administrative autonomy, and logical user separation.

    Check this: Detailed Explanation https://www.youtube.com/watch?v=LNVbdsp0_Y8

    Administrative Units (AUs) help you logically organize users, groups, and devices within a single Azure AD tenant. For example, you can set up distinct AUs for India and Israel, grouping users according to their geographic location.

    AUs offer a way to isolate users and resources within the same tenant without requiring the creation of separate domains or tenants.

    Create two Administrative Units: one for India and another for Israel.

    Assign users to the appropriate AU based on their geographical location.

    Within each AU, manage resources such as users, groups, and devices specific to that region.

    Role-Based Access Control (RBAC) allows you to assign region-specific administrative roles to users within the AUs.

    You can create custom roles with limited access to specific AUs, allowing admins to manage only users and resources within their designated region.

    At the parent level, Entra ID Privileged Identity Management (PIM) can be used to set up a comprehensive governance layer by auditing and managing privileged roles, ensuring that elevated access is properly controlled and monitored.

    This enables centralized governance and control over the tenant, while allowing day-to-day management to remain separate and independent for each region.

    Refer to the public documents: Role-based-access-control
    Admin-units-restricted-management
    Administrative-units

    Also refer to these Q&A articles:
    Q&A - Article 1
    Q&A - Article 2
    Q&A - Article 3
    Q&A - Article 4

    I hope this clarifies things. Please contact us in the comment section if you have any additional questions.

    Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the answers.
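The following is an added example, not code from the answer above or from Microsoft, showing how the steps it describes (two administrative units, users assigned by region, a User Administrator role scoped to each AU, and a check that the regional admin holds nothing tenant-wide) look in the Microsoft Graph PowerShell SDK. It assumes the users' `country` attribute is populated with the ISO codes `IN` and `IL`, and the regional admin UPNs are placeholders; the AUs are created with restricted management enabled, which can only be set at creation time.

```powershell
# Added example (not from the Q&A answer): region-scoped administrative units and
# AU-scoped role assignments with the Microsoft Graph PowerShell SDK.
# Assumptions: users carry a populated 'country' attribute ('IN' / 'IL'); the
# admin UPNs below are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Region -> (country code on the user object, placeholder regional admin UPN)
$regions = @{
    "India"  = @{ Country = "IN"; Admin = "india-admin@contoso.example" }
    "Israel" = @{ Country = "IL"; Admin = "israel-admin@contoso.example" }
}

# Built-in role each regional admin receives, scoped to their AU only.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

function New-RegionalAdminUnit {
    param([string]$Name, [string]$Country, [string]$AdminUpn)

    # Restricted management: objects in this AU can be modified only by admins holding a
    # role at the AU scope; tenant-scoped role holders cannot, unless also assigned at the
    # AU scope. The flag is fixed at creation time, hence the BodyParameter hashtable.
    $au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
        DisplayName                  = "$Name Users"
        Description                  = "Users located in $Name"
        IsMemberManagementRestricted = $true
    }

    # Populate the AU from the 'country' attribute (assumed to be maintained by HR sync).
    $members = Get-MgUser -Filter "country eq '$Country'" -All -Property Id, UserPrincipalName
    foreach ($u in $members) {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)"
        }
    }

    # Scope the role assignment to the AU, never to "/" (the whole tenant).
    $admin = Get-MgUser -UserId $AdminUpn
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
        RoleDefinitionId = $roleDef.Id
        PrincipalId      = $admin.Id
        DirectoryScopeId = "/administrativeUnits/$($au.Id)"
    } | Out-Null

    return $au
}

# Verification: a regional admin must hold no directory role assignment scoped to the
# tenant root ("/"); any such assignment would defeat the "no cross-access" requirement.
function Test-RegionalAdminScope {
    param([string]$AdminUpn)
    $admin       = Get-MgUser -UserId $AdminUpn
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'"
    $tenantWide  = $assignments | Where-Object { $_.DirectoryScopeId -eq "/" }
    if ($tenantWide) {
        Write-Warning "$AdminUpn holds tenant-wide role(s): $($tenantWide.RoleDefinitionId -join ', ')"
        return $false
    }
    return $true
}

foreach ($name in $regions.Keys) {
    $r  = $regions[$name]
    $au = New-RegionalAdminUnit -Name $name -Country $r.Country -AdminUpn $r.Admin
    "{0}: AU {1}, scope check passed = {2}" -f $name, $au.Id, (Test-RegionalAdminScope -AdminUpn $r.Admin)
}
```

Run `Test-RegionalAdminScope` periodically (or from a scheduled pipeline) rather than once: a later tenant-wide role grant to a regional admin silently re-opens cross-region access. AU scoping also only applies to the Entra roles and operations that honour it, so check each Microsoft 365 workload the regions use before relying on this as the sole boundary.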


1 additional answer

Sort by: Most helpful
  1. Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
    2025-03-12T16:58:58.6633333+00:00

    Administrative units are what Microsoft provides in terms of built-in functionality to address such scenarios; the answer above gives you a good summary. It does not, however, mention some of the limitations of AUs and the built-in RBAC model, namely the limited number of admin roles and operations supported, and the lack of support across some of the Microsoft 365 workloads. Whether those will be issues for you depends on the details of your desired implementation, and the footprint you have across various Microsoft 365 workloads.

    The alternative is to use third-party "portal replacement" type of products, which basically serve as the admin plane for the segregated organizations. The downside is that those come at a cost, and add another layer to the picture.
