Microsoft Entra delegated administration architecture

Microsoft Entra Administrative Units Design Guide

Delegate identity operations to the right administrators, over the right users, groups, and devices, without confusing a scoped role boundary with a tenant partition or a complete Microsoft 365 security perimeter.

Scoped rolesAssigned or dynamic membershipRestricted managementWorkflow testingRecovery authority
Microsoft Entra administrative units architecture with scoped administrator keys, separate user group and device zones, restricted management enclave, blocked tenant-wide path, and evidence records
Administrative units scope supported Entra roles to selected directory objects; restricted management adds a stronger, intentionally disruptive protection boundary.

Design objective

Delegate a precise management task—not a vague region, department, or support title

An administrative unit is a container used to scope supported Microsoft Entra role permissions to selected directory objects. It can help a school, region, subsidiary, business unit, executive-support team, or device-operations team manage only the users, groups, or devices in its responsibility.

The unit does not create a separate tenant, security boundary for every Microsoft 365 service, network boundary, or automatic ownership model. A role assigned at administrative-unit scope applies to supported operations on objects in the unit; it does not automatically grant control of the administrative-unit object itself or every resource related to those members.

Critical scope nuance: adding a group places the group object in scope—not its members. A scoped Groups Administrator may manage that group when the role supports the action, but the users inside it are not thereby members of the administrative unit.

Minimum architecture record

  • Unit name, object ID, business purpose, owners, backup owners, and review date
  • Standard or restricted mode, immutable choices, member types, and membership method
  • Every scoped role, assignee, eligibility/activation model, approval, and emergency authority
  • Supported and unsupported tasks, Microsoft 365 dependencies, automation, and known workflow conflicts
  • Test identities, evidence, alerting, removal process, failback, and residual risk

Scope the object

Inventory the exact users, groups, or devices that operations must manage. Avoid using organizational labels without a source and lifecycle.

Scope the role

Select the least-privileged built-in or custom role that supports the required action at administrative-unit scope.

Prove the task

Test allowed and denied actions from the administrator’s real portals, Graph clients, automation, and Microsoft 365 workflows.

Architecture choices

Separate standard delegation, dynamic population, and restricted management

ModelBest fitImportant boundaryEvidence
Assigned standard unitUsers, groups, and devices are added through an approved workflow.Membership is manual or automated externally; role permissions remain limited to supported scoped operations.Member register, requester, approver, administrator assignments, task tests, and removal evidence.
Dynamic user unitA governed user attribute reliably maps the operational boundary.Dynamic membership owns additions/removals; users require appropriate P1 coverage; groups cannot be included.Rule, attribute authority/write control, validation samples, processing state, count history, and fallback.
Dynamic device unitDevice attributes define a support or management population.Only device attributes can be referenced; user and device objects cannot be mixed in one dynamic unit.Graph samples, join/registration state, duplicate/stale handling, validation, and device-lifecycle owner.
Restricted management unitSelected executives, sensitive security groups, or devices require protection from tenant-scoped administrators.Restriction is chosen at creation and cannot be changed; workflows can break; only explicitly scoped administrators modify protected Entra properties.Threat model, supported object/role matrix, recovery administrators, workflow tests, alerts, audit records, and approval.
Licensing: Microsoft requires Entra ID P1 or P2 for each administrative-unit administrator. Assigned members need Entra ID Free; dynamic administrative units require P1/P2 coverage for each unique user member. Confirm the current agreement before deployment.

Membership and role semantics

Map every object, assignee, role, and downstream action explicitly

QuestionWhat to verifyCommon false assumptionControl
Who is in scope?Direct user, group-object, and device membership; overlaps; dynamic rules; disabled/stale objects.A group’s members inherit administrative-unit membership.Export member object IDs and types; compare them with the intended support population.
Who can act?Direct or group-based scoped role assignees, activation, approval, MFA, device, location, and emergency path.A unit owner or descriptive contact automatically has management authority.Record role-assignment IDs, principal IDs, scope IDs, dates, approver, and authentication controls.
What can they do?Exact role actions supported at administrative-unit scope in Entra portal, Graph, PowerShell, and connected workflows.Every action in the role is scope-aware, or every Microsoft 365 admin portal honors the same boundary.Build a positive/negative task matrix and test with a nonprivileged pilot administrator.
What overlaps?Members in multiple units, multiple scoped roles, tenant-wide roles, restricted units, and inherited group assignment.The narrowest scope overrides broader permission. Effective access is generally cumulative.Calculate effective roles and test against an in-scope and out-of-scope control object.

Supported-task matrix

Test create, read, update, reset, add/remove member, device action, authentication-method, group, license, and recovery tasks individually.

Denied-task matrix

Use control objects outside the unit and prove the scoped administrator cannot act on them through every supported interface.

Dependency matrix

Record help-desk, HR, sync, Graph, automation, Exchange, Teams, SharePoint, Intune, PIM, and governance dependencies.

Restricted management

Use the hardened boundary only after proving that operations and recovery will still work

What it protects

  • Direct modification of protected users, devices, and supported security-group properties in Microsoft Entra
  • Objects from tenant-scoped administrators unless they receive an explicit role at the restricted-unit scope
  • Executive accounts, sensitive security groups, or devices where broad help-desk or group administration is unacceptable
  • Auditable self-assignment by a Global Administrator or Privileged Role Administrator when recovery is required

What it does not guarantee

  • Protection of related objects and actions in every Microsoft 365 service
  • Support for Microsoft 365, mail-enabled security, or distribution groups as restricted members
  • Compatibility with PIM for Groups, entitlement management, lifecycle workflows, or access reviews for protected users/groups
  • That every needed action has a role available at administrative-unit scope
Immutable decision: restricted management must be enabled when the administrative unit is created and cannot later be changed. Treat the choice as an architecture and recovery decision, not a simple security toggle.

Deployment lifecycle

Pilot delegation with real tasks, control objects, and a tested recovery path

Stage 1

Discover

Inventory roles, operators, objects, workflows, portals, APIs, licensing, governance, and existing tenant-wide privilege.

Stage 2

Design

Choose standard/restricted and assigned/dynamic models; document purpose, membership, task matrix, and recovery.

Stage 3

Build

Create the unit, add pilot objects, assign the minimum role, configure approval/activation, and preserve identifiers.

Stage 4

Validate

Test allowed tasks, denied out-of-scope tasks, automation, Microsoft 365 workflows, logging, and emergency reassignment.

Stage 5

Operate

Monitor membership and roles, review overlaps, attest owners, remove stale access, retest workflows, and retain evidence.

Failback: preserve member and scoped-role exports before every change. For a standard unit, remove or roll back scoped assignments and membership safely. For restricted units, ensure a Global Administrator or Privileged Role Administrator can make an auditable scoped recovery assignment—never rely on an unavailable former administrator.

Top risks and common misconfigurations

Block designs that broaden privilege, misstate scope, or strand protected objects

Administrative units reduce scope only when membership, roles, interfaces, and recovery are all verified.

Unit treated as a tenant boundary

Teams assume every Microsoft 365 service and related object automatically honors the unit.

Group members assumed in scope

Adding a group scopes the group object, not the users inside it.

Overprivileged role

A broad role is scoped without testing whether a narrower role or custom role supports the task.

Tenant role defeats intent

The same operator retains tenant-wide privilege, so the scoped assignment does not reduce effective access.

Dynamic rule trusts weak data

A self-writable, delayed, incomplete, or inconsistent attribute controls the support boundary.

Restricted mode enabled casually

An immutable setting breaks help-desk, governance, automation, or recovery workflows.

No out-of-scope test

Only successful in-scope actions are tested; unauthorized reach remains undiscovered.

Unsupported role/action

Architecture assumes every built-in role and task can be assigned at unit scope.

Recovery principal missing

The last restricted-unit administrator leaves and no documented authority can restore operations.

Evidence and operations

Make delegated administration reviewable after every personnel, membership, or workflow change

Minimum evidence package

  • Unit settings, standard/restricted flag, membership type, IDs, description, owners, and creation record
  • Member export with object types, source, rule, add/remove timestamps, overlaps, and exceptions
  • Scoped role definitions and assignments, principals, eligibility/activation, approval, MFA, and dates
  • Positive and negative task results from portals, Graph, PowerShell, automation, and related services
  • Audit-log queries, alerts, findings, recovery test, remediation, residual risk, and next review

Review cadence

  • Daily or alert-driven review for role assignment, membership, restricted-unit, and failed workflow changes
  • Monthly reconciliation of scoped administrators, object membership, overlaps, tenant-wide roles, and owners
  • Quarterly attestation of business purpose, role necessity, denied-task tests, automation, licensing, and recovery
  • Event-driven review after reorganization, merger, new region, HR attribute change, administrator departure, or service change
Scope accuracyIntended versus actual users, groups, devices, overlaps, stale objects, and exceptions.
Privilege qualityScoped versus tenant-wide roles, standing versus eligible access, approvals, and stale assignees.
Task outcomeAllowed-task success, denied-task enforcement, workflow failures, escalations, and time to complete.
Recovery readinessBackup authority, last recovery test, audit visibility, time to restore, and open defects.

Authoritative resources

Use current Microsoft documentation for every scoped role and restricted workflow

Does an administrative unit isolate a business unit like a separate tenant?

No. It scopes supported Microsoft Entra role permissions to selected directory objects. It does not create a separate tenant or automatically isolate every related Microsoft 365 resource and service.

Does adding a group also place its users in the administrative unit?

No. The group object becomes a member and enters scope; its users do not inherit administrative-unit membership simply because they belong to that group.

Can an administrative unit contain users, groups, and devices?

An assigned standard unit can contain those object types. A dynamic unit targets users or devices, not both, and dynamic membership for groups is not supported.

Can restricted management be enabled later?

No. The restricted setting is selected when the unit is created and cannot be changed. Design, workflow, licensing, and recovery validation must occur before creation.

Can a Global Administrator modify an object in a restricted unit?

Not merely through the tenant-wide role. A Global Administrator or Privileged Role Administrator can manage the restricted unit and make an explicit scoped assignment, including to themselves, which is auditable.

What is the safest way to validate scoped delegation?

Use a pilot administrator, in-scope objects, and out-of-scope control objects. Test each required and prohibited task through every real portal, API, PowerShell, automation, and related service, then preserve results.

IT Perfection Microsoft 365 identity operations

Delegate Entra administration without losing accountability or recovery

IT Perfection helps organizations in Irvine, Orange County, Los Angeles County, and Southern California design administrative units, right-size scoped roles, validate boundaries, test restricted workflows, document evidence, and preserve a practical failback path.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience.

This guide is for initial planning and operational guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, Microsoft licensing review, legal/compliance review, or tested change-management process.