entra-docs/docs/identity/role-based-access-control/admin-units-faq-troubleshoot.yml at 1563e3688d9131f52fa7185a51db5162f7cdb6b3 · MicrosoftDocs/entra-docs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
### YamlMime:FAQ
metadata:
  title: "Administrative units troubleshooting and FAQ"
  description: Investigate administrative units to grant permissions with restricted scope in Microsoft Entra ID.
  ms.topic: faq
  ms.date: 10/29/2024
  ms.reviewer: anandy
  ms.custom: oldportal;it-pro;

title: "Microsoft Entra administrative units: Troubleshooting and FAQ"
summary: |
  For more granular administrative control in Microsoft Entra ID, you can assign users to a Microsoft Entra role with a scope that is limited to one or more administrative units. For sample PowerShell scripts for common tasks, see [Work with administrative units](/powershell/azure/active-directory/working-with-administrative-units).

sections:
  - name: General
    questions:
      - question: |
          Why am I unable to create an administrative unit?
        answer: |
          You must be assigned at least the [Privileged Role Administrator](permissions-reference.md#privileged-role-administrator) role to create an administrative unit in Microsoft Entra ID. Check to ensure that the user who's trying to create the administrative unit is assigned the *Privileged Role Administrator* role.

      - question: |
          I added a group to an administrative unit. Why are the group members still not showing up there?
        answer: |
          When you add a group to an administrative unit, that doesn't result in all the group's members being added to it. Users must be directly assigned to the administrative unit.

      - question: |
          I just added (or removed) a member of the administrative unit. Why is the member not showing up (or still showing up) on the user interface?
        answer: |
          Sometimes, the addition or removal of one or more members of an administrative unit might take a few minutes to be reflected on the **Administrative units** pane. Alternatively, you can go directly to the associated resource's properties and see whether the action has been completed. For more information about members in administrative units, see [List users, groups, or devices in an administrative unit](admin-units-members-list.md).

      - question: |
          I am a delegated Password Administrator on an administrative unit. Why am I unable to reset a specific user's password?
        answer: |
          As an administrator of an administrative unit, you can reset passwords only for users who are assigned to your administrative unit. Make sure that the user whose password reset is failing belongs to the administrative unit to which you've been assigned. If the user belongs to the same administrative unit but you still can't reset the user's password, check the roles that are assigned to the user.

          To prevent an elevation of privilege, an administrative unit-scoped administrator can't reset the password of a user who's assigned to a role with an organization-wide scope.

      - question: |
          Why are administrative units necessary? Couldn't we have used security groups as the way to define a scope?
        answer: |
          Security groups have an existing purpose and authorization model. A *User Administrator*, for example, can manage membership of all security groups in the Microsoft Entra organization. The role might use groups to manage access to applications such as Salesforce. A *User Administrator* shouldn't be able to manage the delegation model itself, which would be the result if security groups were extended to support "resource grouping" scenarios.

          Administrative units, such as organizational units in Windows Server Active Directory, are intended to provide a way to scope administration of a wide range of directory objects. Security groups themselves can be members of resource scopes. Using security groups to define the set of security groups that an administrator can manage could become confusing.

      - question: |
          What does it mean to add a group to an administrative unit?
        answer: |
          Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but **not** the members of the group. For more information, see [Administrative units in Microsoft Entra ID](administrative-units.md#groups).

      - question: |
          Can a resource (user, group, or device) be a member of more than one administrative unit?
        answer: |
          Yes, a resource can be a member of more than one administrative unit. The resource can be managed by all organization-wide and administrative unit-scoped administrators who have permissions over the resource.

      - question: |
          Are administrative units available in B2C organizations?
        answer: |
          No, administrative units aren't available for B2C organizations.

      - question: |
          Are nested administrative units supported?
        answer: |
          No, nested administrative units aren't supported.

      - question: |
          Are administrative units supported in PowerShell and the Microsoft Graph API?
        answer: |
          Yes. You'll find support for administrative units in [PowerShell cmdlet documentation](/powershell/module/azuread/) and [sample scripts](/powershell/azure/active-directory/working-with-administrative-units).

          Find support for the [administrativeUnit resource type](/graph/api/resources/administrativeunit) in Microsoft Graph.

  - name: Dynamic administrative units
    questions:
      - question: |
          I just saved a rule for dynamic membership groups for an administrative unit, but I don't see any users populated yet.
        answer: |
          The initial update of an administrative unit can take a few minutes depending on your tenant size and the current Microsoft Entra ID load.

      - question: |
          After creating a rule for dynamic membership groups in the Microsoft Entra admin center using the rule builder and attempting to save, I get the error "Failed to update administrative unit properties".
        answer: |
          This usually means there's a problem with the supplied property values. Confirm that the property values you have supplied have a proper value type (Boolean, string, or string collection). For more information, see the allowed values for each operator for [users](~/identity/users/groups-dynamic-membership.md#supported-properties) or [devices](~/identity/users/groups-dynamic-membership.md#rules-for-devices).

          This error can also result if a person without a Microsoft Entra ID P1 license attempts to save an update to the administrative unit.

      - question: |
          How can I add a single member to an administrative unit in addition to the current rule for dynamic membership groups?
        answer: |
          To add a single user, add an appropriate expression with the `OR` query operator to the rule for dynamic membership groups.

      - question: |
          I am a Privileged Role Administrator, but I can't add or remove members for an administrative unit.
        answer: |
          When an administrative unit has been configured for dynamic membership groups, you must edit the rules for dynamic membership groups to change membership.

      - question: |
          How many administrative units with rules for dynamic membership groups can I create in a tenant?
        answer: |
          The total number of dynamic membership groups and dynamic administrative units combined cannot exceed 15,000.

      - question: |
          Is there a limit to the number of characters in a rule for dynamic membership groups?
        answer: |
          Yes. 3,072 characters.

      - question: |
          Can I create administrative units with rules for dynamic membership groups in the Microsoft 365 admin center?
        answer: |
          No.

  - name: Restricted management administrative units
    questions:
      - question: |
          I am the owner of a group that is a member of a restricted management administrative unit. How are my permissions affected?
        answer: |
          As an owner of a protected group, you won't be able to manage it just based on ownership. Managing protected resources currently require a role to be assigned at the restricted management administrative unit scope of the protected resource.
      - question: |
          How are my Microsoft 365 resources affected by using restricted management administrative units?
        answer: |
          Currently, securing Microsoft Entra resources in restricted management administrative units is supported. Resources managed outside of Microsoft Entra ID aren't supported.
      - question: |
          I'm unable to modify a member of a restricted management administrative unit.
        answer: |
          The user, group, or device is a member of restricted management administrative unit. Management rights are limited to administrators scoped to that administrative unit.

additionalContent: |

  ## Next steps

  - [Restrict scope for roles by using administrative units](administrative-units.md)
  - [Create or delete administrative units](admin-units-manage.md)