Delegated administration with Azure Active Directory units of administration – News Block

Office 365 comes with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives its users permissions to perform specific tasks in the Office 365 admin center and Windows PowerShell.

This is especially true for large organizations or universities with multiple brands or decentralized management within a single Office 365 tenant, default admin roles can cause headaches. While permission delegation in Exchange Online works great with role-based access control (RBAC), other apps and services are difficult to manage at a granular level. For example, license management or helpdesk for different countries, brands and organizations. In these organizations, only a subset of administrative users can edit properties based on their region or brand.

Azure Active Directory administrative units are a container for resources that can be used to delegate administrative permissions and apply policies to a subset of users. They allow central administrators to delegate permissions based on region, brand, or set policy at a granular level. It simply groups your users into logical units. An administrator will be able to perform various tasks against all users within the scope of an administrative unit.

As of this writing, OUs are still in public preview and the global administrator must be assigned a Premium Azure Active Directory license, while users within OUs need Azure Active Directory Basic licenses. In this preview, only users can be assigned to resources. Once created and populated, the administrative unit can be used as a scope to restrict the permission granted to only the resources contained in the administrative unit. Also, there are only two roles available: user account administrator and Help desk administrator.

Before we can begin, the public preview of the Azure Active Directory module must be installed:

Azure AD preview of installation module
Connect to Azure Active Directory with Office 365 Global Administrator:

This blog post covers three examples of delegated administration for the “User Account Administrator” role for a specific region, “Help Desk Administrator” for users within a specific department, and we’ll assign an Exchange administrator to a specific administrative unit.

The following administrator user accounts are available:

Object ID Display Name User Principal Name User Type
——– ———– ——– ——–
f1851b74-617d-40c9-8943-30ac58e84f48 Dominik Hoefling (at work) Member
6d381b8c-7e16-4601-81ab-79333efb61c6 Dominik Hoefling (Exchange Lab) Member

“Dominik Hoefling (Exchange Lab)” is the user account administrator for the US, Dominik Hoefling (at work)” is the help desk administrator for Germany, and also the Exchange administrator for a certain administrative unit.

Note: There are currently no parameters such as -Department, -Office, or -Country. And there’s no dynamic membership, you have to manually add users to the administrative unit, which also means you have to keep it up to date. The -Country attribute on this blog is only used to easily add members to different administrative units.

user manager

The requirement is to have multiple user account administrators for only a subset of users within a specific region. This example allows the privileged user “Dominik Hoefling (at work)” to manage users located in the US and deny administration to users located in Germany.

Run steps 1 through 5 with a global administrator account:

  1. Enable user account management role:
    $UserServiceAdmin = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq “User Account Admin”}
    Enable-AzureADDirectoryRole -RoleTemplateId $UserServiceAdmin.ObjectId
    To get a list of all available role templates, run the Get-AzureADDirectoryRoleTemplate cmdlet.
  2. Create and complete the administrative unit:
    New-AzureADAdministrativeUnit -Description “US region” -Displayname “USA”
  3. Add the user “Andreas Bode (Exchange Lab)”, or all of his US-based users, to the administrative unit:
    $USAU = Get-AzureADAdministrativeUnit -Filter “displayname eq ‘US'”
    $USUsers = Get-AzureADUser -Filter “UserPrincipalName eq ‘'”
    Add-AzureADAdministrativeUnitMember -ObjectId $USAU.ObjectId -RefObjectId $USUsers.ObjectId
  4. Add the US scoped admin user account role member “Dominik Hoefling (Exchange Lab)”:
    $USUserAdmin = Get-AzureADUser -Filter “UserPrincipalName eq ‘'”
    $USUserAdminRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $USUserAdmin.ObjectId}
    $UAUserAdmin = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq “User Account Admin”}
    Add-AzureADScopedRoleMembership -RoleObjectId $UAUserAdmin.ObjectId -ObjectId $USAU.ObjectId -RoleMemberInfo $USUserAdminRoleMemberInfo
  5. Get a list of US-scoped administrative unit administrators:
    Get-AzureADScopedRoleMembership -ObjectId $USAU.ObjectId | Florida
    Administrative Unit Object ID: 1141b4e9-a721-4331-afed-c669c7dc53d7
    Identification: cB-Eb4FD30G02cIJxg1lyum0QREhpzFDr-3GacfcU9eMGzhtFn4BRoGreTM–2HGU
    Role Object ID: 6f841f70-4381-41df-b4d9-c209c60d65ca
    RoleMemberInfo: class RoleMemberInfo {

Display Name: Dominik Hoefling (Exchange Lab)
Object ID: 6d381b8c-7e16-4601-81ab-79333efb61c6
UserPrincipalName: }

  1. After verifying this, sign in to the Office 365 admin portal with the account “Dominik Hoefling (Exchange Lab)” and see which users and accounts can be managed

swap screenshot

Only members of the administrative unit (step 3) can be viewed and edited with “User Account Administrator” privileges.

The same behavior applies to Windows PowerShell:

Set-AzureADUserPassword -ObjectId “f1851b74-617d-40c9-8943-30ac58e84f48” -Password $password
Set-AzureADUserPassword: An error occurred while executing SetUser
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
Online: 1 Character: 1
+set-AzureADUserPassword -ObjectId “f1851b74-617d-40c9-8943-30ac58e84f…
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) (Set-AzureADUserPassword), ApiException
+ Fully qualified bug ID: Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.Graph.PowerShell.Custom.C
mdlet.Set user password

Help Desk Administrator

The requirement is to have multiple help desk administrators for only a subset of users within a specific region. You can perform the same steps to configure the “User Account Manager” administrative unit. If necessary, change the user variables or filter to a different region, country, or any other attribute. You just have to take care of the correct ObjectIds of the administrative unit, the administrator role, and your users.

Exchange Online Delegation

For starters, it is not possible to create other administrative unit administrator roles at the time of writing this article. For example, if you want to add the scoped role membership to “Exchange Service Manager”, you will receive the following error message:

error message code

Hopefully, Microsoft will add administrator roles with more granular privileges in the future.

However, you can scope Exchange Online Role-Based Access Control (RBAC) management roles to an administrative unit. In this example, we use the built-in “Mail Recipients” role and delegate the admin role to admin “Dominik Hoefling (Exchange Lab)” who can manage only US users within the previously created admin unit.

  1. change remote powershell online
  2. Assign the “Mail Recipients” role to the administrative unit:
    New-ManagementRoleAssignment -Role “Mail Recipients” -RecipientAdministrativeUnitScope $USAU.ObjectId -User
  1. The Exchange Lab administrator can only manage mailboxes within the Azure Active Directory administrative unit:
    Swap Lab Screenshot
    Left image: At work (Germany) – cannot edit properties
    Right image: Exchange Lab (US) – Mail Recipients role-based properties can be edited

note the documentation from 07/10/2017 is not correct because the -DirectoryRole parameter does not work, also for the latest AzureAD PowerShell module. Therefore, I grabbed the ObjectId from the DirectoryRoleTemplate and passed it as a string.


Azure Active Directory Administrative Units are a nice step up, but definitely need some more granular privileged admin roles that can be used with other Office 365 applications and workloads (i.e. license management based on different companies and/or countries). For now, you can encompass the built-in roles “User Account Management” and “Help Desk Administrator”). For Exchange Online, you can also span RBAC to administrative units, which means you can cover almost all requirements and workloads at least for Exchange.

Get started with Mailscape 365

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top