🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Audit Administrative Units in Microsoft 365

Is managing user permissions in Microsoft 365 becoming overwhelming? Administrative units (AUs) help to streamline access management across departments and roles. Thus, auditing AUs is crucial for maintaining security and compliance to ensure that only authorized users access sensitive resources. This guide offers efficient methods to audit administrative units which enhance access control and reduce security risks in your organization.

Solution 1
Solution 2
Solution 3
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required
View-only Audit Logs Role Least Privilege
Global Admin Most Privilege
  • Log in to the Microsoft 365 Purview portal.
  • Navigate to the Audit log search tab under Solutions.
  • Customize the date and time range if required.
  • In the Admin Units drop down, select the desired administrative unit to view the related operations.
Using Microsoft Purview Compliance Portal

Here, you can view all operations like creation, deletion, changes to the admin unit, role assignments, and more that have been performed on the selected admin unit.

Using Windows PowerShell

Microsoft 365 Permission Required
View-only Audit Logs Role Least Privilege
Global Admin Most Privilege
  • Connect to the Exchange Online PowerShell module using the cmdlet below.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the below PowerShell cmdlet to get all Microsoft 365 administrative unit operations. Replace 'MM/DD/YYYY' with respective StartDate and EndDate as per your requirement.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -RecordType AzureActiveDirectory | Where-Object { $_.Operations -like "*Administrative Unit*" }
Using Windows PowerShell
AdminDroid Azure AD Auditing

Effortlessly Audit Administrative Unit Operations with AdminDroid's Insightful Reports

AdminDroid’s Azure AD auditing tool makes it easy to track administrative unit operations like created AUs, deleted AUs, updated AUs, etc., with dedicated reports. Quickly monitor changes to enhance security and ensure compliance within your organization.

Get Alerted of Every Administrative Unit Creation in Entra ID

Get notified on the added administrative units with AdminDroid's advanced alerting feature. This ensures that no unauthorized additions occur, helping you maintain security by controlling admin access effectively.

Visualize the AU Operations with AI-powered Charts

Use AdminDroid's AI-induced graphical charts to easily visualize AU operations and quickly identify areas requiring attention for better decision-making.

Manage the Administrative Units with Ease Through Exports

With AdminDroid's exporting functionality, you can export reports on administrative units in your preferred format, such as CSV, HTML, PDF, etc., to track and manage AUs within your organization.

Audit Admin Activity to Strengthen Administrative Unit Access Control

Since AUs provide admin access, auditing admin activity is crucial to prevent privilege misuse and ensure proper access control.

Tailor the AU Report to Meet Your Specific Needs

Use AdminDroid's advanced column customization to track data precisely with granular options like admin role, user type, management roles, and more.

Enhance Internal Auditing Through Effective Scheduling

Schedule the all AU operations report weekly with intelligent filters to access the previous week’s AU activities for internal auditing.

AdminDroid's Azure AD management tool equips you with robust features to effectively manage and monitor administrative units. It enables detailed tracking of changes within AUs which ensures better control over user and resource management.

Explore a full range of reporting options
Download Live Demo

Important Tips

Review AU membership changes to identify any unauthorized additions or removals within administrative units.

Analyze deleted administrative units in Microsoft 365 to ensure compliance and recover critical data where necessary.

Enforce least privilege with Entra ID Administrative Units to protect sensitive data and systems from cyber threats.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when auditing administrative units in Microsoft 365.

Error Failed to update administrative unit properties

au-properties-update-error

This typically indicates an issue with the property values provided. The error may also occur if someone without a Microsoft Entra ID P1 license attempts to save changes to the administrative unit.

Fix Ensure the supplied property values match the correct data types (e.g., Boolean, string, or string collection). Double-check and update any incorrect values to resolve the issue.

Error Audit log search argument startDate (12/12/2024 12:00:00 AM) is later than endDate (03/08/2024 12:00:00 AM)

This error indicates that the startDate specified in the audit log search command is set to a later date than the endDate, which is not logically possible for a time-bound search.

Fix Ensure that the start date is earlier than the end date.

Error Search duration is too long. Please select a date range of less than 6 months.

This error occurs while performing an audit log search in Microsoft Purview portal if the selected date and time range exceed the limit.

Fix In Microsoft Purview, audit logs can only be retained for a maximum of 180 days. So, you need to give a time range within this period.
Azure AD
Frequently Asked Questions

Identify Administrative Unit Operations to Strengthen Access Control in Microsoft 365

What are the best scenarios for using Administrative Units in Microsoft 365? 
Why choose Administrative Units in Entra ID over Microsoft 365 groups for defining administrative scope?
How to assign admin roles to Administrative Units in Microsoft 365 using dynamic membership?
What are restricted management Administrative Units, and how do they work in Microsoft 365? 

1. What are the best scenarios for using Administrative Units in Microsoft 365? 

Administrative units (AUs) in Azure AD allow organizations to group users and resources based on specific criteria. This allows granular control over administrative tasks in Microsoft 365. Use administrative units to limit role scopes to ensure users access only the necessary resources while following the least privilege principle.

The least privilege principle is a security best practice that ensures users have only the minimum access necessary to perform their tasks. AUs make it easier to implement this principle by allowing administrators to restrict access to only the resources users need.

Administrative units (AUs) in Microsoft 365 can be utilized in the following scenarios:

  • Delegating Administrative Permissions: Leverage AUs to assign administrative tasks to specific departments or groups within your organization. This eliminates the need to grant global admin rights which limits access and responsibility to a specific set of users or resources.

  • Large Organizations with Multiple Regions: For organizations with branches or teams in various locations, AUs simplify the management of users, devices, and resources by region. This leads to more organized and secure administration.

  • Regulatory Compliance and Segregation: AUs provide a solution for businesses looking to segregate duties or restrict access to sensitive data by roles or departments. They provide granular permissions that align with these requirements.

  • Improved Security Control: Utilizing AUs enables you to restrict admin access to specific organizational units which minimizes the risk of unintended changes.

By leveraging administrative units in these ways, you can unlock their full potential. Still unsure how administrative units can benefit your organization? Here's a sample scenario to provide further clarity.

If an organization has offices in Seattle and Dallas, each with its own helpdesk, it may face challenges without administrative units (AUs). For instance, helpdesk staff in Dallas might be able to reset passwords for Seattle users. By using AUs, you can assign administrative rights specific to each office. This ensures that helpdesk teams manage users only within their own locations, without affecting the rest of the organization.

2. Why choose Administrative Units in Entra ID over Microsoft 365 groups for defining administrative scope?

Microsoft 365 administrative units and groups are both used to organize and manage resources within a tenant. However, they serve distinct purposes in defining administrative permission scopes.

Delegated Administration:

  • Administrative units allow IT admins to delegate specific administrative roles over defined sets of users or resources without giving global admin rights. This is crucial in large organizations where different administrators manage distinct areas (e.g., HR, Sales, or different regions).
  • Microsoft 365 groups are powerful for collaboration which provides access to resources like SharePoint, Teams, and Exchange. However, they don't offer the same granularity in administrative control.

Role-based Access Control (RBAC):

  • AUs allow you to assign role-based access to administrators over a limited scope to ensure they can only manage users, devices, or groups within their unit. This prevents over privilege and enhances security by limiting administrative privileges to specific units or departments.
  • Microsoft 365 groups, however, are mainly used for resource permissions like file sharing or collaboration, not administrative task delegation.

Separation of Management Boundaries:

  • With AUs, organizations can create isolated management zones, where the control over users, devices, or applications is confined to a specific administrative unit. This is particularly useful when multiple business units need control without interference in other areas of the organization.
  • Microsoft 365 groups lack this management boundary control, as their primary purpose is to group users for resource access, not for administrative isolation.

User and Device Management:

  • Administrative units focus on user and device management to help administrators control directory data like resetting passwords, managing device configurations and enforcing compliance policies. These operations are scoped to the AU's defined users and devices.
  • Microsoft 365 groups are designed around collaboration resources (like email distribution, file sharing, and Teams chats) and do not manage directory-level operations.

In summary, both administrative units and Microsoft 365 groups are vital to the Microsoft 365 organization. However, AUs are designed for more granular administrative control, resource management, and policy enforcement. For organizations requiring strict control over administrative access, AUs are the better choice, while Microsoft 365 groups are more effective in collaboration and communication.

3. How to assign admin roles to Administrative Units in Microsoft 365 using dynamic membership?

Dynamic membership rules allow you to automatically add or remove users from administrative units based on predefined criteria. This efficiently automates administrative unit membership and permissions, especially in large organizations with frequent role changes.

Here's a step-by-step guide on how to assign admin roles using administrative units with dynamic membership rules:

  • Navigate to the Microsoft Entra admin center.
  • Go to the Identity»Roles & admins»Admin units.
  • Select the desired Admin Unit for which you need to assign dynamic membership.
  • Navigate to the Properties section.
  • Under Membership Type select Dynamic User or Dynamic device based on your requirements.
  • Now, add the required dynamic query based on your requirements. You can refer to any rule builders to create dynamic membership rules so that you can get an idea of it.
  • Now, save the property by clicking 'Save'.
dynamic-memberships-in-entra-id

Note: Dynamic groups cannot be added to an administrative unit because administrative units do not support dynamic membership.

Monitoring operations related to Dynamic Membership is vital for ensuring that user access aligns with security policies and compliance regulations. By tracking these operations, organizations can quickly identify unauthorized access or policy violations.

Gain complete insights into dynamic membership operations for AUs in Microsoft 365 with AdminDroid reports!

  • Using the 'Group Type -- equal -- Dynamic Membership' in the All AU operations report, you can efficiently monitor these dynamic membership operations to enhance security and resource management.
dynamic-memberships-report-in-admindroid

4. What are restricted management Administrative Units, and how do they work in Microsoft 365? 

Restricted management administrative units enhance security for sensitive accounts in Microsoft Entra ID. Unlike standard AUs, only users with specific roles assigned within a restricted AU can manage it, ensuring strict access control. Even Global Administrators need the appropriate roles to manage these units. This ensures tight access control and compliance with security policies.

Key Requirements:
  • Administrators managing restricted AUs need a Microsoft Entra ID Premium P1/P2 license.
  • Only Global Administrators and Privileged Role Administrators have the authority to create restricted AUs.

Standard vs Restricted Management AUs

Access Control:
  • Standard AUs: Global Admins can manage all resources within the AU without any role-specific restrictions, allowing broader administrative access across the organization.
  • Restricted AUs: Global Admins must be explicitly assigned unit-scoped roles (like User Administrator or Helpdesk Administrator), limiting access based on Role-Based Access Control (RBAC) for tighter security.

Role Restrictions:
  • Standard AUs: Easier for admins to manage roles due to fewer restrictions, suitable for dynamic environments.
  • Restricted AUs: Requires role assignments that are scoped specifically to the administrative unit. Admins can only manage users and resources within their assigned AU, preventing accidental access to other areas.

Impact on Management:
  • Standard AUs: Easier to manage due to fewer restrictions, suitable for environments where broader administrative control is acceptable.
  • Restricted AUs: Requires more careful role assignment and governance, providing stronger protection by limiting who can make changes or access specific resources, especially in highly regulated environments.

When to use restricted management administrative units in Microsoft Entra ID?

Using restricted management is especially beneficial when strict oversight is required to prevent unauthorized access or accidental modifications, making it ideal for large organizations with distributed control.

Example Scenario: In a restricted AU scenario, consider the organization has both New York and Chicago offices. For added security, the New York helpdesk is restricted to managing only VIP users within the New York office, like executives or sensitive accounts. Even if a Global Administrator attempts to manage these accounts, they must first be assigned a role within the restricted AU. This ensures that only authorized personnel with specific roles can manage these high-sensitivity users, enhancing security.

Important Note: Restricted management option has to be enabled at the time of AU creation. Once created, this property cannot be modified.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Audit Administrative Units in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo