
How to Audit Administrative Units in Microsoft 365

Is managing user permissions in Microsoft 365 becoming overwhelming? Administrative units (AUs) help to streamline access management across departments and roles. Because an AU defines who may administer which users and resources, auditing AUs is crucial for maintaining security and compliance and for ensuring that only authorized users access sensitive resources. This guide offers efficient methods to audit administrative units that enhance access control and reduce security risks in your organization.

Native Solution

Microsoft 365 Permission Required: High
  • Least privilege: View-Only Audit Logs role
  • Most privilege: Global Admin

Option 1: Using the Microsoft Purview Compliance Portal

  • Log in to the Microsoft 365 Purview portal.
  • Navigate to the Audit log search tab under Solutions.
  • Customize the date and time range if required.
  • In the Admin Units drop-down, select the desired administrative unit to view the related operations.

Here, you can view all operations like creation, deletion, changes to the admin unit, role assignments, and more that have been performed on the selected admin unit.

Option 2: Using Windows PowerShell

  • Connect to the Exchange Online PowerShell module using the cmdlet below.
     Connect-ExchangeOnline
  • Run the below PowerShell cmdlet to get all Microsoft 365 administrative unit operations. Replace 'MM/DD/YYYY' with the required StartDate and EndDate.
     Search-UnifiedAuditLog -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -RecordType AzureActiveDirectory | Where-Object { $_.Operations -like "*Administrative Unit*" }
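The one-liner above returns only the first 100 records and leaves each event's details packed in the AuditData JSON. The following script is an added example (not code from the original page): it pages through the full result set, applies the same operation filter (extended to also catch AU-scoped role assignments, which the page says appear in the Purview view), and unpacks actor, target, outcome and changed properties into a reviewable table. It assumes Connect-ExchangeOnline has already been run; the 30-day window and the output path are placeholders.

```powershell
# Added example, not from the original page. Assumes an existing Exchange Online session.
$StartDate = (Get-Date).AddDays(-30)   # placeholder window; adjust as required
$EndDate   = Get-Date

# Search-UnifiedAuditLog returns 100 records by default. Request the 5000 maximum and page
# with a session id so large tenants are not silently truncated.
$sessionId = "AU-audit-" + [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -RecordType AzureActiveDirectory -ResultSize 5000 `
                -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)   # the cmdlet returns nothing once the last page has been served

# The page's filter, plus "scoped member" operations, which is how a role assignment
# scoped to an administrative unit is recorded (assumed operation name; verify in your tenant).
$auOps = $records | Where-Object {
    $_.Operations -like '*administrative unit*' -or $_.Operations -like '*scoped member*'
}

# AuditData is a JSON string; unpack it so each event becomes one row.
$report = foreach ($r in $auOps) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time        = $r.CreationDate
        Operation   = $d.Operation
        Actor       = $d.UserId
        Targets     = ($d.Target | ForEach-Object { $_.ID }) -join '; '
        Result      = $d.ResultStatus
        Changed     = ($d.ModifiedProperties | ForEach-Object { $_.Name }) -join ', '
        # Membership and role-scope changes alter who can administer what; flag them for review.
        ScopeChange = [bool]($d.Operation -match 'member|role')
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
# Keep the evidence alongside the on-screen summary for compliance review.
$report | Export-Csv -Path '.\AU-operations.csv' -NoTypeInformation
```

Rows with ScopeChange set to True are the ones that changed who can administer whom and deserve a second look against your change records.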
AdminDroid Solution

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the All Administrative Units' Operations report under Audit » Azure AD » AU Audit.

Gain insights into your administrative units by tracking key activities like member changes and unit updates to strengthen access control and prevent unauthorized access.

  • Leverage AdminDroid's advanced charts to visualize AU modification counts and types, which helps you optimize access control and improve security management within your tenant.

Easily Track Administrative Unit Operations in Microsoft 365!

Monitor administrative unit activities with AdminDroid to ensure proper user assignments, align permissions with organizational policies, and prevent unauthorized changes.


What are the best scenarios for using Administrative Units in Microsoft 365? 

Administrative units (AUs) in Azure AD allow organizations to group users and resources based on specific criteria. This allows granular control over administrative tasks in Microsoft 365. Use administrative units to limit role scopes to ensure users access only the necessary resources while following the least privilege principle.

The least privilege principle is a security best practice that ensures users have only the minimum access necessary to perform their tasks. AUs make it easier to implement this principle by allowing administrators to restrict access to only the resources users need.

Administrative units (AUs) in Microsoft 365 can be utilized in the following scenarios:

  • Delegating Administrative Permissions: Leverage AUs to assign administrative tasks to specific departments or groups within your organization. This eliminates the need to grant Global Admin rights and limits each administrator's access and responsibility to a specific set of users or resources.

  • Large Organizations with Multiple Regions: For organizations with branches or teams in various locations, AUs simplify the management of users, devices, and resources by region. This leads to more organized and secure administration.

  • Regulatory Compliance and Segregation: AUs provide a solution for businesses looking to segregate duties or restrict access to sensitive data by roles or departments. They provide granular permissions that align with these requirements.

  • Improved Security Control: Utilizing AUs enables you to restrict admin access to specific organizational units, which minimizes the risk of unintended changes.

By leveraging administrative units in these ways, you can unlock their full potential. Still unsure how administrative units can benefit your organization? Here's a sample scenario to provide further clarity.

If an organization has offices in Seattle and Dallas, each with its own helpdesk, it may face challenges without administrative units (AUs). For instance, helpdesk staff in Dallas might be able to reset passwords for Seattle users. By using AUs, you can assign administrative rights specific to each office. This ensures that helpdesk teams manage users only within their own locations, without affecting the rest of the organization.

Why choose Administrative Units in Entra ID over Microsoft 365 groups for defining administrative scope?

Microsoft 365 administrative units and groups are both used to organize and manage resources within a tenant. However, they serve distinct purposes in defining administrative permission scopes.

Delegated Administration:

  • Administrative units allow IT admins to delegate specific administrative roles over defined sets of users or resources without giving global admin rights. This is crucial in large organizations where different administrators manage distinct areas (e.g., HR, Sales, or different regions).
  • Microsoft 365 groups are powerful for collaboration which provides access to resources like SharePoint, Teams, and Exchange. However, they don't offer the same granularity in administrative control.

Role-based Access Control (RBAC):

  • AUs allow you to assign role-based access to administrators over a limited scope to ensure they can only manage users, devices, or groups within their unit. This prevents over-privilege and enhances security by limiting administrative privileges to specific units or departments.
  • Microsoft 365 groups, however, are mainly used for resource permissions like file sharing or collaboration, not administrative task delegation.

Separation of Management Boundaries:

  • With AUs, organizations can create isolated management zones, where the control over users, devices, or applications is confined to a specific administrative unit. This is particularly useful when multiple business units need control without interference in other areas of the organization.
  • Microsoft 365 groups lack this management boundary control, as their primary purpose is to group users for resource access, not for administrative isolation.

User and Device Management:

  • Administrative units focus on user and device management to help administrators control directory data like resetting passwords, managing device configurations and enforcing compliance policies. These operations are scoped to the AU's defined users and devices.
  • Microsoft 365 groups are designed around collaboration resources (like email distribution, file sharing, and Teams chats) and do not manage directory-level operations.

In summary, both administrative units and Microsoft 365 groups are vital to the Microsoft 365 organization. However, AUs are designed for more granular administrative control, resource management, and policy enforcement. For organizations requiring strict control over administrative access, AUs are the better choice, while Microsoft 365 groups are more effective in collaboration and communication.

How to assign admin roles to Administrative Units in Microsoft 365 using dynamic membership?

Dynamic membership rules allow you to automatically add or remove users from administrative units based on predefined criteria. This efficiently automates administrative unit membership and permissions, especially in large organizations with frequent role changes.

Here's a step-by-step guide on how to assign admin roles using administrative units with dynamic membership rules:

  • Navigate to the Microsoft Entra admin center.
  • Go to Identity » Roles & admins » Admin units.
  • Select the desired Admin Unit for which you need to assign dynamic membership.
  • Navigate to the Properties section.
  • Under Membership type, select Dynamic User or Dynamic Device based on your requirements.
  • Add the required dynamic membership query. You can use the rule builder if you need help composing the rule.
  • Click 'Save' to apply the property.

Note: Dynamic groups cannot be added to an administrative unit, because administrative units do not support dynamic membership for groups (only for users and devices, as above).

Monitoring operations related to Dynamic Membership is vital for ensuring that user access aligns with security policies and compliance regulations. By tracking these operations, organizations can quickly identify unauthorized access or policy violations.

Gain complete insights into dynamic membership operations for AUs in Microsoft 365 with AdminDroid reports!

  • Using the filter 'Group Type -- equal -- Dynamic Membership' in the All AU Operations report, you can efficiently monitor these dynamic membership operations to enhance security and resource management.

What are restricted management Administrative Units, and how do they work in Microsoft 365? 

Restricted management administrative units enhance security for sensitive accounts in Microsoft Entra ID. Unlike standard AUs, only users holding a role assigned within the restricted AU itself can manage its members. Even Global Administrators need such a unit-scoped role to manage these units, which keeps access control tight and aligned with security policies.

Key Requirements:
  • Administrators managing restricted AUs need a Microsoft Entra ID Premium P1/P2 license.
  • Only Global Administrators and Privileged Role Administrators have the authority to create restricted AUs.

Standard vs Restricted Management AUs

Access Control:
  • Standard AUs: Global Admins can manage all resources within the AU without any role-specific restrictions, allowing broader administrative access across the organization.
  • Restricted AUs: Global Admins must be explicitly assigned unit-scoped roles (like User Administrator or Helpdesk Administrator), limiting access based on Role-Based Access Control (RBAC) for tighter security.

Role Restrictions:
  • Standard AUs: Easier for admins to manage roles due to fewer restrictions, suitable for dynamic environments.
  • Restricted AUs: Requires role assignments that are scoped specifically to the administrative unit. Admins can only manage users and resources within their assigned AU, preventing accidental access to other areas.

Impact on Management:
  • Standard AUs: Easier to manage due to fewer restrictions, suitable for environments where broader administrative control is acceptable.
  • Restricted AUs: Requires more careful role assignment and governance, providing stronger protection by limiting who can make changes or access specific resources, especially in highly regulated environments.

When to use restricted management administrative units in Microsoft Entra ID?

Using restricted management is especially beneficial when strict oversight is required to prevent unauthorized access or accidental modifications, making it ideal for large organizations with distributed control.

Example Scenario: Consider an organization with both New York and Chicago offices. For added security, the New York helpdesk is restricted to managing only VIP users within the New York office, such as executives or other sensitive accounts. Even if a Global Administrator attempts to manage these accounts, they must first be assigned a role within the restricted AU. This ensures that only authorized personnel with specific roles can manage these high-sensitivity users.

Important Note: The restricted management option has to be enabled at the time of AU creation. Once the AU is created, this property cannot be modified.
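Both of the features described above (dynamic membership and restricted management) change who can administer whom, so an auditor wants an inventory of which AUs use them. The script below is an added example, not code from the original page or from AdminDroid: it lists every administrative unit through Microsoft Graph, shows the membership rule and processing state of dynamic AUs, and for restricted AUs counts the role assignments scoped to the unit (since no one, Global Admins included, can manage those members without such an assignment). It assumes the Microsoft.Graph PowerShell SDK is installed, that the beta administrativeUnits resource exposes membershipType, membershipRule, membershipRuleProcessingState and isMemberManagementRestricted, and that roleAssignments can be filtered on directoryScopeId; confirm these against the Graph reference for your tenant.

```powershell
# Added example, not from the original page. See the lead-in for the Graph assumptions.
Connect-MgGraph -Scopes 'AdministrativeUnit.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so tenants with many AUs or assignments are fully enumerated.
    $items = @()
    while ($Uri) {
        $resp   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $resp.value
        $Uri    = $resp.'@odata.nextLink'
    }
    return $items
}

$select = 'id,displayName,membershipType,membershipRule,membershipRuleProcessingState,isMemberManagementRestricted'
$units  = Get-GraphCollection "https://graph.microsoft.com/beta/administrativeUnits?`$select=$select"

$inventory = foreach ($au in $units) {
    $isDynamic  = ($au.membershipType -eq 'dynamic')
    $restricted = [bool]$au.isMemberManagementRestricted
    $scopedRoles = @()
    if ($restricted) {
        # Only principals holding a role scoped to this AU can manage its members.
        $filter = [uri]::EscapeDataString("directoryScopeId eq '/administrativeUnits/$($au.id)'")
        $scopedRoles = Get-GraphCollection "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?`$filter=$filter"
    }
    [pscustomobject]@{
        DisplayName           = $au.displayName
        MembershipType        = if ($isDynamic) { 'Dynamic' } else { 'Assigned' }
        Rule                  = $au.membershipRule
        RuleState             = $au.membershipRuleProcessingState
        Restricted            = $restricted
        ScopedRoleAssignments = $scopedRoles.Count
        # Review: dynamic rules decide membership automatically; a restricted AU with no
        # scoped assignment has members nobody can currently administer.
        ReviewFlag            = $isDynamic -or ($restricted -and $scopedRoles.Count -eq 0)
    }
}

$inventory | Sort-Object ReviewFlag, DisplayName -Descending | Format-Table -AutoSize
```

Units flagged for review should have their membership rule and scoped role holders checked against the intended delegation design.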

Effortlessly Audit Administrative Unit Operations with AdminDroid's Insightful Reports

AdminDroid’s Azure AD auditing tool makes it easy to track administrative unit operations like created AUs, deleted AUs, updated AUs, etc., with dedicated reports. Quickly monitor changes to enhance security and ensure compliance within your organization.

A Quick Summary

Get Alerted of Every Administrative Unit Creation in Entra ID

Get notified of newly added administrative units with AdminDroid's advanced alerting feature. This ensures that no unauthorized additions go unnoticed, helping you maintain security by controlling admin access effectively.

Visualize the AU Operations with AI-powered Charts

Use AdminDroid's AI-powered graphical charts to easily visualize AU operations and quickly identify areas requiring attention for better decision-making.

Manage the Administrative Units with Ease Through Exports

With AdminDroid's exporting functionality, you can export reports on administrative units in your preferred format, such as CSV, HTML, PDF, etc., to track and manage AUs within your organization.

Audit Admin Activity to Strengthen Administrative Unit Access Control

Since AUs provide admin access, auditing admin activity is crucial to prevent privilege misuse and ensure proper access control.

Tailor the AU Report to Meet Your Specific Needs

Use AdminDroid's advanced column customization to track data precisely with granular options like admin role, user type, management roles, and more.

Enhance Internal Auditing Through Effective Scheduling

Schedule the All AU Operations report weekly with intelligent filters to access the previous week's AU activities for internal auditing.

AdminDroid's Azure AD management tool equips you with robust features to effectively manage and monitor administrative units. It enables detailed tracking of changes within AUs, ensuring better control over user and resource management.


Common Errors and Resolution Steps While Auditing Microsoft 365 Administrative Unit Operations

The following are the possible errors and troubleshooting hints when auditing administrative units in Microsoft 365.

Error: Failed to update administrative unit properties


This typically indicates an issue with the property values provided. The error may also occur if someone without a Microsoft Entra ID P1 license attempts to save changes to the administrative unit.

Troubleshooting hint: Ensure the supplied property values match the correct data types (e.g., Boolean, string, or string collection). Double-check and update any incorrect values to resolve the issue.

Error: Audit log search argument startDate (12/12/2024 12:00:00 AM) is later than endDate (03/08/2024 12:00:00 AM)

This error indicates that the startDate specified in the audit log search command is set to a later date than the endDate, which is not logically possible for a time-bound search.

Troubleshooting hint: Ensure that the start date is earlier than the end date.

Error: Search duration is too long. Please select a date range of less than 6 months.

This error occurs while performing an audit log search in the Microsoft Purview portal if the selected date and time range exceeds the limit.

Troubleshooting hint: In Microsoft Purview, audit logs can only be retained for a maximum of 180 days, so specify a time range within this period.