Admin Units in Microsoft Entra and Microsoft Purview

Posted on August 8, 2024

Today, I want to introduce you to something rather technical but important to understand. What I am talking about is the Admin Units feature available within Microsoft Entra (formerly known as Azure Active Directory). I specifically want to mention Admin Units because they play an essential role in Microsoft Purview when setting up Retention Policies.

Now, I want to clarify that this will not be a technical or thorough article about Admin Units and how to set them up. My expertise is in SharePoint, not Microsoft Entra. Microsoft has published some fantastic guides about this feature, which I will reference in this post. However, you need to understand how it works and how it might help your organization. Let’s proceed.

What is Microsoft Entra ID?

Microsoft Entra is a tool that is an integral part of Microsoft 365 that manages the technical side of things within Microsoft 365. This is where your IT Team manages the following aspects:

Users/Roles
Security Groups and Distribution Lists
Devices and various policies
Authentication methods
And many, many other aspects

Microsoft Entra is primarily used and accessible by your IT Team or IT/MSP Provider. By the way, it was called Azure AD up until recently; Microsoft Entra ID is just a new name.

Adminunitspurview7

At a fundamental level, say you hired a new employee. The first thing done by the IT – they set up that user within Microsoft Entra and assign various roles/security groups that control access of that user to various SharePoint sites, applications, servers, and devices. All the basic information about the user (name, roles, title, location) is controlled within Entra and is utilized by other applications within Microsoft 365 (i.e., SharePoint).

What are Admin Units?

This brings us to the Admin Units. Until recently, it was all or nothing regarding access and management within Microsoft Entra. And that is OK with small organizations. However, with large and primarily global organizations, you might have multiple IT teams located in different countries/regions. And too often, those IT teams are autonomous and operate independently of one another. For example, you might be part of a global organization with offices with significant employee presence in the USA, Canada, and the European Union. As a result, you also have a local IT Team in each country that works with the local Human Resources department and manages users, security groups, and devices specific/relevant to that country.

This is where Admin Units come in. You can create an Administrative Unit for, say, US IT and let them only access and manage US-based employees, devices, roles, and groups. Likewise, you might have an Admin Unit for Germany, where the local German-based IT Team will manage local users, groups, devices, etc. This capability will allow each country’s IT team to manage its own country’s “assets” without stepping on the toes of the IT team from another country.

How to set up Admin Units within the Microsoft Entra

Now, I will not provide the specific steps on how to create and manage Admin Units,. Microsoft did this really well already in this article. Below, I just want to show you a few screenshots of the setup within Microsoft Entra.

Below is an example of an Admin unit set up in my tenant’s Microsoft Entra. I created an imaginary Admin Unit for the Canada office and IT Administrators.