
Admin Units in Microsoft Entra and Microsoft Purview

Posted on August 8, 2024
Microsoft 365

Today, I want to introduce you to something rather technical but important to understand. What I am talking about is the Admin Units feature available within Microsoft Entra (formerly known as Azure Active Directory). I specifically want to mention Admin Units because they play an essential role in Microsoft Purview when setting up Retention Policies.

Now, I want to clarify that this will not be a technical or thorough article about Admin Units and how to set them up. My expertise is in SharePoint, not Microsoft Entra. Microsoft has published some fantastic guides about this feature, which I will reference in this post. However, you need to understand how it works and how it might help your organization. Let’s proceed.

What is Microsoft Entra ID?

Microsoft Entra is an integral part of Microsoft 365 that handles the technical side of things within Microsoft 365. This is where your IT Team manages the following aspects:

  • Users/Roles
  • Security Groups and Distribution Lists
  • Devices and various policies
  • Authentication methods
  • And many, many other aspects

Microsoft Entra is primarily used and accessible by your IT Team or IT/MSP Provider. By the way, it was called Azure AD up until recently; Microsoft Entra ID is just a new name.


At a fundamental level, say you hired a new employee. The first thing IT does is set up that user within Microsoft Entra and assign the roles and security groups that control the user's access to various SharePoint sites, applications, servers, and devices. All the basic information about the user (name, roles, title, location) is controlled within Entra and is utilized by other applications within Microsoft 365 (e.g., SharePoint).

What are Admin Units?

This brings us to the Admin Units. Until recently, it was all or nothing regarding access and management within Microsoft Entra. And that is OK with small organizations. However, with large and primarily global organizations, you might have multiple IT teams located in different countries/regions. And too often, those IT teams are autonomous and operate independently of one another. For example, you might be part of a global organization with offices with significant employee presence in the USA, Canada, and the European Union. As a result, you also have a local IT Team in each country that works with the local Human Resources department and manages users, security groups, and devices specific/relevant to that country.

This is where Admin Units come in. You can create an Administrative Unit for, say, US IT and let them only access and manage US-based employees, devices, roles, and groups. Likewise, you might have an Admin Unit for Germany, where the local German-based IT Team will manage local users, groups, devices, etc. This capability will allow each country’s IT team to manage its own country’s “assets” without stepping on the toes of the IT team from another country.

How to set up Admin Units within Microsoft Entra

Now, I will not provide the specific steps on how to create and manage Admin Units. Microsoft did this really well already in this article. Below, I just want to show you a few screenshots of the setup within Microsoft Entra.

Below is an example of an Admin unit set up in my tenant’s Microsoft Entra. I created an imaginary Admin Unit for the Canada office and IT Administrators.


A given Admin Unit is associated with certain users and groups. For this example, I associated it with two Microsoft 365 Groups (Finance and HR) based in Canada.
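As an added example (not from the original post or from Microsoft's guide), the following Microsoft Graph PowerShell script builds a setup like the one described: an Admin Unit for the Canada office containing two groups, plus a role assignment that is valid only inside that unit. It assumes version 2 of the Microsoft.Graph module; the group names, the administrator's UPN, and the choice of the Groups Administrator role are placeholders.

```powershell
# Added example: all display names and the UPN below are constructed placeholders.
# Assumes Microsoft.Graph PowerShell SDK v2 and an account allowed to manage
# administrative units and role assignments.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'Group.Read.All', 'User.Read.All'

# 1. Create the Admin Unit for the Canada office.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Canada Office' `
        -Description 'Canada-based groups (constructed example)'

# 2. Add the two Canada-based Microsoft 365 Groups as members.
#    Note: adding a group brings the group object itself into scope,
#    not the individual users who are members of that group.
foreach ($name in 'Finance Canada', 'HR Canada') {
    $group = @(Get-MgGroup -Filter "displayName eq '$name'")
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$name'." }
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -OdataId "https://graph.microsoft.com/v1.0/groups/$($group[0].Id)"
}

# 3. Assign a role scoped to this Admin Unit only (least privilege:
#    the admin gets no rights over groups outside the unit).
#    Get-MgDirectoryRole lists only roles already activated in the tenant.
$role = Get-MgDirectoryRole -All |
        Where-Object DisplayName -eq 'Groups Administrator'
if (-not $role) { throw 'Role is not activated in this tenant.' }

$admin = Get-MgUser -UserId 'ca-it-admin@contoso.example'
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id `
    -BodyParameter @{
        roleId         = $role.Id
        roleMemberInfo = @{ id = $admin.Id }
    }

# 4. Review what is in scope and who can administer it.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All
```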


Admin Units in Microsoft Purview

This brings us to Admin Units in Microsoft Purview. You probably noticed that when you create a Retention Policy, it prompts you to select Admin Units.


The above step limits the selection of sites to which the retention policy is applied to those associated with a given Admin Unit.


As you can see in the image below, instead of hundreds of Microsoft 365 Groups available in the tenant, it only displays the two groups I associated above with the given Admin Unit.


So, to summarize, Admin Units provide a powerful scoping mechanism that allows large organizations to organize and manage certain administrative/support functions based on geographic presence and organizational chart. Most organizations might not even utilize this feature. But at least now, when you see the word “Admin Units” in Purview – you know what they are and what they do.

About Me

I’m Greg Zelfond, a U.S. based SharePoint consultant, and I provide affordable out-of-the-box SharePoint consulting, training, and configuration assistance to small and medium-sized businesses all over the world.
