In the following example, an administrative unit called California (used to hold users in that region) is created. During the creation, administrators are configured to perform role-scoped activities inside that administrative unit:
- Navigate to the Microsoft 365 admin center (https://admin.microsoft.com) and log in with Global Administrator credentials.
2. Expand Roles | Role assignments and click Administrative units.
Figure 3.14 – Administrative units page
3. Click Add unit.
4. On the Basics page, as shown in Figure 3.15, enter a name and description and click Next.
Figure 3.15 – Basics page
5. On the Optional settings | Add members page, as shown in Figure 3.16, you can add members to the administrative unit or click Next to proceed.
Figure 3.16 – Add members page
6. On the Assign admins to scoped roles page, as shown in Figure 3.17, review the roles listed. Not all roles can be scoped to administrative units (as it’s a relatively new feature and not all roles support it). In this example, select the checkbox next to User Administrator and then click the role name itself.
Figure 3.17 – Adding roles
7. On the User Administrator flyout, click the Assigned tab as shown in Figure 3.18:
Figure 3.18 – User Administrator flyout
8. Click Add users or Add groups to assign administrators to this role. Click Close when you’ve finished.
Figure 3.19 – Adding users to role
9. On the Assign admins to scoped roles page, click Next.
10. On the Review and finish page, review your selections, make any changes, and then click Add.
11. Click Done to return to the Administrative units page.
One of the features of role-scoped administration is being able to limit what users or objects can be impacted by a particular administrator. As you noticed during the configuration, only a subset of the roles available in the tenant honor administrative unit scoping.