Using Azure AD Administrative Units to Scope Compliance Administrator Responsibilities
In a development designed to give complex organizations extra flexibility in managing Purview solutions, Azure AD administrative units can now be used to assign segregated responsibility for policy management. The feature is already available for information protection and data loss prevention, and Microsoft 365 message center notification MC541152 (13 April 2023, Microsoft 365 roadmap item 117354) extends it to data lifecycle management (retention policies and retention label policies). The functionality is in preview and is expected to roll out in June 2023. For now, it is only available in commercial tenants.
Limiting Scope for Administrators
Microsoft Purview uses administrative role groups to define what the members of each group can do. Each role group has a set of one or more roles to break down the scope of what an administrator can do into smaller tasks. For instance, the compliance administrator role group includes roles like “compliance search” (needed to run eDiscovery searches) and “retention management” (needed to work with retention labels and policies).
The default situation for a Microsoft 365 tenant is that compliance role groups have an organization-wide scope. In other words, once someone is in a role group, they can use the roles assigned to the group to perform administrative operations across the entire organization. This approach works well for small to medium organizations. It becomes less satisfactory as the size and complexity of organizations grow. For instance, a company might have IT administrators based in separate countries or assigned to handle work for different departments or operating units. In these situations, it might not be appropriate to have an administrator whose primary focus is dealing with French operations handle retention policies for German accounts.
Administrators and Administrative Units
Azure AD Administrative units allow an organization to logically organize directory objects into smaller units for management purposes. User accounts can be in multiple administrative units. For example, a user account could be in an administrative unit for their department and another for their country.
It’s very easy to create an administrative unit and add user accounts to it manually. It’s even easier and more powerful to use dynamic administrative units where Azure AD maintains the membership of the administrative unit based on object properties. And once you set up and populate the administrative units, you can assign them to members of Purview compliance role groups. In Figure 1, two members of the role group can work across the organization while the other three are limited to one or more administrative units.
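The steps above (create an administrative unit, let Azure AD maintain a dynamic membership, or add accounts by hand, then verify what the unit contains before assigning it to a role group member) as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original post; the unit names, the country-based rule, and the jessica.chen@contoso.com account are assumptions for illustration, and the tenant needs the Azure AD Premium P1 licensing discussed later in the article.

```powershell
# Added example (not from the original post): build the two kinds of administrative
# unit described above and check their membership with the Microsoft Graph SDK.
# Assumptions: unit names, the membership rule and the sample UPN are placeholders.

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "User.Read.All"

# 1. Dynamic administrative unit. Azure AD evaluates the rule itself, so the scope a
#    compliance administrator receives tracks the directory rather than a list
#    someone has to remember to maintain.
$dynamicParams = @{
    displayName                   = "United States"
    description                   = "Scope for compliance administrators handling US accounts"
    membershipType                = "Dynamic"
    membershipRule                = '(user.country -eq "United States")'
    membershipRuleProcessingState = "On"
}
$dynamicAu = New-MgDirectoryAdministrativeUnit -BodyParameter $dynamicParams
Write-Host ("Created dynamic unit {0} ({1})" -f $dynamicAu.DisplayName, $dynamicAu.Id)

# 2. Assigned (static) administrative unit. A unit is either dynamic or assigned,
#    never both, so manual membership is shown on a second unit.
$staticAu = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName = "US Litigation Hold Team"
    description = "Manually maintained scope"
}
$user = Get-MgUser -Filter "userPrincipalName eq 'jessica.chen@contoso.com'"   # assumed UPN
if (-not $user) { throw "Sample account not found; adjust the UPN above" }
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $staticAu.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
}

# 3. Verify what each unit actually contains before handing it to a role group
#    member. Dynamic membership is evaluated asynchronously, so a freshly created
#    unit can be empty for a few minutes; re-run this check rather than assuming
#    the rule matched what you expected.
function Get-AuMemberReport {
    param([Parameter(Mandatory)][string]$AdministrativeUnitId)
    Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $AdministrativeUnitId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName, Country } |
        Select-Object DisplayName, UserPrincipalName, Country
}

foreach ($au in @($dynamicAu, $staticAu)) {
    Write-Host "`nMembers of '$($au.DisplayName)':"
    Get-AuMemberReport -AdministrativeUnitId $au.Id | Format-Table -AutoSize
}
```

The membership check is the part worth keeping in a runbook: an administrator scoped to a dynamic unit inherits whatever the rule currently matches, so a mistyped attribute value on an account silently moves it in or out of that administrator's reach.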
Figure 1: Assigning members of a compliance role group to Azure AD administrative units
Azure AD Administrative Units and Adaptive Scopes
Data lifecycle management already has adaptive scopes, introduced in late 2021. Adaptive scopes allow organizations to target specific users, groups, and sites based on certain properties like a user’s country or department. It seems like an overlap might exist here but that’s not the case. Administrative units are all about limiting what an administrator can do when managing policies. Adaptive scopes are all about limiting the scope of processing when background jobs come to process the policies.
Looking back to Figure 1, Jessica Chen is an administrator whose limit is defined by the United States administrative unit. Any retention policy created by Jessica can only apply to accounts within that administrative unit. Figure 2 shows how to scope a retention policy to an administrative unit.
Figure 2: Adding an administrative unit to a retention policy
By contrast, my account is scoped for the organization, meaning that the policies I work with can apply to everyone in the organization. Remember that an account can come within the scope of multiple retention policies, including Exchange Online mailbox retention policies, and individual items can carry retention labels. The background jobs that apply policies follow the principles of retention to resolve competing retention requirements for an item.
Behind the scenes, the introduction of administrative units into the mix means that the background jobs (like the Exchange Managed Folder Assistant and the Retention assistant) make sure that a policy scoped to administrative units is not applied to accounts that are not in those administrative units.
One way of thinking about this is that every data lifecycle management policy is scoped in some way and that the background jobs enforce the scope when they run. In terms of flexibility, scoping runs from least adaptive to most adaptive:
Organization-wide with static locations (the default, available in Office 365 E3).
Organization-wide with adaptive locations (requires Office 365 E5).
Administrative unit with static locations.
Administrative unit with adaptive locations.
Policies that use administrative units only process locations (like a mailbox) belonging to the administrative unit even if administrators add other locations to the policy.
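Because a policy scoped to an administrative unit silently skips any location outside that unit, it is worth checking a policy's mailbox locations against the unit's membership before relying on it. The script below does that as an added example; it is not code from the original post. It assumes the policy name and unit name shown are placeholders, and that the ExchangeLocation entries returned by Get-RetentionCompliancePolicy -DistributionDetail expose the mailbox address in their Name property (check this against your tenant's output before trusting the report).

```powershell
# Added example (not from the original post): report which mailbox locations in a
# retention policy sit inside a given administrative unit and which do not.
# Requires Security & Compliance PowerShell and the Microsoft Graph PowerShell SDK.
# Assumptions: $policyName and $auName are placeholders; ExchangeLocation entries
# are assumed to carry the mailbox address in .Name.

Connect-IPPSSession
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "User.Read.All"

$policyName = "US Mailbox Retention"   # assumed policy name
$auName     = "United States"          # assumed administrative unit name

$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) { throw "Administrative unit '$auName' not found" }

# Case-insensitive set of UPNs that belong to the unit.
$auUpns = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName } |
    ForEach-Object { [void]$auUpns.Add($_.UserPrincipalName) }

$policy    = Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail
$locations = @($policy.ExchangeLocation)

function Get-LocationName {
    # Entries are strings ("All") for the default policy, objects otherwise.
    param($Location)
    if ($Location -is [string]) { return $Location }
    return [string]$Location.Name
}

if ($locations.Count -eq 1 -and (Get-LocationName $locations[0]) -eq 'All') {
    # "All" in a unit-scoped policy still resolves to the unit's members only.
    Write-Host ("Policy '{0}' targets all mailboxes; with unit scoping its effective scope is the {1} account(s) in '{2}'." -f $policyName, $auUpns.Count, $auName)
    return
}

$report = foreach ($loc in $locations) {
    $name = Get-LocationName $loc
    [pscustomobject]@{
        Location  = $name
        InUnit    = $auUpns.Contains($name)
    }
}
$report | Sort-Object InUnit | Format-Table -AutoSize

$outside = @($report | Where-Object { -not $_.InUnit })
if ($outside.Count -gt 0) {
    Write-Warning ("{0} location(s) are in '{1}' but outside '{2}'; the background job will not process them." -f $outside.Count, $policyName, $auName)
}
```

Run this after any change to the policy's locations or to the unit's membership rule; the warning is the signal that someone added a mailbox the unit-scoped policy can never act on.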
Support in Other Purview Solutions
Administrative unit support is available in the following Microsoft Purview solutions:
Data Loss Prevention (DLP): Management of DLP policies, including restricting the visibility of DLP alerts to administrators.
Information Protection: Management of sensitivity label publishing policies. This includes the ability to see label actions in the Activity Explorer.
Licensing
To use administrative units, you need Azure AD Premium P1 licenses for every account in an administrative unit. Given that Enterprise Mobility and Security (EMS) now has 250 million users, the large enterprises likely to want to use administrative units have these licenses.
To assign administrative units to Purview administrators, each administrator needs one of the following licenses: Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance or F5 Security & Compliance, or Microsoft 365 E5/A5/F5 Information Protection & Governance. This requirement is a surprise, as Office 365 E5 is usually sufficient to cover advanced compliance functionality.