Entra ID Administrative Units and Microsoft Purview Data Lifecycle Management

Use Entra ID Administrative Units to Scope Compliance Administrator Responsibilities

In a development designed to give complex organizations extra flexibility in managing Purview solutions, Entra ID (Azure AD) administrative units can now be used to assign segregated responsibility for policy management. This feature is available in information protection and data loss prevention, and now (Microsoft 365 message center notification MC541152 (13 Apr 2023, Microsoft 365 roadmap item 117354) data lifecycle management (retention and label policies). The functionality is in preview and is expected to roll out in June 2023. For now, the functionality is only available in commercial tenants.

Limiting Scope for Administrators

Microsoft Purview uses administrative role groups to define what the members of each group can do. Each role group has a set of one or more roles to break down the scope of what an administrator can do into smaller tasks. For instance, the compliance administrator role group includes roles like “compliance search” (needed to run eDiscovery searches) and “retention management” (needed to work with retention labels and policies).

The default situation for a Microsoft 365 tenant is that compliance role groups have an organization-wide scope. In other words, once someone is in a role group, they can use the roles assigned to the group to perform administrative operations across the entire organization. This approach works well for small to medium organizations. It becomes less satisfactory as the size and complexity of organizations grow. For instance, a company might have IT administrators based in separate countries or assigned to handle work for different departments or operating units. In these situations, it might not be appropriate to have an administrator whose primary focus is dealing with French operations handle retention policies for German accounts.

Administrators and Entra ID Administrative Units

Administrative units allow an organization to logically organize directory objects into smaller units for management purposes. User accounts can be in multiple administrative units. For example, a user account could be in an administrative unit for their department and another for their country.

It’s very easy to create an administrative unit and add user accounts to it manually. It’s even easier and more powerful to use dynamic administrative units where Entra ID maintains the membership of the administrative unit based on object properties. And once you set up and populate the administrative units, you can assign them to members of Purview compliance role groups. In Figure 1, two members of the role group can work across the organization while the other three are limited to one or more administrative units.

 Assigning members of a compliance role group to Entra ID administrative units
Figure 1: Assigning members of a compliance role group to Entra ID administrative units

Entra ID Administrative Units and Adaptive Scopes

Data lifecycle management already has adaptive scopes, introduced in late 2021. Adaptive scopes allow organizations to target specific users, groups, and sites based on certain properties like a user’s country or department. It seems like an overlap might exist here but that’s not the case. Administrative units are all about limiting what an administrator can do when managing policies. Adaptive scopes are all about limiting the scope of processing when background jobs come to process the policies.

Looking back to Figure 1, Jessica Chen is an administrator whose limit is defined by the United States administrative unit. Any retention policy created by Jessica can only apply to accounts within that administrative unit. Figure 2 shows how to scope a retention policy to an administrative unit.

Figure 2: Adding an administrative unit to a retention policy

By contrast, my account is scoped for the organization, meaning that the policies I work with apply to everyone in the organization. Remember, an account can come within the scope of multiple retention policies, including Exchange Online mailbox retention polices and individual items can have retention labels. The background jobs which apply policies follow principles of retention to decide how to resolve the retention requirements for items.

Behind the scenes, the introduction of administrative units into the mix means that the background jobs (like the Exchange Managed Folder Assistant and the Retention assistant) make sure that a policy scoped to administrative units is not applied to accounts that are not in those administrative units.

One way of thinking about this is that all data lifecycle management use adaptive scopes and that the background jobs enforce the scopes when they run. In terms of flexibility, scoping runs from least adaptive to most adaptive:

  • Organization-wide with static locations (the default, available in Office 365 E3)..
  • Organization-wide with adaptive locations (requires Office 365 E5).
  • Administrative-unit with static locations.
  • Administrative unit with adaptive locations.

Policies that use administrative units only process locations (like a mailbox) belonging to the administrative unit even if administrators add other locations to the policy.

Support for Entra ID Administrative Units in Other Purview Solutions

Administrative unit support is available in the following Microsoft Purview solutions:

  • Data Loss Prevention (DLP): Management of DLP policies, including restricting the visibility of DLP alerts to administrators.
  • Information Protection: Management of sensitivity label publishing policies. This includes the ability to see label actions in the Activity Explorer.


To use administrative units, you need Entra ID Premium P1 licenses for every account in an administrative unit. Given that Enterprise Mobility and Security (EMS) now has 250 million users, the large enterprises likely to want to use administrative units have these licenses.

To assign administrative units to Purview administrators, you need (Microsoft 365 E5/A5, Microsoft 365 E5/A5/F5 Compliance and F5 Security & Compliance, or Microsoft 365 E5/A5/F5 Information Protection & Governance) licenses for each administrator. This requirement is as surprise as usually Office 365 E5 is sufficient to cover advanced functionality.

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.