What you can do with restricted management administrative units
With restricted management administrative units, you can now designate specific users, security groups, or devices in your Microsoft Entra ID tenant that you want to protect from modification by tenant-level administrators.
Here are some situations in which this is useful:
- You want to protect sensitive user accounts, such as C-level executives, from being able to have their password or multifactor authentication settings changed by regular helpdesk administrators.
- You want to ensure that certain user accounts, security groups, or devices from a specific country can only be modified by designated administrators from that country.
- You have specific security groups granting access to sensitive data and you want to restrict who can modify the membership only to a small set of administrators.
By placing your sensitive objects in a restricted management administrative unit, your tenant-level administrators will not be able to modify them. Only the administrators you explicitly assign to the scope of the administrative unit itself will be able to make changes.
Tenant-scoped and other admin unit-scoped administrators are blocked from resetting executives' account passwords. Only the explicitly designated Executive admin can manage these accounts.
This is a much easier way to protect your sensitive objects than having to identify and scope every single role assignment in the tenant just to your non-sensitive objects.
How to use restricted management administrative units in your tenant
Here's a quick example of how restricted management administrative units make it a breeze to secure a few sensitive user accounts in your tenant:
1. Under , select Admin units and click Add to create a new administrative unit.
2. Set the Restricted management administrative unit setting to “Yes” and click Next: Assign Roles
3. Add the designated administrator(s) who should be the helpdesk administrators for these sensitive accounts (these are the people who you do want to manage the accounts) and finish creating the administrative unit.
4. Now, you can go ahead and add the sensitive user accounts to the restricted management administrative unit you just created (just like you would for any other administrative unit).
That's it! Now the sensitive user accounts can only be modified by the users you designated, regardless of how many other administrative roles may be assigned in your tenant.
To learn more details about how restricted management administrative units can help you secure sensitive resources in your tenant, check out our product documentation!
Partner Manager, Product Management
Microsoft Identity Division
Learn more about Microsoft identity: