When migrating from Active Directory to Azure Active Directory you move an essentially from a tree based structure where you might have multiple domains, forest and a large OU structure to more a flat tenant structure within Azure Active Directory. This means that a lot of the management capabilities needs to change on how you delegate access to certain parts of your Azure Active Directory tenant.
If you have a organisational structure where you have either contry specific IT-operations or based into different departments you might need to delegate certain user administration tasks such as password reset or update certain user details trough Azure AD, but still not want to delegate access directly on a tenant structure.
This is where Administrative Units (AU) comes in. This allows you to have a virtual container (As with OU’s in Active Directory) membership based upon users and groups (not machines like in Active Directory) and then delegate access on a AU level
The use of administrative units requires an Azure Active Directory Premium license for each administrative unit admin, and Azure Active Directory Free licenses for administrative unit members. Administrative Units can be created directly in the azure Portal, when creating an AU you define who should have access to this AU and also what kind of permissions that user should have.
The following security principals can be assigned to a role with an administrative unit scope:
- Role assignable cloud groups (preview)
- Service Principal Name (SPN)
Once a AU is created you can add users or groups to it.
So from an AU perspective you can do user and group management
For those that have been assigned access to a Administrative Unit also can use the MyStaff feature as part of Office 365. For instance you can reset user password directly from (https://mystaff.microsoft.com/)
Here you can reset passord or add phone numbers to allow for authentication. So this is one way that you can use AU and MyStaff to delegate user administration across your Azure AD tenant.