Merge pull request #106833 from curtand/anand0305

[Azure AD roles] use admin units for role scope

Author: v-albemi

articles/active-directory/users-groups-roles/TOC.yml

@@ -149,6 +149,7 @@
     - name: Service plan IDs for licensing
       href: licensing-service-plan-reference.md
   - name: Azure AD administrator roles    
+    expanded: true
     items: 
     - name: Roles and permissions
       href: directory-assign-admin-roles.md
@@ -180,6 +181,20 @@
         href: directory-admin-roles-secure.md  
       - name: Create emergency accounts    
         href: directory-emergency-access.md
+    - name: Administrative units preview
+      items:
+      - name: Administrative units overview  
+        href: directory-administrative-units.md
+      - name: Add & manage AUs
+        href: roles-admin-units-manage.md
+      - name: Add & manage users in AUs
+        href: roles-admin-units-add-manage-users.md
+      - name: Add & manage groups in AUs
+        href: roles-admin-units-add-manage-groups.md
+      - name: Assign a role with AU scope
+        href: roles-admin-units-assign-roles.md
+      - name: FAQ and troubleshooting
+        href: roles-admin-units-faq-troubleshoot.md
   - name: Manage sign-in
     items:    
     - name: Customize company branding    
@@ -211,4 +226,4 @@
   - name:  Azure AD PowerShell for Graph
     href: https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
   - name: Azure AD service limits
-    href: directory-service-limits-restrictions.md
+    href: directory-service-limits-restrictions.md

articles/active-directory/users-groups-roles/directory-administrative-units.md

@@ -9,32 +9,95 @@ ms.service: active-directory
 ms.topic: article
 ms.subservice: users-groups-roles
 ms.workload: identity
-ms.date: 11/13/2019
+ms.date: 04/16/2020
 ms.author: curtand
 ms.reviewer: elkuzmen
 ms.custom: oldportal;it-pro;
 ms.collection: M365-identity-device-management
 ---
 # Administrative units management in Azure Active Directory (preview)
 
-This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. In this preview release, these resources can be only users. For example, an administrative unit-scoped User account admin can update profile information, reset passwords, and assign licenses for users only in their administrative unit.
+This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. In this preview release, an administrative unit can contain only users and groups.
 
-You can use administrative units to delegate administrative permissions over subsets of users and applying policies to a subset of users. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level.
+Administrative units allow you to grant admin permissions that are restricted to a department, region, or other segment of your organization that you define. You can use administrative units to delegate permissions to regional administrators or to set policy at a granular level. For example, a User account admin could update profile information, reset passwords, and assign licenses for users only in their administrative unit.
+
+ For example, delegating to regional support specialists the [Helpdesk Administrator](directory-assign-admin-roles.md#helpdesk-administrator) role restricted to managing just the users in the region they support.
 
 ## Deployment scenario
 
-Administrative units can be useful in organizations with independent divisions. Consider the example of a large university that is made up of many autonomous schools (School of Business, School of Engineering, and so on) that each has their own IT administrators who control access, manage users, and set policies for their school. A central administrator could create an administrative unit for the School of Business and populate it with only the business school students and staff. Then the central administrator can add the Business school IT staff to a scoped role that grants administrative permissions over only Azure AD users in the business school administrative unit.
+Restricting administrative scope using administrative units can be useful in organizations that are made up of independent divisions of any kind. Consider the example of a large university that is made up of many autonomous schools (School of Business, School of Engineering, and so on) that each has a team of IT admins who control access, manage users, and set policies for their school. A central administrator could:
+
+- Create a role with administrative permissions over only Azure AD users in the business school administrative unit
+- Create an administrative unit for the School of Business
+- Populate the admin unit with only the business school students and staff
+- Add the Business school IT team to the role with their scope
 
 ## License requirements
 
-To use administrative units requires an Azure Active Directory Premium license for each administrative unit admin. For more information, see [Getting started with Azure AD Premium](../fundamentals/active-directory-get-started-premium.md).
+Using administrative units requires an Azure Active Directory Premium license for each administrative unit admin, and Azure Active Directory Free licenses for administrative unit members. For more information, see [Getting started with Azure AD Premium](../fundamentals/active-directory-get-started-premium.md).
+
+## Manage administrative units
+
+In this preview release, you can manage administrative units using the Azure portal, PowerShell cmdlets and scripts, or the Microsoft Graph. You can refer to our documentation for details:
+
+- [Create, remove, populate, and add roles to administrative units](roles-admin-units-manage.md): Complete how-to procedures
+- [Working with Admin Units](https://docs.microsoft.com/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0): How to work with administrative units using PowerShell
+- [Administrative Unit Graph support](https://docs.microsoft.com/graph/api/resources/administrativeunit?view=graph-rest-beta): Detailed documentation on Microsoft Graph for administrative units.
+
+### Planning your administrative units
+
+Administrative units can be used to logically group Azure AD resources. For example, for an organization whose IT department is scattered globally, it might make sense to create administrative units that define those geographical boundaries. In another scenario where a multi-national organization has different "sub-organizations", that are semi-autonomous in operations, each sub-organization may be represented by an administrative unit.
+
+The criteria on which administrative units are created will be guided by the unique requirements of an organization. Administrative Units are a common way to define structure across M365 services. We recommend that you prepare your administrative units with their use across M365 services in mind. You can get maximum value out of administrative units when you can associate common resources across M365 under an administrative unit.
+
+You can expect the creation of administrative units in the organization to go through the following stages:
+
+1. Initial Adoption: Your organization will start creating administrative units based on initial criteria and the number of administrative units will increase as the criteria is refined.
+1. Pruning: Once the criteria is well defined, administrative units that are no longer required will be deleted.
+1. Stabilization: Your organizational structure is well defined and the number of administrative units is not going to change significantly over short durations.
+
+## Currently supported scenarios
+
+Global administrators or Privileged role administrators can use the Azure AD portal to create administrative units, add users as members of administrative units, and then assign IT staff to administrative unit-scoped administrator roles. The administrative unit-scoped admins can then use the Office 365 portal for basic management of users in their administrative units.
+
+Additionally, groups can be added as members of administrative unit, and an admin unit-scoped group administrator can manage them using PowerShell, the Microsoft Graph, and the Azure AD portal.
+
+The below table describes current support for administrative unit scenarios.
+
+### Administrative unit management
+
+Permissions |   MS Graph/PowerShell   | Azure AD portal | Microsoft 365 admin center
+----------- | ----------------------- | --------------- | -----------------
+Creating and deleting administrative units   |    Supported    |   Supported   |    Not supported
+Adding and removing administrative unit members individually    |   Supported    |   Supported   |    Not supported
+Bulk adding and removing administrative unit members using .csv file   |    Not supported     |  Supported   |    No plan to support
+Assigning administrative unit-scoped administrators  |     Supported    |   Supported    |   Not supported
+Adding and removing AU members dynamically based on attributes | Not supported | Not supported | Not supported
+
+### User management
+
+Permissions |   MS Graph/PowerShell   | Azure AD portal | Microsoft 365 admin center
+----------- | ----------------------- | --------------- | -----------------
+administrative unit-scoped management of user properties, passwords, licenses   |    Supported     |  Supported   |   Supported
+administrative unit-scoped blocking and unblocking of user sign-ins    |   Supported   |    Supported   |    Supported
+administrative unit-scoped management of user MFA credentials   |    Supported   |   Supported   |   Not supported
+
+### Group management
 
-## Managing administrative units
+Permissions |   MS Graph/PowerShell   | Azure AD portal | Microsoft 365 admin center
+----------- | ----------------------- | --------------- | -----------------
+administrative unit-scoped management of group properties and members     |  Supported   |    Supported    |  Not supported
+administrative unit-scoped management of group licensing   |    Supported  |    Supported   |   Not supported
 
-In this preview release, the only way you can create and manage administrative units is to use the Azure Active Directory Module for Windows PowerShell cmdlets as described in [Working with Administrative Units](https://docs.microsoft.com/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0)
+> [!NOTE]
+>
+> Administrators with an administrative unit scope can't manage dynamic group membership rules.
 
-For more information on software requirements and installing the Azure AD module, and for reference information on the Azure AD Module cmdlets for managing administrative units, including syntax, parameter descriptions, and examples, see [Azure Active Directory PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/overview?view=azureadps-2.0).
+Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their [default user permissions](../fundamentals/users-default-permissions.md) to browse other users, groups, or resources outside of the administrative unit. In the Office 365 portal, users outside of a scoped admin's administrative units are filtered out, but you can browse other users in the Azure AD portal, PowerShell, and other Microsoft services.
 
 ## Next steps
 
-[Azure Active Directory editions](../fundamentals/active-directory-whatis.md)
+- [Managing AUs](roles-admin-units-manage.md)
+- [Manage users in AUs](roles-admin-units-add-manage-users.md)
+- [Manage groups in AUs](roles-admin-units-add-manage-groups.md)
+- [Assign scoped roles to an AU](roles-admin-units-assign-roles.md)

articles/active-directory/users-groups-roles/directory-assign-admin-roles.md

@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
 
 # Administrator role permissions in Azure Active Directory
 
-Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The default user permissions can be changed only in user settings in Azure AD.
+Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The [default user permissions](../fundamentals/users-default-permissions.md) can be changed only in user settings in Azure AD.
 
 ## Limit use of Global administrator
 
@@ -1331,6 +1331,7 @@ Can manage Office apps' cloud services, including policy and settings management
 | microsoft.office365.messageCenter/messages/read | Read messages in microsoft.office365.messageCenter. |
 | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Office 365 Service Health. |
 | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. |
+| microsoft.office365.usageReports/allEntities/read | Read Office 365 usage reports. |
 | microsoft.office365.userCommunication/allEntities/allTasks | Read and update What's New messages visibility. |
 | microsoft.office365.webPortal/allEntities/basic/read | Read basic properties on all resources in microsoft.office365.webPortal. |