Teams Real Simple with Pictures: Using Restricted Management Administrative Units in Microsoft Entra ID

This blog is part of a series on Teams. For more articles, check back often

Written: 16/07/2023 | Updated: N/A

This week I’ve been asked what I think about the rebranding of Azure AD to Microsoft Entra ID. Is it something I would consider significant? Is it something I think occurred because, for example, some marketers in Redmond have nothing better to do? Let’s consider that for a moment. In recent years, Microsoft has executed multiple large-scale rebrands: Office 365 to Microsoft 365; Azure to Microsoft Azure; the Security stack aligned under Defender, whilst Compliance was amalgamated under Purview. So my thinking goes that the rebranding of Azure AD was only ever a matter of time; it was only ever going to go one way once Microsoft Entra became the brand for Microsoft’s identity services. If anything, all these cases illustrate that Microsoft is not beholden to names or brands, whether these are historical or popular, or have become embedded in the day-to-day language of the very organisations and communities that use them. This was demonstrated again last week, with not much fanfare, when Microsoft also announced that it was ditching its default Calibri font in favour of the newly developed Aptos. But then Microsoft is a technology business after all. Its mantra is that change and innovation are constant. This leads on to point two. There are things that drive change and innovation other than technology. We as technologists can lose sight of the fact that Microsoft is, first and foremost, when everything is stripped away, a sales-led technology business. Sometimes we don’t perceive or appreciate the value of changing it up, because it’s not our role to give these products fresh impetus, or drive astronomical numbers in a given area, or reduce a product’s value and everything it does to a single name. I think the rebrand makes absolute sense given Microsoft’s plans for Security, Compliance and Identity. Consistency across the range. An easier conversation for commercial.
A broader and more robust terminology which allows the addition of more products, such as we saw with Security Service Edge (SSE). It may just be me, but it feels more unified yet clear cut and distinct from other parts. I also think it’s a savvy move to take Azure, the platform, out of the name. But don’t get me wrong here. Many of us are going to have to swallow some pain, especially those of us who create or maintain content or teach. And yes, it’s sad too, in that it feels like an institution is ending. But let’s look forward with gusto. It’s not the last one of these we’ll be doing. Change is constant.

This blog is on the new Restricted Management Administrative Units capability, now in preview in Microsoft Entra ID. You can now designate specific users, security groups, or devices in your Microsoft Entra ID tenant that you want to protect from modification by tenant-level administrators. Obviously this has benefits in certain scenarios, typically larger orgs where administration is based on geos. We also need to understand that at this preview stage this is based on Microsoft Entra ID actions, such as modifying users and licences, not management of the services themselves. In the Teams world, I am going to apply a use case of managing users with Teams Premium licencing.

Let’s go.

This blog will cover

  • Configuring Restricted Management Administrative Units
  • How do we know it worked?
  • FAQ

Note this blog will have abridged steps which will assume some experience with Microsoft Entra ID. All blogs will use the new Teams Desktop Client 2.1+ where possible and applicable.

Prerequisites

  • Microsoft Entra Plan 1 Licence for the Restricted Management Administrative Unit Administrator
  • Microsoft Entra Free for all Administrative Unit members
  • Global Administrator for setup, or role which permits the addition of Administrative Units
  • This functionality is in preview at the time of writing and is liable to change

CONFIGURING RESTRICTED MANAGEMENT ADMINISTRATIVE UNITS
In this scenario the organisation has several administrators. It is required that 5 members of staff who have been assigned the Teams Premium Licence should never have that licence removed by any administrator other than Megan Bowen. Megan Bowen, the Teams Administrator for the organisation, will be the only one who controls their licencing, through a Restricted Management Administrative Unit.

1.) Log in as a Global Admin (or an admin with a Microsoft Entra ID role with the ability to manage Administrative Units) to https://login.microsoftonline.com and, from the left navigation or the waffle, select Admin

2.) In the left navigation of the Microsoft 365 Portal select Billing then Licences. Select the Microsoft Teams Premium Licence to grab a list of the 5 users using the SKU. In this example, there is Adele, Alex, Allan, Debra and Diego. Alternatively, this can be done through the Billing section of Microsoft Entra ID itself.

3.) From the left navigation select Identity

4.) In the Microsoft Entra Admin Centre select Roles & admins and then Admin Units

5.) Select Add

6.) Under Properties give the Administrative Unit a Name and Description (here called RMAU_Teams Premium Users) and ensure that Restricted Management Administrative Unit is set to Yes. Then select the tab Assign Roles

7.) There are many Microsoft Entra ID roles which can be assigned to an administrative unit, depending on the scenario it is intended to solve. Since the requirement is that Megan Bowen is the only person in the organisation who manages the Teams Premium licencing for those specific Teams users, this example selects the Licence Administrator Microsoft Entra ID role and assigns that role to Megan Bowen.

8.) Review the restricted management administrative unit, then select Create

9.) Now select the created Restricted Management Administrative Unit

10.) Select Add Member

13.) Add all the members with Teams Premium licences and then select the button Select

14.) The users have now been added to the Restricted Management Administrative Unit

Our job here is done. A Restricted Management Administrative Unit has been set up and ensures that Megan Bowen is the only administrator who can make licencing changes to those who currently have Teams Premium Licences, even when other administrators have Microsoft Entra ID roles such as Licence Administrator or Global Administrator.
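The same setup can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the unit name from the steps above, a placeholder UPN for Megan Bowen, and that the Teams Premium SKU part number matches '*Teams_Premium*'.

```powershell
# Added example (not from the original post): builds the RMAU_Teams Premium Users unit
# via Microsoft Graph. Assumptions: placeholder UPN, '*Teams_Premium*' SKU filter.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All','RoleManagement.ReadWrite.Directory',
                        'User.Read.All','Organization.Read.All'

# 1. Find the users currently holding a Teams Premium licence (SKU filter is an assumption)
$sku     = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -like '*Teams_Premium*' }
$members = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
           Where-Object { $_.AssignedLicenses.SkuId -contains $sku.SkuId }

# 2. Create the administrative unit with restricted management switched on
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = 'RMAU_Teams Premium Users'
    description                  = 'Teams Premium users; licence changes by the scoped admin only'
    isMemberManagementRestricted = $true
}

# 3. Scope the License Administrator role to Megan Bowen inside the unit.
#    Get-MgDirectoryRole only returns roles already activated in the tenant; if this
#    comes back empty, activate it first with New-MgDirectoryRole -RoleTemplateId.
$role  = Get-MgDirectoryRole -Filter "displayName eq 'License Administrator'"
$megan = Get-MgUser -UserId 'MeganB@contoso.example'   # placeholder UPN
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{
    roleId         = $role.Id
    roleMemberInfo = @{ id = $megan.Id }
}

# 4. Add each licensed user as a member of the restricted unit
foreach ($u in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)"
    }
    "Added $($u.UserPrincipalName) to $($au.DisplayName)"
}
```

Run this as the Global Administrator doing the setup; once the members are added, that same Global Administrator is subject to the restriction on them.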

HOW DO WE KNOW IT WORKED
As a user with the Global Administrator role, I try to remove the Teams Premium Licence from one of the users in the Restricted Management Administrative Unit. I cannot do this through the Microsoft 365 Admin Portal.

In Microsoft Entra ID, I cannot remove the licence either, nor in PowerShell.

Only Megan Bowen has the capability to remove licences from the users of the Restricted Management Administrative Unit at this point.
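The PowerShell check above can be reproduced with the Microsoft Graph SDK, first confirming the unit is restricted and holds the expected members, then attempting the licence removal. This is an added example, not the post's own script; it assumes the unit name from the steps, a placeholder UPN for one protected user and the '*Teams_Premium*' SKU filter.

```powershell
# Added example (not from the original post): verify the RMAU and test the restriction.
# Assumptions: unit name from the post, placeholder UPN, '*Teams_Premium*' SKU filter.
Connect-MgGraph -Scopes 'AdministrativeUnit.Read.All','User.ReadWrite.All','Organization.Read.All'

# Confirm the unit exists, is restricted, and list who is protected by it
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'RMAU_Teams Premium Users'"
"Restricted management enabled: $($au.IsMemberManagementRestricted)"
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    ForEach-Object { "  member: $($_.AdditionalProperties['userPrincipalName'])" }

# Attempt the licence removal described in the text. Run once signed in as a
# Global Administrator (expected: an authorization error) and once as Megan Bowen
# (expected: success), and compare the two outcomes.
$sku  = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -like '*Teams_Premium*' }
$user = Get-MgUser -UserId 'AdeleV@contoso.example'   # placeholder UPN of a protected user
try {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses @($sku.SkuId) -AddLicenses @() | Out-Null
    "Licence removed by $((Get-MgContext).Account)"
} catch {
    "Blocked for $((Get-MgContext).Account): $($_.Exception.Message)"
}
```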

FAQ

Q. Is this a realistic scenario to use RMAUs for, in terms of licencing?
A. I have been asked previously for functionality such as this in the area of licencing, but in real life RMAUs would typically be used more for actions such as password resets or modification of Microsoft Entra ID information for sensitive/VIP users. This licencing example has served us well to demonstrate how RMAUs can be configured and used, as well as how they could be used in the context of Teams.

Q. What happens if Megan Bowen in that scenario left the business? Are those users then prevented from licence modification?
A. No, the Global Administrator could simply remove the Restricted Management Administrative Unit from Microsoft Entra ID and recreate it, adding another AU administrator to replace Megan Bowen. Whilst this means that a global admin could ultimately backdoor a change should they need to, per Microsoft documentation these changes would be auditable.

Q. Are Groups supported?
A. At the time of writing, documentation points to supporting Security Groups, but not Microsoft 365 Groups or Distribution Lists. This would be necessary in organisations with large numbers of users.

Q. Do RMAUs prevent modification of services, such as the Teams Admin Centre?
A. No, at the current time RMAUs, as defined by the documentation, block only operations that directly modify the Microsoft Entra ID properties, whereas operations on related objects in Microsoft 365 services aren’t affected. In other words, RMAUs can’t be used with the Teams Admin Centre, nor the Exchange Admin Centre, today. There is nothing to state whether this would change in the future or on what timescale.

Q. Where can I find out more on Restricted Management Administrative Units?
A. https://learn.microsoft.com/en-gb/azure/active-directory/roles/admin-units-restricted-management
