Protecting Emergency Access Accounts with Microsoft Entra ID Restricted Management Administrative Units

Overview

Restricted management administrative units in Microsoft Entra ID allow you to protect specific objects in your tenant from being modified by anyone except a designated set of administrators. This capability enables organizations to meet stringent security or compliance requirements without removing tenant-level role assignments from their administrators.

Benefits of Restricted Management Administrative Units

Restricted management administrative units can help manage access in your tenant in the following scenarios.

[Diagram-1: Restricted Management Administrative Units]

Protecting C-Level Executive Accounts

To ensure Helpdesk Administrators cannot reset passwords or access BitLocker recovery keys for executive accounts, these accounts can be added to a restricted management administrative unit. A trusted group of administrators can then be explicitly enabled to perform such actions.

Compliance Controls

For scenarios where resources must be managed exclusively by administrators from specific countries or regions, restricted management administrative units provide a robust solution to enforce this requirement. Even Global Administrators are required to explicitly assign themselves a scoped role within these units, ensuring their actions are auditable. Additionally, restricted management administrative units can safeguard Break Glass accounts by preventing unauthorized modifications or accidental deletions.

Securing Sensitive Applications

Organizations managing sensitive applications with security groups can use restricted management administrative units to ensure that only designated administrators can modify group memberships, preventing tenant-scoped administrators from accessing these controls.

Important Note:

Placing objects in restricted management administrative units imposes significant restrictions on who can make changes to the objects. This could potentially disrupt existing workflows.

License Requirements

Restricted management administrative units require a Microsoft Entra ID P1 license for each administrative unit administrator. Members of the administrative unit only require Microsoft Entra ID Free licenses.

Supported Objects

Microsoft Entra Object Type       Administrative Unit   Restricted Management Administrative Unit
Users                             Yes                   Yes
Devices                           Yes                   Yes
Groups (Security)                 Yes                   Yes
Groups (Microsoft 365)            Yes                   No
Groups (Mail-enabled Security)    Yes                   No
Groups (Distribution)             Yes                   No


Blocked and Allowed Operations

For administrators not explicitly assigned to a restricted management administrative unit, the following operations are affected:

Operation                                                                        Result
Read standard properties like user principal name, user photo                    Allowed
Modify any Microsoft Entra properties of the user, group, or device              Blocked
Delete the user, group, or device                                                Blocked
Update password for a user                                                       Blocked
Modify owners or members of the group in the restricted unit                     Blocked
Add users, groups, or devices in a restricted unit to Microsoft Entra groups     Allowed
Modify email and mailbox settings in Exchange                                    Allowed
Apply policies to a device using Intune                                          Allowed
Add or remove a group as a site owner in SharePoint                              Allowed

Object Modification: Who’s in Control?

Only administrators explicitly assigned at the restricted management administrative unit scope can modify the properties of objects within the unit. The following table highlights permissions:

User Role                                                                                                    Result
Global Administrator                                                                                         Blocked
Tenant-scoped administrators (including Global Administrator)                                                Blocked
Administrators assigned at the scope of the restricted management unit                                       Allowed
Administrators assigned at the scope of another restricted management unit of which the object is a member   Allowed
Administrators assigned at the scope of a regular administrative unit of which the object is a member        Blocked
Groups Administrator, User Administrator, and other scoped roles assigned at the scope of a resource         Blocked
Group or device owners                                                                                       Blocked


Challenges and Limitations

  1. The restricted management setting must be applied during the creation of the administrative unit and cannot be changed afterward.
  2. Groups in restricted management administrative units cannot leverage Microsoft Entra ID Governance features like Privileged Identity Management (PIM) or entitlement management.
  3. Role-assignable groups within a restricted management administrative unit cannot have their membership modified by anyone except for specific global roles.
  4. Certain actions, such as password resets for Global Administrators within restricted units, may require removal from the unit for modifications to be possible.
  5. Deleting a restricted management administrative unit can take up to 30 minutes to remove protections from former members.

Application Access and Permissions

Applications cannot modify objects within restricted management administrative units by default. To allow application access, you must assign a Microsoft Entra role to the application scoped to the restricted management administrative unit. Application permissions through Microsoft Graph will not apply unless explicitly granted.


Creating Restricted Management Administrative Units

As illustrated in Diagram-1, we will create three administrative units. The US and UK units will be created with Restricted Management enabled, each with its own Helpdesk Administrator role assignment. The UAE Administrative Unit will be created without enabling Restricted Management.

To begin, we need to create a new administrative unit. This can be done using the Microsoft Entra admin center, Microsoft Entra PowerShell, or Microsoft Graph. Here's how to do it via the admin center:

  1. Sign in: Access the Microsoft Entra admin center using an account with at least Privileged Role Administrator permissions.
  2. Navigate to Admin units: Go to Identity > Roles & admins > Admin units.
  3. Add a new unit: Click Add to create a new administrative unit.
     [Screenshot: Entra ID Administrative units]
  4. Enter details: Provide a name for the administrative unit in the Name field. Optionally, include a description that explains its purpose.
  5. Enable Restricted Management: To prevent tenant-level administrators from managing the objects in this administrative unit, toggle Restricted management administrative unit to Yes.
     [Screenshot: Add administrative unit]

Next, we will assign the Helpdesk Administrator role. The account responsible for regional Helpdesk activities is added via the Assign roles tab. There are 16 built-in roles available, and you can also add your custom Entra ID roles as needed.
[Screenshot: Add Role Assignments]

Now click Review + Create.
[Screenshot: Administrative unit Review + create]

Using the same method, I will create an Administrative Unit for the UK, enabling Restricted Management and assigning a dedicated Helpdesk Administrator user.

For the UAE region, I will create an Administrative Unit without enabling Restricted Management and assign a separate Helpdesk Administrator user account. The tenant-level Helpdesk Administrator will also be able to manage the users within this Administrative Unit.
[Screenshot: Helpdesk Administrator Assignments]


As observed from the above image, the tenant-level Helpdesk Administrator role assignments also appear on the UAE Administrative Unit alongside the unit-scoped Helpdesk Administrator assignment. Since this Administrative Unit does not have Restricted Management enabled, these tenant-level assignments apply without limitation.

The following are the Administrative Units we have created for testing purposes:

[Screenshot: Administrative units List]

Adding Users to Administrative Unit

In Microsoft Entra ID, users, groups, or devices can be added to an Administrative Unit to limit the scope of role permissions. When a group is added to an Administrative Unit, only the group itself falls within the management scope, not its members.

Users or devices can be added or removed manually. Alternatively, dynamic membership groups allow you to add or remove users or devices automatically based on defined rules.

You can manage this process through the Microsoft Entra admin center, where you can add users, groups, or devices individually, in bulk, or by creating a new group within an Administrative Unit.

For our testing, let's proceed to add users to this Administrative Unit.

[Screenshot: Add Members to Administrative units]
I have successfully added users to the US, UK, and UAE Administrative Units.
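The same setup (the US and UK units with Restricted Management, the UAE unit without it, a unit-scoped Helpdesk Administrator on each, and a member added to the US unit) in Microsoft Graph PowerShell, as an added example that is not part of the original post. The user principal names and the description text are placeholders; the cmdlets and the isMemberManagementRestricted property are the ones exposed by the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Built-in role definition; its Id is what the scoped assignment references.
$helpdeskRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

function New-ScopedHelpdeskUnit {
    param(
        [string]$Name,
        [string]$HelpdeskUpn,   # placeholder UPN of the regional helpdesk account
        [bool]$Restricted
    )
    # isMemberManagementRestricted can only be set at creation time (see limitation 1).
    $au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
        displayName                  = $Name
        description                  = "Regional executive accounts (placeholder description)"
        isMemberManagementRestricted = $Restricted
    }
    $admin = Get-MgUser -Filter "userPrincipalName eq '$HelpdeskUpn'"
    # directoryScopeId points at the unit, so the role is AU-scoped rather than tenant-wide.
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
        roleDefinitionId = $helpdeskRole.Id
        principalId      = $admin.Id
        directoryScopeId = "/administrativeUnits/$($au.Id)"
    } | Out-Null
    return $au
}

$usAu  = New-ScopedHelpdeskUnit -Name "US-Executive Accounts"  -HelpdeskUpn "us-helpdesk@contoso.example"  -Restricted $true
$ukAu  = New-ScopedHelpdeskUnit -Name "UK-Executive Accounts"  -HelpdeskUpn "uk-helpdesk@contoso.example"  -Restricted $true
$uaeAu = New-ScopedHelpdeskUnit -Name "UAE-Executive Accounts" -HelpdeskUpn "uae-helpdesk@contoso.example" -Restricted $false

# Add an executive (placeholder UPN) to the US unit by reference.
$exec = Get-MgUser -Filter "userPrincipalName eq 'ceo@contoso.example'"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $usAu.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($exec.Id)"
}

# Verify the two facts the test cases below depend on: the restricted flag and the scoped assignment.
Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $usAu.Id -Property "displayName,isMemberManagementRestricted" |
    Select-Object DisplayName, IsMemberManagementRestricted
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($usAu.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```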

Testing Restricted Management Admin Units

Let us now test each case separately.

Test Case 1: The Helpdesk Administrator assigned to our US-Executive Administrative Unit tries to reset the passwords of members within that Administrative Unit.

The US-Executive Accounts [Restricted management] Administrative Unit Helpdesk Administrator assignment is shown below.
[Screenshot: Helpdesk Administrator Assignments Test Case-1]

The US-Executive Accounts [Restricted management] members are shown below.

[Screenshot: Administrative units Members Test case-1]


We have successfully reset the password of a user in the US-Executive Accounts [Restricted Management] using the Helpdesk Administrator role assigned to this Administrative Unit.

A banner is displayed on the user properties indicating: "This user is a member of a restricted management administrative unit. Management rights are limited to administrators scoped to that administrative unit."
[Screenshot: Entra ID user Password reset Test-Case-1]


Test Case 2: The Helpdesk Administrator assigned to the US-Executive Administrative Unit tries to reset the passwords of members in the UK-Executive Administrative Unit.

The UK-Executive Accounts [Restricted management] Administrative Unit Helpdesk Administrator assignment is shown below.

[Screenshot: Helpdesk Administrator Assignments Test Case-2]

The UK-Executive Accounts [Restricted management] members are shown below.
[Screenshot: Administrative units Members Test case-2]

We are unable to reset the password of a user in the UK-Executive Accounts [Restricted Management] using the Helpdesk Administrator role assigned to the US Administrative Unit. An error is displayed during the reset process stating: "The password cannot be reset. This may be due to insufficient administrative privileges or an attempt to reset your own password."
[Screenshot: Entra ID user Password reset Test-Case-2]

A banner is displayed on the user properties indicating: "This user is a member of a restricted management administrative unit. Management rights are limited to administrators scoped to that administrative unit."

Test Case 3: The Helpdesk Administrator assigned to our US-Executive Administrative Unit tries to reset the passwords of members in the UAE-Executive Administrative Unit, even though that unit is not configured as a Restricted Management Administrative Unit.

The UAE-Executive Accounts Administrative Unit Helpdesk Administrator assignment is shown below.
[Screenshot: Helpdesk Administrator Assignments Test Case-3]

The UAE-Executive Accounts members are shown below.
[Screenshot: Administrative units Members Test case-3]

We are unable to reset the password of a user in the UAE-Executive Accounts using the Helpdesk Administrator role assigned to the US Administrative Unit. An error is displayed during the reset process stating: "The password cannot be reset. This may be due to insufficient administrative privileges or an attempt to reset your own password."

[Screenshot: Entra ID user Password reset Test-Case-3]
In this case, the US Helpdesk Administrator has no role assignment on the UAE Administrative Unit and is not a member of the tenant-level Helpdesk Administrator role, so the reset fails for lack of privilege rather than because of Restricted Management. Since the target user is not part of a Restricted Management Administrative Unit, the corresponding banner is not displayed on the user properties.

Test Case 4: The Global Administrator of the tenant attempts to reset the password for a user in the US-Executive Accounts [Restricted Management] Administrative unit.

Entra ID Tenant Global Administrator accounts are scoped at the directory (tenant) level.

[Screenshot: Global Administrator Assignments]

We are unable to reset the password of a user who is part of the Restricted Management Administrative Unit (in this case, the US-Executive Accounts) using the Tenant Global Administrator account, as it has not been explicitly assigned to any admin roles within that Administrative Unit.

[Screenshot: Entra ID user Password reset Test-Case-4]


Test Case 5: The Global Administrator of the tenant attempts to reset the password for a user in the UAE-Executive Accounts, which is not configured as a Restricted Management Administrative Unit.

The screenshot below demonstrates that we can successfully reset the password of a user in an Administrative Unit that is not configured as a Restricted Management unit, using tenant-level privileges, even if the account is not directly assigned to roles within that Administrative Unit.

[Screenshot: Entra ID user Password reset Test-Case-5]

Pro Tip

To protect your emergency access (Break Glass account) from accidental modification or deletion, you can leverage Restricted Management Administrative Units without assigning any roles. If modifications to the emergency access account are necessary, such as updating its properties or resetting its password, a Global Administrator or Privileged Role Administrator can temporarily remove the account from the Restricted Management Administrative Unit, make the required changes, and then reassign the account to the same Administrative Unit. All these actions can be closely monitored and audited for transparency and compliance.

The image below illustrates the protection of the Emergency Access account using a Restricted Management Administrative Unit.

[Screenshot: Creating Restricted management administrative unit]

The image below shows an attempt to delete the Emergency Access account, which is protected by a Restricted Management Administrative Unit, using the Tenant Global Administrator.

[Screenshot: Entra ID Account Delete Operation]

The image below demonstrates that the account's edit properties are restricted, as it is protected by a Restricted Management Administrative Unit, even when accessed by the Tenant Global Administrator.

[Screenshot: Entra ID Account Properties]
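A periodic check for the protection described in the Pro Tip, as an added example that is not part of the original post: it confirms the emergency access account is a member of a restricted management administrative unit that carries no scoped role assignments, and lists recent audit events on the account that mention an administrative unit (the temporary remove-and-reassign steps above). The break-glass UPN is a placeholder, and the audit-log activity names are matched loosely with a wildcard because their exact wording is not taken from the page.

```powershell
# Added example (not from the original post). Read-only Graph scopes are enough for this check.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

$breakGlassUpn = "breakglass@contoso.example"   # placeholder
$bg = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"

# memberOf returns groups, directory roles and administrative units; keep only the units.
$units = Get-MgUserMemberOf -UserId $bg.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.administrativeUnit' }

$protected = $false
foreach ($m in $units) {
    $au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $m.Id -Property "displayName,isMemberManagementRestricted"
    if (-not $au.IsMemberManagementRestricted) { continue }   # a regular AU adds no protection
    # Any assignment scoped to this unit re-opens the account to that administrator;
    # the Pro Tip relies on there being none.
    $scoped = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'")
    "$($au.DisplayName): restricted, $($scoped.Count) scoped role assignment(s)"
    if ($scoped.Count -eq 0) { $protected = $true }
}
if (-not $protected) {
    Write-Warning "$breakGlassUpn is not protected by a role-free restricted management administrative unit"
}

# Membership changes on the unit are the events to alert on: the account is only exposed
# while it has been removed for maintenance. Pull the last 7 days of audit events that target it.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since and targetResources/any(t:t/id eq '$($bg.Id)')" -All |
    Where-Object { $_.ActivityDisplayName -like '*administrative unit*' } |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ Name = 'Actor'; Expression = { $_.InitiatedBy.User.UserPrincipalName } }
```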

Conclusion

Restricted Management Administrative Units in Microsoft Entra ID are an effective way to secure and manage critical resources within an organization. By restricting administrative access to specific objects and assigning roles with clearly defined scopes, they help protect sensitive accounts, ensure compliance, and prevent unauthorized or accidental changes.

This feature is particularly valuable for protecting executive accounts, emergency access accounts, or implementing region-specific controls. By using Restricted Management Administrative Units, organizations can maintain strict control over who can manage their most important resources, providing both security and accountability.

Incorporating these units into your identity management practices ensures a more secure and well-structured environment, giving you the confidence that your critical resources are in trusted hands.
