1
votes

I have created some limited administrators in my Azure Active Directory. These should only be able to manage certain users. For this I added the users that should be managed to an administrative unit and gave the administrators the "User Administrator" role for the administrative unit. They can now edit/manage all aspects of the users as intended. However, they cannot delete the users.

This should be possible. Here is the description of the user administrator role from Microsoft:

"Users with this role can create and manage all aspects of users and groups. Additionally, this role includes the ability to manage support tickets and monitors service health. Some restrictions apply. For example, this role does not allow deleting a global administrator. User account administrators can change passwords for users, helpdesk administrators, and other user account administrators only".

The users in the administrative unit are of course not administrators.

If I assign the administrators the "user administrator" role for the whole AAD tenant, then they can delete users.

Here Microsoft also clearly describes that with this role you should have the right to delete users: https://docs.microsoft.com/de-de/azure/active-directory/roles/permissions-reference#user-administrator

Does anyone understand why this role does not work properly anymore if you assign it to an administrative unit?

Thanks in advance

2
If the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions. See: meta.stackexchange.com/questions/5234/… (Carl Zhao)

Hi, did this solve your problem? (Carl Zhao)

2 Answers

1
votes

The user administrator in an Administrative unit can manage all aspects of users and groups, and of course it also includes removing users from the Administrative unit.


However, it cannot delete the user within the scope of the tenant, because the user is created within the scope of the tenant, but the scope of the granted user administrator is limited to one or more Administrative units.

In addition, you only added the user in the Administrative unit instead of creating the user in the Administrative unit, so you definitely cannot delete the user in the tenant scope. Therefore, if you want to delete the user in the tenant scope, you can only grant the user the user administrator role within the tenant scope.
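To check which scope a given admin's "User Administrator" assignment actually carries (tenant-wide "/" versus "/administrativeUnits/<id>"), here is an added audit script using the Microsoft Graph PowerShell SDK; it is not from the question or the answer, and the UPN is a constructed placeholder.

```powershell
# Added example: report the directory scope of each User Administrator
# assignment held by one admin, and list the members of any administrative
# unit that scope points at. Read-only Graph permissions are sufficient.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AdministrativeUnit.Read.All"

$adminUpn = "scoped-admin@contoso.example"   # placeholder, replace with the admin to audit
$admin = Get-MgUser -UserId $adminUpn

# Resolve the built-in role by display name instead of hardcoding its template ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# All direct role assignments for this principal, then keep the User Administrator ones.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }

if (-not $assignments) {
    Write-Output "No User Administrator assignment found for $adminUpn"
}

foreach ($a in $assignments) {
    if ($a.DirectoryScopeId -eq "/") {
        # Tenant-wide assignment: the scope in which user objects live.
        Write-Output "Tenant-wide User Administrator assignment"
    }
    elseif ($a.DirectoryScopeId -like "/administrativeUnits/*") {
        # AU-scoped assignment: the answer above attributes the failed delete to this narrower scope.
        $auId = $a.DirectoryScopeId.Split("/")[-1]
        $au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $auId
        Write-Output "User Administrator scoped to administrative unit '$($au.DisplayName)' ($auId)"
        Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId |
            ForEach-Object { Write-Output "  member object id: $($_.Id)" }
    }
    else {
        Write-Output "Other scope: $($a.DirectoryScopeId)"
    }
}
```

Run it as a reader with the listed permissions; an admin who shows only AU-scoped assignments here is the case the question describes.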

0
votes

You have to be a Privileged Role Administrator or Global Administrator to add or remove administrative unit members (source).

User Administrator at the Directory level is not sufficient. Custom roles might be another option.

Creating and deleting users in the Directory is a different scope.