**🧪 Facsimile Project: Department Delegation with Administrative Units**

**🎯 Objective**
Demonstrate how Microsoft Entra Administrative Units (AUs) can be used to decentralize identity management. Simulate scoped role assignments using built-in roles—Password Administrator, User Administrator, and Authentication Policy Administrator—to understand how delegated permissions behave across departmental boundaries, including multi-AU edge cases.

**🧱 Simulated Organization Setup**
🏢 Departments
HR
Sales
IT

**👥 Test Users**
hr.user1@contoso.com
sales.user1@contoso.com
it.user1@contoso.com
shared.user@contoso.com (belongs to both HR and Sales)

**🧑‍🤝‍🧑 Groups (optional layer)**
HR-Team
Sales-Team
IT-Team

**🔧 Simulated Actions and Screens**
**1. Create Administrative Units (AUs)**
Microsoft Entra Portal → Identity → Administrative units → + New administrative unit
Create:

AU: HR Department
AU: Sales Department
AU: IT Department

**2. Assign Members to AUs**
AU > Select > Members → + Add member

Assignments:
hr.user1 → HR Department
sales.user1 → Sales Department
it.user1 → IT Department
shared.user → HR Department + Sales Department

**3. Delegate Scoped Roles at the AU Level**
AU > Roles and administrators → Assign Role
Simulate assignment of:

Password Administrator to manager.hr@contoso.com scoped to HR Department

User Administrator to manager.sales@contoso.com scoped to Sales Department

Authentication Policy Administrator to manager.it@contoso.com scoped to IT Department

**🔐 Password Administrator**
Primary Use Case: Limited credential recovery support without broader user management privileges.

Key Capabilities:

Reset passwords for non-administrators (standard users only).

Force password change at next sign-in.

View users in scope (if AU-scoped).

Limitations:

Cannot reset passwords for administrators or privileged roles.

Cannot modify user profile details or group memberships.

Limited visibility to users only within the assigned scope (e.g., HR AU).

SC-300 Test-Relevant Point:
Ideal for delegated helpdesk functions — scoped safely using AUs to limit risk.

**👤 User Administrator**
Primary Use Case: General user account and group management at the directory or AU level.

Key Capabilities:

Create and manage user accounts.

Reset passwords for both standard and administrative users.

Assign or remove users from groups.

Update user properties and directory role assignments (within scope).

Invite external users (B2B).

Limitations:

Cannot manage Conditional Access or authentication policies.

Cannot elevate users to Global Administrator.

SC-300 Test-Relevant Point:
Used when AU-based decentralization of full user lifecycle tasks is required.

**🔧 Authentication Policy Administrator**
Primary Use Case: Management of user sign-in behavior and authentication methods.

Key Capabilities:

Manage:

Password protection policies

Authentication method policies (e.g., enable/disable MFA options)

Authentication strength settings

View and configure registration enforcement settings.

Limitations:

Cannot modify user accounts directly.

Cannot reset passwords or manage groups.

Scoped to users via AUs; only users in scope appear in policy interfaces.

SC-300 Test-Relevant Point:
Role becomes increasingly relevant when passwordless, MFA, or registration policy enforcement is scoped to specific teams or departments.

✅ These three roles are among the most commonly used built-in roles in Microsoft Entra ID (formerly Azure AD), especially in delegated administration scenarios using:
Administrative Units (AUs)

Tiered IT support models

Scoped access for helpdesk, HR, or IT teams

**🔎 Why These Roles Matter in Practice and on the SC-300:**

**Password Administrator**

This is the most basic delegated support role.

It allows front-line IT or HR to assist with user password resets without risking exposure to broader directory configuration.

Often the first role scoped to AUs in decentralized environments.

**User Administrator**

Offers broad control over users and groups, suitable for departmental IT leads or power users.

Delegated per AU or globally, depending on how much trust is granted.

Also comes up frequently in B2B (guest access) and lifecycle management.

**Authentication Policy Administrator**

Critical in environments where MFA, passwordless sign-in, or Conditional Access enforcement is evolving.

Often used centrally by identity security teams, but can be scoped via AUs in larger orgs.

Its use is increasing with Microsoft’s shift toward identity-driven Zero Trust.

**🧠 Summary Insight:**
These roles represent tiered levels of access that map directly to real-world operational patterns:

**Support ➝ Password Administrator**

**Ops ➝ User Administrator**

**Security/Identity ➝ Authentication Policy Administrator**

**4. Test Scope Boundaries**
Explore how role scoping affects management:

**Scenario	Expected Outcome**
manager.hr resets hr.user1 password	✅ Success
manager.hr resets sales.user1 password	❌ Not permitted
manager.sales manages shared.user	✅ Can manage shared.user, but only HR-scoped properties
manager.it manages shared.user	❌ Not permitted

**Scenario 1: Manager.HR resets HR.User1 password**
Expected Outcome: Permitted

Why and How:

Manager.HR is assigned the Password Administrator role scoped to the HR AU.

HR.User1 is a member of the HR AU, so the role applies.

When Manager.HR opens the Microsoft Entra portal:

They navigate to Users > HR.User1.

The "Reset Password" button is available and functional.

No access errors occur because scoping aligns.

**Scenario 2: Manager.HR attempts to reset Sales.User1 password**
Expected Outcome: Not Permitted

Why and How:

Sales.User1 is in the Sales AU, not in the HR AU.

Manager.HR’s role does not extend beyond the HR AU.

In the portal:

If Manager.HR searches for Sales.User1, they will not see the user in the directory.

Even if accessed indirectly (e.g., via group membership), action buttons like “Reset Password” are missing or greyed out.

**Attempting REST API calls with Graph Explorer would return a 403 Forbidden error unless scope includes Sales AU.**

**Scenario 3: Manager.Sales manages Share.User**
(Share.User is assigned to both Sales and HR AUs)

Expected Outcome: Permitted, but only within the Sales AU context

Why and How:

Manager.Sales holds User Administrator scoped to the Sales AU.

Share.User is multi-scoped (in both Sales and HR AUs).

Microsoft Entra scoping rules apply "scope filtering", meaning:

Manager.Sales can:

View Share.User in the portal.

Modify attributes that are not AU-exclusive (e.g., general profile settings).

Reset passwords only if User Administrator grants that right (which it does).

Cannot:

Assign Share.User to groups outside the Sales AU.

Edit AU-specific policies if restricted to HR.

⚠️ Clarification on confusing prior statement:
Previous note saying “can manage only HR scoped properties” was incorrect/confusing.
The correct logic is: Manager.Sales can manage Sales AU–scoped access only.
They do not see or control any access tied to the HR AU.

**Scenario 4: Manager.IT manages Share.User**
Expected Outcome: Not Permitted

Why and How:

Manager.IT is scoped to the IT AU, and Share.User is not in IT AU.

The role is Authentication Policy Administrator, which:

Only manages conditional access policies, authentication methods, etc.

Requires user visibility to function — and AU scoping prevents that visibility here.

In the portal:

Share.User does not appear in directory search.

Role-related settings (like enforcing MFA) are not applicable to users outside the scope.

Attempting to browse policy interfaces yields no editable user list.

**Summary Learning Points:**
Role scope visibility is enforced in the Entra portal UI and API calls.

Multi-AU users are visible to all scoped admins, but editable attributes depend on admin role + AU scope.

Built-in roles behave differently based on whether they target user management (e.g., reset password) or policy management (e.g., conditional access).

Test environment simulation is critical to building intuition about real-world delegation and isolation in large organizations.



**🔍 Reflections and Concepts**
**🧠 Key Learnings**
Microsoft Entra built-in roles behave differently depending on their function—password resets, user lifecycle management, or policy control—and AU scope strictly governs their reach.

A user assigned to multiple AUs is visible and partially manageable by admins scoped to any of those units, but only within the role’s allowed actions and the AU’s boundary.

Password Administrator is a minimal risk role for frontline support; User Administrator enables deeper account and group changes; Authentication Policy Administrator governs how users authenticate—but requires scoped visibility to take effect.

This project mirrors real-world delegation needs in large organizations, where departments require autonomy without compromising security or overprovisioning.

Understanding the interaction between role type and AU scope is foundational to mastering Microsoft Entra identity management and performing well on SC-300.

**⚠️ AU Limitations**
No nesting: AUs do not support hierarchy.

No inheritance: A tenant-wide role overrides AU limitations.

Role scoping is strict: Only affects users inside the AU — groups and devices are not in scope unless explicitly added.

