Restricted Management Administrative Units (RMAUs) in Microsoft Entra ID provide a secure way to isolate and protect sensitive users, devices, and security groups. When you enable restricted management, even tenant-wide roles like Global Administrator lose the ability to modify those objects unless a role has been explicitly assigned with that Administrative Unit (AU) as its scope. This feature prevents accidental or malicious changes to high-value accounts.
RMAUs should be part of every organisation’s identity governance strategy. They go beyond standard Administrative Units by enforcing hard boundaries between administrators and the resources they manage.
Key Reasons to Implement
Reduce insider risk: Prevent unintended or malicious admin actions on sensitive accounts.
Maintain operational separation: Allow regional IT teams or specific departments to manage their own users without overlapping responsibilities.
Enhance compliance and auditing: Ideal for regulated sectors where admin access must be demonstrably limited.
Protect emergency or break-glass accounts: Stop other admins from tampering with high-privilege or recovery accounts.
Support zero-trust administration: Enforce that every admin must be explicitly scoped before gaining access.
RMAUs are one of the few Entra features that even a Global Administrator cannot override unless they have been granted a role scoped to that specific AU.
Licensing Requirements
Each administrator managing an RMAU must have at least Microsoft Entra ID P1. The users, devices, or groups inside the RMAU can remain on the free tier.
How to Create a Restricted Management Administrative Unit
Go to Roles & administrators > Administrative units.
Create a New Administrative Unit
Select + Add to create a new AU. Name it something descriptive, such as Executive Protection AU. Under Restricted management administrative unit, set this option to Yes.
Assign Scoped Admin Roles
Select the Roles and administrators tab within the AU > click + Add assignment. Choose a role such as User Administrator and assign it to a specific admin account.
Test Restricted Access
Sign in with a Global Administrator account that holds no role scoped to the AU.
Add the members to the AU (adding and removing members is still a tenant-level Global Administrator or Privileged Role Administrator action), then try to modify, or reset the password of, a user inside the RMAU.
You’ll see an error message similar to:
“This user is a member of a restricted management administrative unit. Management rights are limited to administrators scoped on that administrative unit.”
Validate Audit Logs
Go to Monitoring & health > Audit logs. Filter by category AdministrativeUnit (creation of the AU and membership changes) or RoleManagement (scoped role assignments) to see who created and modified the AU.
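The whole procedure above, end to end, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original post). It assumes the placeholder names Executive Protection AU, secops-admin@contoso.example and ceo@contoso.example, that the Microsoft.Graph modules are installed, and that you sign in as a Global Administrator or Privileged Role Administrator, because creating the AU and adding members require that.

```powershell
# Added example, not from the original post. Placeholder names are assumptions.
# Requires the Microsoft.Graph modules (Authentication, Identity.DirectoryManagement,
# Identity.Governance, Users, Reports). Sign in as Global Administrator or
# Privileged Role Administrator: creating the AU and changing its membership need that.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.ReadWrite.All',
                        'AuditLog.Read.All'

$AuName        = 'Executive Protection AU'        # assumed
$ScopedAdmin   = 'secops-admin@contoso.example'   # assumed: the only admin who should manage members
$ProtectedUser = 'ceo@contoso.example'            # assumed: account to protect

# 1. Create the AU with restricted management on. isMemberManagementRestricted is fixed at creation.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = $AuName
    description                  = 'Leadership accounts; managed only by admins scoped to this AU'
    isMemberManagementRestricted = $true
}

# 2. Assign User Administrator scoped to this AU only (directoryScopeId = /administrativeUnits/<id>).
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin   = Get-MgUser -UserId $ScopedAdmin
$null = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $admin.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 3. Add the protected user. Membership changes stay a tenant-level GA/PRA action.
$user = Get-MgUser -UserId $ProtectedUser
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
}

# 4. Test from the same (unscoped) Global Administrator session: a harmless attribute
#    update must now be refused with the "restricted management administrative unit" error.
try {
    Update-MgUser -UserId $user.Id -JobTitle 'RMAU probe' -ErrorAction Stop
    Write-Warning 'Update succeeded: the restriction is NOT in effect for this account.'
}
catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

# 5. Audit trail: AU creation and membership changes land under category AdministrativeUnit,
#    the scoped role assignment under RoleManagement. Keep the entries that touch our AU or admin.
foreach ($category in 'AdministrativeUnit', 'RoleManagement') {
    Get-MgAuditLogDirectoryAudit -Filter "category eq '$category'" -Top 50 |
        Where-Object { $_.TargetResources.Id -contains $au.Id -or $_.TargetResources.Id -contains $admin.Id } |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
                      @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }
}
```

Step 4 is the check that matters: if the update goes through, the account you are testing with holds a role scoped to the AU (or the object was never added), and the protection you think you have is not there. Run it from a second, unscoped admin session rather than from the scoped admin account.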
Objects Supported by RMAUs
Object type | Supported | Notes
Users | Yes | Can restrict password resets and edits
Devices | Yes | Useful for Privileged Access Workstations
Security groups | Yes | For role-assignable groups only
Microsoft 365 / distribution groups | No | Not supported
Limitations
Once created, a restricted AU cannot be converted to an unrestricted one (or vice versa); the setting is fixed at creation.
Nested RMAUs are not supported.
Dynamic membership rules are not supported; members must be added explicitly.
Creating or deleting an RMAU and adding or removing its members still require a tenant-level Global Administrator or Privileged Role Administrator. An object is protected only while it is a member, so membership changes on an RMAU are themselves security-relevant events worth alerting on.
Some governance tools such as Access Reviews, PIM, and Entitlement Management do not yet fully support RMAUs.
Only administrators holding a role scoped to that AU can modify the member objects; tenant-wide roles are ignored for those objects.
Deletion of an RMAU may take up to 30 minutes before restrictions lift.
Imagine a large academy trust or business with multiple departments. The IT team needs to protect leadership accounts, HR staff, and finance groups from being changed by local admins.
You could:
Create an AU named Senior Leadership RMAU.
Add all leadership user accounts and a security group used for payroll systems.
Assign only the Security Team Admins group as scoped administrators for that AU.
Leave other admins to manage day-to-day accounts outside this AU.
Now, if someone from the helpdesk attempts to modify one of those protected users, even if they have a tenant-wide admin role, the action will fail.
This ensures high-value accounts remain secure, while normal admin functions continue unaffected elsewhere in the tenant.
RMAUs help enforce true administrative boundaries in your tenant. They’re particularly effective when combined with:
Privileged Identity Management (PIM) – to control when scoped admins can activate roles.
Audit Logs – for visibility of blocked actions and scope assignments.
Conditional Access – to ensure admins managing these AUs sign in from compliant or secured devices.
For IT teams managing hybrid or multi-school environments, RMAUs provide accountability, reduce risk, and simplify compliance reporting.
Do Global Administrators really lose access to RMAU objects?
Yes. Global Admins cannot modify, delete, or reset passwords for objects in an RMAU unless explicitly assigned a scoped role inside that AU. They can still create and delete the AU itself and change its membership.
Can I move users or devices between restricted and unrestricted AUs?
Yes, but adding or removing members of a restricted AU requires a tenant-level Global Administrator or Privileged Role Administrator. An object is protected only while it is a member: removing it from the RMAU (for example to move it to another AU) exposes it to tenant-wide roles again until it is re-added.
Do RMAUs affect Intune device policies or Conditional Access?
No. RMAUs limit administrative actions, not policy application. Devices inside an RMAU still receive policies and configurations normally.
Can I use RMAUs with automation or Graph API scripts?
Yes. Microsoft Graph supports creating RMAUs (the isMemberManagementRestricted property on administrativeUnit), scoped role assignments (a directoryScopeId of /administrativeUnits/{id}) and membership operations. Any automated process that needs to change objects inside an RMAU must run as a user or service principal that holds a role scoped to that specific AU; a tenant-wide role on the automation identity is not enough.
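A pre-flight check for scripted changes, as an added example (not code from the original post): before an automation touches a user, it works out whether that user sits in an RMAU and whether the identity running the script holds a role scoped to that AU, directly or through a group. It assumes the Microsoft.Graph modules and calls three Graph endpoints directly (the memberOf cast to administrativeUnit, directoryObjects/getByIds and checkMemberGroups); the UPN at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes 'Directory.Read.All', 'RoleManagement.Read.Directory'

function Test-RmauAccess {
    <#
      Returns one object per RMAU the target belongs to (or a single row if it belongs to none),
      saying whether $ActorId holds a role scoped to that RMAU. Tenant-wide roles are
      deliberately ignored: for RMAU members they do not grant write access.
    #>
    param(
        [Parameter(Mandatory)] [string] $TargetUser,  # object id or UPN of the user to be changed
        [Parameter(Mandatory)] [string] $ActorId      # object id of the user or service principal running the job
    )

    $user = Get-MgUser -UserId $TargetUser

    # OData cast: only the administrativeUnit entries of memberOf, with the restriction flag.
    $uri   = "v1.0/users/$($user.Id)/memberOf/microsoft.graph.administrativeUnit" +
             '?$select=id,displayName,isMemberManagementRestricted'
    $rmaus = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value |
               Where-Object { $_.isMemberManagementRestricted -eq $true })

    if ($rmaus.Count -eq 0) {
        return [pscustomobject]@{ User = $user.UserPrincipalName; Rmau = $null; Allowed = $true
                                  Via = 'not in an RMAU; tenant-wide roles apply' }
    }

    foreach ($au in $rmaus) {
        # Active role assignments whose scope is exactly this AU (PIM-eligible ones are not listed here).
        $scoped     = Get-MgRoleManagementDirectoryRoleAssignment -All `
                        -Filter "directoryScopeId eq '/administrativeUnits/$($au.id)'"
        $principals = @($scoped.PrincipalId | Select-Object -Unique)
        $via        = $null

        if ($principals -contains $ActorId) {
            $via = 'direct AU-scoped role'
        }
        elseif ($principals.Count -gt 0) {
            # The role may be assigned to a group: keep only the principals that are groups
            # and ask Graph whether the actor is a (transitive) member of any of them.
            $groups = (Invoke-MgGraphRequest -Method POST -Uri 'v1.0/directoryObjects/getByIds' `
                         -Body @{ ids = $principals; types = @('group') }).value
            if ($groups) {
                $hit = (Invoke-MgGraphRequest -Method POST `
                          -Uri "v1.0/directoryObjects/$ActorId/checkMemberGroups" `
                          -Body @{ groupIds = @($groups.id) }).value
                if ($hit) { $via = 'AU-scoped role via group membership' }
            }
        }

        [pscustomobject]@{
            User    = $user.UserPrincipalName
            Rmau    = $au.displayName
            Allowed = [bool]$via
            Via     = if ($via) { $via } else { 'none: tenant-wide roles are ignored for RMAU members' }
        }
    }
}

# Usage in a delegated session: check the signed-in account against a protected user.
$me = Get-MgUser -UserId (Get-MgContext).Account
Test-RmauAccess -TargetUser 'ceo@contoso.example' -ActorId $me.Id   # assumed UPN
```

For an app-only job, pass the service principal's object id as -ActorId instead of resolving (Get-MgContext).Account. Because only active assignments are returned, a scoped role that the actor holds through PIM eligibility shows as "none" until it is activated, which is the behaviour you want the check to report.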
Restricted Management Administrative Units bring a genuine shift in how Entra administrators handle sensitive identities. By implementing RMAUs, you create a separation between “who can manage” and “who owns the data”, aligning perfectly with zero-trust principles.