Using Administrative Units for Devices in Teams Admin Center

What is it?

The scoped Teams device administration role enables you to restrict device administration in Teams Admin Center to specific users by using administrative units. For example, you could allow local IT in a site to manage their local devices and users. Previously, Teams device administrators would see all devices from all sites, so this is a nice addition for sure.

This leverages the use of Azure AD Administrative Units so that you can allow specific Teams Device administrators the ability to manage specific devices and users.

So let's take a look at the doc article first:

https://docs.microsoft.com/en-us/microsoftteams/administrative-unit

One key point to note from the doc article is:

You can only use administrative units in the Teams admin center with the Teams devices administrator role.

Create an administrative Unit

Following the Microsoft doc, let's first create our administrative unit:

https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage#add-an-administrative-unit

First off, there are some prerequisites to look over before we start, so make sure you have the required licences. An administrative unit administrator needs Azure AD P1 or P2, but members of the administrative unit are covered under Azure AD Free licences, as I read it.

You need to be a global admin to add administrative units.

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • Privileged Role Administrator or Global Administrator
  • Azure AD module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

Head over to the Azure AD admin center and go to Manage > Administrative Units

Click Add

Enter Name and Description

Click Next: Assign roles at the bottom

Assign Administrative Role to Administrative Unit

So here I get the option to add administrative roles to the administrative unit. I'm going to select Teams devices administrator.

Now it asks me to add assignments, so I'll select Adele, as she is local IT in London and I want her to be able to manage Teams devices only for London.

Click Next: Review + create

Click Create

I now have the London Administrator Unit

Assign your Teams users and groups to Administrative Units

At first I struggled to find how to add devices to an administrative unit. Then I asked the king of devices, Michael Tressler, who mentioned you need to add users to the administrative units for them to display in Teams Admin Center, so let's go.

Adding Users

So to add a user into the administrative unit, click Add member and select the person's name or the device account that you will manage.
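The same three steps (create the unit, assign the scoped Teams devices administrator role, add members directly) can also be scripted with the Azure AD PowerShell module listed in the prerequisites. This is an added example, not part of the original walkthrough: the unit name, description and UPNs are placeholders, and the role display name is assumed to be "Teams Devices Administrator" in your tenant.

```powershell
# Added example. Run as Privileged Role Administrator or Global Administrator.
Import-Module AzureAD
Connect-AzureAD

$auName     = 'London'                          # placeholder unit name
$adminUpn   = 'adele@contoso.example'           # placeholder: local IT admin
$memberUpns = @('alex@contoso.example',         # placeholders: users and room/device
                'confroom@contoso.example')     # accounts to place in the unit
$roleName   = 'Teams Devices Administrator'     # assumed role display name

# 1. Create the administrative unit, or reuse it if it already exists.
$au = Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$auName'"
if (-not $au) {
    $au = New-AzureADMSAdministrativeUnit -DisplayName $auName `
        -Description 'Teams devices managed by London local IT'
}

# 2. Get-AzureADDirectoryRole only lists activated roles, so activate the
#    role from its template first if it has never been used in the tenant.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -EQ $roleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -EQ $roleName
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
    $role = Get-AzureADDirectoryRole | Where-Object DisplayName -EQ $roleName
}

# 3. Assign the role to the admin, scoped to this unit only.
$admin = Get-AzureADUser -Filter "userPrincipalName eq '$adminUpn'"
$roleMember = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$roleMember.Id = $admin.ObjectId
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $roleMember

# 4. Add user and device accounts directly to the unit (not through a group).
foreach ($upn in $memberUpns) {
    $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# 5. Review the result: scoped admins, unit members, and whether the admin
#    also holds the role tenant-wide, which would bypass the scoping.
Get-AzureADMSScopedRoleMembership -Id $au.Id |
    ForEach-Object { $_.RoleMemberInfo } | Select-Object DisplayName, Id
Get-AzureADMSAdministrativeUnitMember -Id $au.Id
$tenantWide = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($tenantWide.ObjectId -contains $admin.ObjectId) {
    Write-Warning "$adminUpn also holds $roleName tenant-wide; the unit scope will not restrict them."
}
```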

Teams Admin Center View

If we go to Teams Admin centre as Adele, we should see the Yealink phone that Alex Wilber is using and only be able to manage devices. Let's look.

The first thing I noticed signing in is that the administrative unit is working, and so is the Teams Device administrator role, as Adele can only see devices in the Teams admin center.

Adele only sees Alex’s phone 🙂

Let's try with a room account. I added the Conf room sweepers account to the administrative unit.

I also added a room account for a Surface Hub and here you go, only that hub appeared for London Administrator unit.

Switching Administrative Units

If you're a member of more than one unit, you can switch by clicking the administrative unit name and switching like this:

Select the unit you want to switch to and click save.

If your administrative unit doesn’t display in Teams Admin center

Make sure the Teams Device administrator role is assigned to a user in the administrative unit. This caught me out as I forgot to do this.

Adding Groups to Administrative units

It seems at the moment that although you can create a group, assign it to an administrative unit and add your user and device accounts, these don’t show in Teams admin center. Well, it didn't for me 😦

I tried manually assigning device and user accounts to groups and using dynamic groups but no devices appeared in TAC.

The only way users or devices appeared in TAC for me was to add the user and device accounts directly into the administrative unit. Groups didn't work at all.

I tried and waited over a day and nothing appeared, so I'm either doing it wrong or using groups assigned to administrative units isn’t there in TAC yet.

I'll see what I can find out and will update if I get any news.

References

https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units

https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-members-add

https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage#add-an-administrative-unit
