Friday, September 27, 2024

Teams Admin Units for device management

As organizations grow, managing roles and devices efficiently becomes critical. Microsoft Entra ID’s administrative units allow for precise role assignment and scope, ensuring admins access only the necessary resources. The recent enhancement in Microsoft Teams enables device management within administrative units, allowing admins to control devices in specific regions or departments. For instance, an IT admin can now manage devices only in their assigned locations, without viewing or affecting others globally. This combination strengthens security by applying the principle of least privilege (PoLP) and simplifies device management with improved organizational efficiency. It is the first addition in the ongoing development of administrative units in Teams administration.


In the first quarter of 2024, Microsoft launched a new administrative role to assist in managing Telecom features in Teams.

Earlier this month, the next step in administrative support followed with the announcement of administrative units for device admins.

Reference Links:

Use Microsoft Teams administrator roles to manage Teams - Microsoft Teams | Microsoft Learn

Assign or list Microsoft Entra roles with administrative unit scope - Microsoft Entra ID | Microsoft Learn

Manage devices with administrative units - Microsoft Teams | Microsoft Learn

Microsoft Teams: Administrative Units for Teams Administration
We are excited to announce the availability of administrative units (AUs) for Teams administration. AUs are a way to delegate admin roles and delegate administration to a subset of users in your organization, based on attributes such as department, location, or business unit. With AUs, you can create more granular and flexible management scenarios for your Teams environment. You can assign the following roles, allowing them to manage only the users, groups & devices within their AU:
  • Teams Administrator
  • Teams Device Administrator
  • Teams Communication Administrator
  • Teams Communication Support Engineer
  • Teams Communication Support Specialist
  • Teams Telephony Administrator

  • Feature ID: 402186
  • Added to roadmap: 6/26/2024
  • Last modified: 8/6/2024
  • Product(s): Microsoft Teams
  • Cloud instance(s): Worldwide (Standard Multi-Tenant)
  • Platform(s): Desktop, iOS, Android, Mac
  • Release phase(s): General Availability

Let's take a closer look:

Global admins can create administrative units to segregate Teams device management across the enterprise. Following the documentation links above, start in Entra ID and create an admin unit.




With no user devices assigned to the scope of the Admin Unit, Lee (our device admin) can access the Teams Admin Center and view the device menus, yet no devices are visible. This is where I needed to do some investigation ... do we add the user account that accesses the device or just the Entra ID device itself? The documentation wasn't explicitly clear here, so I hope this post helps.




Once I added the device's user account to the membership, the scoped admin unit rules took effect and we are able to see the devices just for that admin unit, as shown below for Lee.



and an MTR just to be thorough.

For reference - Adele is a Device Admin with a non-scoped permanent role assignment and is able to see the entire estate of devices.
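The same setup can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original walkthrough: it creates the admin unit, adds the device sign-in accounts as members, assigns the role at AU scope, and then lists every active holder of the role with its scope. The AU name and all UPNs are placeholders, and the role is looked up by its Entra display name, "Teams Devices Administrator".

```powershell
# Added example. All names and UPNs below are placeholders (assumptions).
$AuName         = 'Teams Devices - Example Site'
$AdminUpn       = 'lee@contoso.example'            # admin to be scoped to the AU
$DeviceAcctUpns = @('mtr-room1@contoso.example',   # accounts signed in on the devices
                    'phone-lobby@contoso.example')

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# 1. Create the administrative unit in Entra ID.
$au = New-MgDirectoryAdministrativeUnit -DisplayName $AuName `
        -Description 'Scope for Teams device administration'

# 2. Add the device *user accounts* as members. As the post found, it is the
#    account signed in on the device, not the Entra device object, that
#    brings the device into the scoped admin's view.
foreach ($upn in $DeviceAcctUpns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
    }
}

# 3. Assign the role with the AU as its directory scope.
#    Entra display name of the role the post calls "Teams Device Administrator".
$role = Get-MgRoleManagementDirectoryRoleDefinition `
          -Filter "displayName eq 'Teams Devices Administrator'"
if (-not $role) { throw 'Role definition not found; check the display name.' }

$admin = Get-MgUser -UserId $AdminUpn -ErrorAction Stop
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

# 4. Least-privilege check: list every active assignment of the role.
#    A DirectoryScopeId of '/' means tenant-wide (like Adele in the post).
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    Select-Object PrincipalId,
        @{ Name = 'Scope'; Expression = {
            if ($_.DirectoryScopeId -eq '/') { 'Tenant-wide' } else { $_.DirectoryScopeId }
        } } |
    Sort-Object Scope |
    Format-Table -AutoSize
```

Step 4 lists active role assignments only; assignments that are eligible through Privileged Identity Management but not activated do not appear in it.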



Hope this post helps get you started with Admin Units for Teams device administration.





