What’s an Azure AD administrative unit?

Hi again,

As part of any complex Intune deployment, RBAC is part of the architecture, the planning, and many ideation sessions.

This post covers why AAD AUs (Azure AD administrative units) are important.

If you’re planning to delegate access to Intune (https://endpoint.microsoft.com/) to a Global Service Desk, Global IT teams, or Local IT teams, you should consider leveraging AAD AUs as part of your deployment for:

  • segregating users, groups, and devices
  • retrieving the BitLocker recovery key in Intune

An AAD AU alongside a custom role within “Cloud Device Administrator” is a requirement if your delegated Intune admins need access to BitLocker recovery keys for Windows 10/11 device management. Otherwise, retrieving the key fails from the Microsoft Intune admin center \ Devices \ Windows pane.

Complexity

If you have a HAADJ (Hybrid Azure AD joined) scenario, be aware of the need for continuous device cleanup and for a way to identify devices by LocationID, business unit, vertical, etc.

There’s a known issue with HAADJ devices when you have two devices in AAD with the same name (from Autopilot): one device entry is shown as HAADJ with MDM = None, and the other is shown as AADJ with MDM = Intune. In this case, if you’re using AD DS synced security groups for device management, you’ll have issues using these security groups for Intune assignments: OS updates, upgrades, application deployments, configuration settings, and scope tags in Intune will fail for some devices due to device mismatching.

HAADJ device => MDM = None => assignment error

AADJ device => MDM = Intune => assignment error (for AD DS synced security groups, where the HAADJ object is the one managed in local AD)

HAADJ device => MDM = Intune => no assignment error

A workaround would be automation that identifies devices by name that are HAADJ and AADJ where MDM = Intune is true, then adds the device object ID to the targeted groups in use for Intune assignments.
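As an added example (not from the original post), one way to implement that workaround with the Microsoft Graph PowerShell SDK: it groups Windows device objects by display name, and for each duplicated name adds the entry Intune actually manages to an assignment group. It assumes the target group is cloud-only (membership of AD DS synced groups cannot be edited in Azure AD), that the group ID below is replaced with your own, and that the well-known Intune MDM app ID is used to detect MDM = Intune.

```powershell
# Added example, not the post's own code. Requires Microsoft.Graph (Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups).
Connect-MgGraph -Scopes 'Device.Read.All', 'GroupMember.ReadWrite.All'

$TargetGroupId  = '00000000-0000-0000-0000-000000000000'  # PLACEHOLDER: cloud-only group used in Intune assignments
$IntuneMdmAppId = '0000000a-0000-0000-c000-000000000000'  # assumption: well-known app ID of Microsoft Intune MDM

# Pull every Windows device object with only the properties the reconciliation needs.
$devices = Get-MgDevice -All -Filter "operatingSystem eq 'Windows'" `
    -Property Id, DisplayName, TrustType, MdmAppId, ApproximateLastSignInDateTime

# Duplicate names are the mismatch case from the post: keep the entry where MDM = Intune,
# whether its trust type is ServerAd (HAADJ) or AzureAd (AADJ). Prefer the most recent sign-in
# if more than one managed entry exists.
$toAdd = foreach ($g in ($devices | Group-Object DisplayName | Where-Object Count -gt 1)) {
    $g.Group |
        Where-Object { $_.MdmAppId -eq $IntuneMdmAppId } |
        Sort-Object ApproximateLastSignInDateTime -Descending |
        Select-Object -First 1
}

# Make the run idempotent: skip objects that are already members.
$existing = @((Get-MgGroupMember -GroupId $TargetGroupId -All).Id)

foreach ($d in $toAdd) {
    if ($existing -contains $d.Id) { continue }
    Write-Host "Adding $($d.DisplayName) [$($d.TrustType), MDM = Intune] objectId $($d.Id) to group $TargetGroupId"
    New-MgGroupMember -GroupId $TargetGroupId -DirectoryObjectId $d.Id
}
```

Run it on a schedule (for example from an Azure Automation runbook) so newly enrolled duplicates are picked up; the HAADJ entries with MDM = None are left untouched for your device cleanup process.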

How to retrieve BitLocker recovery key

https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/bitlocker-recovery-keys

https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan

AAD AU limits

https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions?context=%2Fazure%2Factive-directory%2Froles%2Fcontext%2Fugr-context

Cheers,

Thiago Beier
Toronto, Canada
