How to Set Up Administrative Units and Use the My Staff Portal in Microsoft Entra ID

Delegate Password Resets Securely in Microsoft Entra ID with Administrative Units and My Staff

Setting Up Administrative Units and Using the My Staff Portal in Microsoft Entra ID

Did you know that with just a few clicks, you can delegate the power to reset passwords for specific users or entire groups—without granting full administrative control? Imagine a Head of Year managing password resets for Year 11 students while staying completely hands-off with other year groups.

Microsoft Entra ID’s Administrative Units and the My Staff portal make this possible. Whether you’re a school, a business, or any organisation, this feature ensures that tasks like password resets are quick, secure, and limited to only the people who need access.

Don’t Forget to Check Out Control Alt Delete Tech Bits on YouTube! Here

Prerequisites

• Microsoft Entra ID P2 license or a Microsoft Entra ID Governance license

  or the Enterprise Mobility + Security (EMS) E5 license

• Proper Group Setup: Ensure relevant users or groups are already created and properly configured within your Entra ID tenant.

• Enable My Staff Portal for Delegation

Problem Scenario

The Head of Year needs to reset passwords for all Year 11 students without accessing accounts from other year groups or unrelated users. The My Staff portal will streamline these actions while ensuring permissions are restricted.

My Staff Portal is Enabled for Delegation

1. Navigate to Microsoft Entra Admin Center (https://entra.microsoft.com

2. Go to Identity > Users > User settings >Password Reset.

3. Set Self-service password reset to Selected or All.

4. Ensure the User Administrator role appears under Password Reset Permissions.

   

Create an Administrative Unit

1. Log in to the Microsoft Entra Admin Center with a global administrator account.

   • Go to Identity> Roles & admins > Administrative Units.

2. Click + Add to create a new Administrative Unit (AU).

3. Provide a name for the AU, e.g., Year 11 Support AU.

4. Click Review + Create, then select Create.

   

Assign a Role to the Head of Year Within the Administrative Unit

1. Go to Entra ID > Administrative Units and select Year 11 Support AU.

2. Navigate to Roles and Administrators and click + Add assignments.

3. Select the User Administrator role, which permits password resets for assigned members or groups.

4. Add the Head of Year user (e.g., head.year11@school.com) as a User Administrator for this AU.

5. Click Assign.

Add a Group of Year 11 Students to the Administrative Unit

1. Within Year 11 Support AU, go to the Members tab and click + Add members.

2. Select the Year 11 Students group, ensuring it contains all relevant students.

3. Confirm the group is added as a member of the AU.

Tip: Adding groups simplifies management—any new students added to the group will automatically inherit the permissions of the AU.

---

Test Permissions

Testing with the Head of Year

1. Open a private/incognito browser window.

2. Go to https://mystaff.microsoft.com

3. Log in with the Head of Year’s credentials (e.g., head.year11@school.com).

4. You’ll see a simplified interface displaying the Year 11 Students group or its members.

5. Test resetting a password for a student in the group (this action should succeed).

6. Verify that students from other year groups or users outside Year 11 Students are not visible in the Head of Year’s view.

Testing with a Global Administrator

1. Log in to the Entra Admin Center as a global administrator.

2. Navigate to Users and confirm the global administrator can reset passwords for all users.

---

Publish the My Staff Portal as a Tile in Microsoft 365

Create a Custom App Tile

1. Go to the Microsoft 365 Admin Center and navigate to Settings > Org Settings.

2. Under Services, select Custom App Launcher Tiles.

3. Click + Add a custom tile and provide the following details:

   • Name: My Staff

   • URL: https://mystaff.microsoft.com

4. • Description: Manage Year 11 student accounts and reset passwords.

   • Icon: Upload an image or use a default one.

5. Save the tile.

Test the Tile

1. Log in as the Head of Year.

2. Ensure the My Staff tile appears in the Microsoft 365 App Launcher.

3. Clicking the tile should redirect to the My Staff portal.

Loading...

Key Benefits of Group-Based Delegation

Simplified Management: Adding a group (e.g., Year 11 Students) eliminates the need for manual user assignments within the AU.

Dynamic Updates: If the group is dynamic, new members are automatically included in the AU, saving time and effort.

Clean Interface: The My Staff portal ensures the Head of Year only interacts with relevant users, reducing confusion and improving usability.