# Administrative Units

The `Administrative Units` page lists the administrative units enumerated across the entire Azure environment. The list contains the `Display Name`, `Description`, `Member Management Restricted`, `Visibility`, `Member Count` and `Tier 0` columns.

<figure><img src="/files/AFBhHDijOXMmAc9Q5n6W" alt=""><figcaption><p>Administrative Units</p></figcaption></figure>

## Administrative Units Details

The Details page contains the `Risk Score` of the administrative unit and the `Exposure Point` and `Information` panes.

{% hint style="info" %}
You can analyze objects in the `Graph module` by clicking the `Visualize` button on the upper left side of the `Information Pane`.
{% endhint %}

<figure><img src="/files/fhlCFVGiUw27ZRwTrEzh" alt=""><figcaption><p>Administrative Units Details</p></figcaption></figure>

## Information

The `Information Pane` can contain different badges to highlight important attributes.

| Badge    | Description                                                            |
| -------- | ---------------------------------------------------------------------- |
| **Tier** | Indicates the object's tier according to risk score and importance.    |

The `Information Pane` contains the `Details`, `Users`, `Groups`, and `Devices` tabs, in that order.

## Details

The Details tab contains the attributes below for the administrative unit object.

| Attribute                            | Description                                                                                                                                                       |
| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Display Name**                     | The name of the Administrative Unit as shown in the Azure portal; used to identify and organize groups of users, devices, or groups for delegated administration. |
| **Membership Rule**                  | This field defines the dynamic membership criteria, if any. It's blank when the AU uses manual (static) membership.                                               |
| **Description**                      | An optional text field describing the purpose or usage of the Administrative Unit; this is blank if not set.                                                      |
| **Membership Type**                  | Indicates whether members are added **dynamically** (based on rules) or **assigned manually**. If not specified, the AU is likely using manual assignments.       |
| **Visibility**                       | Defines who can see the Administrative Unit. When blank, it defaults to standard visibility within the tenant based on assigned permissions.                      |
| **Membership Rule Processing State** | Shows the status of dynamic rule evaluation (e.g., `Processing`, `Completed`, or `NotStarted`). If blank, the AU does not use dynamic membership.                 |
| **Tenant ID**                        | The unique identifier (GUID) of the Azure AD tenant where the Administrative Unit resides.                                                                        |
| **Is Member Management Restricted**  | When set to `False`, it means global administrators and other authorized roles can manage members without restrictions.                                           |
| **Object ID**                        | A globally unique identifier (GUID) assigned to the Administrative Unit within the Azure AD directory.                                                            |

## Users

The Users tab contains a list of users that are members of the administrative unit. This list also contains `Enabled` and `On Prem Sync Enabled` columns to identify the status of these users.

<figure><img src="/files/MYCLZPcoWEhxnZx42lQC" alt=""><figcaption><p>Users</p></figcaption></figure>

## Groups

The Groups tab contains a list of groups that are members of the administrative unit. This list also contains `Enabled` and `On Prem Sync Enabled` columns to identify the privilege levels of these groups.

<figure><img src="/files/HirYhLmNwbQqRRRPGALY" alt=""><figcaption><p>Groups</p></figcaption></figure>

## Devices

The Devices tab contains a list of devices that are members of the administrative unit. This list also contains `Account Enabled`, `Operating System`, `Operating System Version` and `Owner Users` columns to identify the status of these devices.

<figure><img src="/files/WRNWMe8LkTDcXeWeJiNj" alt=""><figcaption><p>Devices</p></figcaption></figure>

