Administering Microsoft 365 organizations added on different levels

Company administrators have full access to the Microsoft 365 organizations that are added to the customer tenant level.

Company administrators have limited access to the organizations that are added to a unit. In these organizations, shown with the unit name in brackets, company administrators can do the following:

• Recover data from backups.

  Company administrators can recover data to all organizations in the tenant, regardless of the level on which these organizations are added.

• Browse backups and recovery points in backups.
• Delete backups and recovery points in backups.
• View alerts and activities.

Company administrators, when acting on the customer tenant level, cannot do the following:

• Add Microsoft 365 organizations to units.
• Delete Microsoft 365 organizations from units.
• Synchronize Microsoft 365 organizations that were added to a unit.
• View, create, edit, delete, apply, run, or revoke protection plans for data items in the Microsoft 365 organizations that are added to a unit.

Unit administrators and company administrators acting on the unit level have full access to the organizations that are added to a unit. However, they do not have access to any resources from the parent customer tenant, including the protection plans that are created in it.