BloodHoundAD / BloodHound

Six Degrees of Domain Admin


Azure - Administrative Units are ignored, leading to false positives in edges

EnriqueHernandezL opened this issue

Describe the bug
A few roles, like "Helpdesk Administrator", can be scoped to "Administrative Units", so that in this example only other users in that administrative unit can get their password reset by the Helpdesk Admin in question. BloodHound ignores this, which leads to false positives in PasswordReset edges.

To Reproduce
Steps to reproduce the behavior:

  1. Set up an administrative unit "AU1".
  2. Give a user user1 "Helpdesk Administrator" scoped to the "AU1" AU.
  3. Create a second user user2 which is not in "AU1".
  4. BloodHound thinks that user1 owns user2 through PasswordReset.

Expected behavior
BloodHound should consider that Azure AD roles can be scoped to Administrative Units.
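The following is an added example, not code from the BloodHound project or from the issue reporter. It models the scoping rule the issue describes: a role assignment is either tenant-wide or scoped to one Administrative Unit, and a PasswordReset edge is only valid when the target is inside that scope. It computes the edge set both ways (ignoring AU scope, as the issue says BloodHound does, and honoring it) and reports the difference as the false positives. The users, AU membership, role names and the `RoleAssignment` shape are constructed for the example and are not BloodHound's data model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Roles that grant a password-reset capability in this example. Only the role
# named in the issue is included; this is a constructed list, not Azure AD's.
PASSWORD_RESET_ROLES = {"Helpdesk Administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    """A directory role held by a principal.

    scope is None for a tenant-wide assignment, or the id of the
    Administrative Unit the assignment is restricted to.
    """
    principal: str
    role: str
    scope: Optional[str] = None


# Constructed sample tenant mirroring the reproduction steps:
# user1 is Helpdesk Administrator scoped to AU1, user2 is outside AU1,
# user3 is an extra member of AU1 so the scoped edge set is non-empty.
USERS: Set[str] = {"user1", "user2", "user3"}
AU_MEMBERS: Dict[str, Set[str]] = {"AU1": {"user1", "user3"}}
ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("user1", "Helpdesk Administrator", scope="AU1"),
]

Edge = Tuple[str, str]  # (source principal, target user)


def password_reset_edges(
    assignments: List[RoleAssignment],
    users: Set[str],
    au_members: Dict[str, Set[str]],
    honor_au_scope: bool = True,
) -> Set[Edge]:
    """Return PasswordReset edges derived from role assignments.

    With honor_au_scope=False every reset role is treated as tenant-wide,
    which is the behaviour the issue reports. With honor_au_scope=True a
    scoped assignment only yields edges to members of its AU.
    """
    edges: Set[Edge] = set()
    for a in assignments:
        if a.role not in PASSWORD_RESET_ROLES:
            continue
        if a.scope is None or not honor_au_scope:
            targets = users
        else:
            # An unknown AU id yields no targets rather than the whole tenant.
            targets = au_members.get(a.scope, set())
        for target in targets:
            if target != a.principal:  # no self-edge
                edges.add((a.principal, target))
    return edges


def false_positive_edges(
    assignments: List[RoleAssignment],
    users: Set[str],
    au_members: Dict[str, Set[str]],
) -> Set[Edge]:
    """Edges present when AU scope is ignored but absent when it is honored."""
    unscoped = password_reset_edges(assignments, users, au_members, honor_au_scope=False)
    scoped = password_reset_edges(assignments, users, au_members, honor_au_scope=True)
    return unscoped - scoped


if __name__ == "__main__":
    for edge in sorted(false_positive_edges(ASSIGNMENTS, USERS, AU_MEMBERS)):
        print("false positive PasswordReset edge:", edge)
```

Running it on the sample tenant lists `('user1', 'user2')` as the only false positive: user1 can still reset user3 (both in AU1), but the edge to user2 disappears once scope is honored. The example models only the AU-scope dimension raised in the issue; a real evaluation would also need the other restrictions Azure AD places on which accounts a given role may reset.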