Forum Discussion
Lefty
Nov 26, 2024 | Copper Contributor
Administrative Units - are they a possible solution in this case?
Hi,
I'm looking at a situation where a company has two divisions, which we will call Corporate and Operations. They are geographically distinct as well as having significantly different requirements in terms of security, data access, mobile device control, applications requirements and other factors.
At the current time, for mostly historical reasons, all IT is run from Operations, primarily based on a Microsoft 365 Tenancy.
This isn't working well, and for a variety of reasons it seems it would be significantly preferable if the current Admins dealt with, and could only access, things related to Operations while new admins deal with Corporate. If any admin is going to have access to everything it needs to be Corporate (e.g. Operations admins should not be able to see Corporate emails; the reverse is less of an issue).
A solution they are seriously considering is simply starting a new Microsoft 365 Tenancy for Corporate and then linking between them as required, possibly using a Multi Tenant Organization. The divisions appear to be distinct enough this could function quite well. They own several domains and apparently, email addresses are currently split divisionally to two of those domains.
However, I have just come across Administrative Units and wonder if an alternative might be to use those? I'm still on the learning curve for 365, so despite having a look at the documentation it's currently unclear to me what powers and restrictions can be assigned to the administrator of a given unit.
- micheleariis | Steel Contributor
Hi, I used them to divide device management between 2 departments located in 2 countries.
Administrative Units in Microsoft 365 allow you to delegate management of users, groups and devices to specific administrators, limiting their access to a subset of the tenant. This could work to separate Corporate and Operations, with the following advantages and limitations:
Advantages:
- Delegated and separate management by division.
- One tenant, with less complexity.
Limitations:
- Service configurations (e.g., SharePoint, Teams) remain central.
- Not suitable for legal separation or stringent compliance requirements.
As an alternative, you can create a separate tenant for Corporate that would provide complete separation (data, administration, billing), but with greater management complexity.
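The delegation described in this reply, sketched with the Microsoft Graph PowerShell SDK as an added example that is not part of either post: it creates a "Corporate" administrative unit, adds the users of one domain, assigns one admin the User Administrator role scoped to that unit only, then lists that admin's role scopes. The domain, the admin UPN and the choice of role are assumptions made for illustration.

```powershell
# Added example (not from the thread). Placeholder values are marked below.
# Requires the Microsoft.Graph PowerShell SDK and consent to the listed scopes.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

$domain   = 'corp.example.com'              # placeholder: the Corporate mail domain
$adminUpn = 'corp-admin@corp.example.com'   # placeholder: the new Corporate admin

# 1. Create the administrative unit that will hold Corporate's users.
$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Corporate' `
        -Description 'Users managed by the Corporate admin team'

# 2. Add every user whose UPN is in the Corporate domain.
#    endswith() is an advanced query, so it needs ConsistencyLevel + a count variable.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable userCount `
           -Filter "endswith(userPrincipalName,'@$domain')"
foreach ($u in $users) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Assign the role with the AU as its scope. The DirectoryScopeId is what
#    confines the admin to the unit; '/' would make the same role tenant-wide.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin = Get-MgUser -UserId $adminUpn
$scope = "/administrativeUnits/$($au.Id)"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId $scope

# 4. Check: list this admin's assignments and flag any that are tenant-wide,
#    since a tenant-wide assignment would bypass the AU boundary.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId,
        @{ Name = 'TenantWide'; Expression = { $_.DirectoryScopeId -eq '/' } }
```

Step 4 is the part worth repeating in a periodic review: an admin who also holds a role with scope `/` is not restricted by the administrative unit at all.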