Effective use of Azure AD Administrative Units [Azure AD AUs]

I look at the Azure AD portal with curiosity to see what the new features are, and then I want to play around with them to better understand their usage. This is not the latest feature, but it is out of preview mode, and this post is about the effective use of Azure AD AUs.

How it started Vs. How it’s going

It looks like this is the cloud way of segmenting administrative access over users among the admins. In the traditional Active Directory world there are Organizational Units (OUs) and delegation rights: if your OUs are organised by site and you need to give access to the admins responsible for that site, you add the admin's username or a security group and configure their permissions on that OU.

Administrative Units (AUs) follow the same concept. Azure AD doesn't have OUs, and its objects are not manageable the way traditional AD objects are; hence AUs combined with Roles.

Limitations

No nested groups right now; every group that needs to be managed by the scoped admins has to be in the AU itself.

Adding groups to an AU does not automatically give you management of the users in those groups. It gives the admin management of the group object itself, provided that admin has the Groups Administrator role assigned in the AU.

Only a few Administrative Roles are supported at the moment.

An Azure AD P1 license is required to configure Azure AD AUs.


How to create an AU and add users and groups?

1. Log in to aad.portal.azure.com
2. Go to Azure Active Directory
3. Go to Administrative Units
4. Add > Properties

5. Set the name as above and hit Next. This allows you to add the admin user accounts that will be required to perform tasks in the AU.

6. Next > Create

This will now create the AU for you.

7. Go back to the Administrative Units > Look for the created AU

8. Add members – this allows you to add users manually

9. Add Groups

This way, the admin who holds the Groups Administrator role in the AU has access to the groups in that AU.

Groups can still be viewed from the Azure AD portal; apart from the groups in the AU, all other groups will be read-only for that admin.

10. Go to the Roles and administrators tab and add, remove or change admin roles according to the requirement

Assign the Groups Administrator role if that admin needs to manage certain groups. Any group type is acceptable.
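The same scoped role assignment done from PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the AzureADPreview module is imported and Connect-AzureAD has been run; the AU name, admin UPN and role name are placeholders, and the cmdlets used (Get-AzureADDirectoryRole, Enable-AzureADDirectoryRole, Add-AzureADMSScopedRoleMembership, Get-AzureADMSScopedRoleMembership) are the module's own.

```powershell
# Added example (not from the original post): scope the Groups Administrator role
# to one AU from PowerShell, then list the AU's scoped role assignments for review.
# Assumes the AzureADPreview module is imported and Connect-AzureAD has been run.
# 'Sydney-Office' and the admin UPN are placeholders; substitute your own values.
$auName   = 'Sydney-Office'
$adminUpn = 'admin@domain.com'
$roleName = 'Groups Administrator'

$au    = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$auName'"
$admin = Get-AzureADUser -Filter "userPrincipalName eq '$adminUpn'"
if (-not $au -or -not $admin) { throw "AU or admin account not found" }

# Get-AzureADDirectoryRole only returns roles already activated in the tenant;
# activate the role from its template if it has never been used before.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Skip the assignment if the admin already holds this role in this AU (re-runnable).
$existing = Get-AzureADMSScopedRoleMembership -Id $au.Id |
    Where-Object { $_.RoleId -eq $role.ObjectId -and $_.RoleMemberInfo.Id -eq $admin.ObjectId }
if (-not $existing) {
    $member = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
    $member.Id = $admin.ObjectId
    # Scoped to the AU: the role applies only to objects that are members of the AU.
    Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $member
}

# Review step: who holds which role inside this AU (scoped, not tenant-wide).
Get-AzureADMSScopedRoleMembership -Id $au.Id | ForEach-Object {
    $r = Get-AzureADDirectoryRole -ObjectId $_.RoleId
    [pscustomobject]@{
        AU     = $au.DisplayName
        Role   = $r.DisplayName
        Member = $_.RoleMemberInfo.DisplayName
    }
}
```

The final listing is the one to keep an eye on: a role that shows up here is delegated only over the AU's members, whereas the same role in Roles and administrators at tenant level applies to every object.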


How to access the scope?

Once that admin logs in to the Admin Center or the Azure AD portal, they get access to manage users and groups.

Admin Center – only the scoped users are visible, and the admin can manage them according to the Administrative Role provided.

Azure AD portal – all users and groups are visible in the portal; however, the admin can only manage the objects that are present in the AU.


Use PowerShell

1. Install the latest AzureAD Preview module – PowerShell Gallery | AzureADPreview 2.0.2.129 – and connect

Import-Module AzureADPreview

Connect-AzureAD

2. Create AAD AU

New-AzureADMSAdministrativeUnit -Description "Sydney office users" -DisplayName "Sydney-Office"

3. Add users

$administrativeunitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Sydney-Office'"
$UserObj = Get-AzureADUser -Filter "UserPrincipalName eq 'suffix@domain.com'"
# Same cmdlet family as the Get above, so .ObjectId is the right identifier
Add-AzureADAdministrativeUnitMember -ObjectId $administrativeunitObj.ObjectId -RefObjectId $UserObj.ObjectId

4. Add Groups

$administrativeunitObj = Get-AzureADAdministrativeUnit -Filter "displayname eq 'Sydney-Office'"
$GroupObj = Get-AzureADGroup -Filter "displayname eq 'GROUPNAME'"
Add-AzureADAdministrativeUnitMember -ObjectId $administrativeunitObj.ObjectId -RefObjectId $GroupObj.ObjectId

Simple script to bulk add users

1. Find the ObjectId of the AU

Get-AzureADAdministrativeUnit

2. Prepare a CSV file with a column of UPNs (header: upn).

# Get-AzureADUser -ObjectId accepts a UPN as well as an object ID
Import-Csv "C:\<CSV file location>\<filename>.csv" | ForEach-Object { Add-AzureADAdministrativeUnitMember -ObjectId <object ID of the AU found above> -RefObjectId (Get-AzureADUser -ObjectId $_.upn).ObjectId }
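A fuller version of the bulk-add one-liner above, as an added example that is not part of the original post: it resolves the AU by name, skips users who are already members so the script can be re-run, records failures per UPN instead of stopping, and writes a result file. It assumes the AzureADPreview module is imported and Connect-AzureAD has been run; the AU name, CSV path and the upn column header are placeholders.

```powershell
# Added example (not from the original post): bulk-add users from a CSV to an AU.
# Assumes AzureADPreview is imported and Connect-AzureAD has been run. The CSV path,
# AU name and the 'upn' column header are placeholders matching the post's CSV layout.
$auName  = 'Sydney-Office'
$csvPath = 'C:\temp\sydney-users.csv'   # single column with header: upn

$au = Get-AzureADAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) { throw "Administrative unit '$auName' not found" }

# Snapshot current members so re-running the script does not error on duplicates.
$current = Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -All $true |
    ForEach-Object { $_.ObjectId }

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $upn = $row.upn.Trim()
    if (-not $upn) { continue }            # ignore blank rows
    try {
        $user = Get-AzureADUser -ObjectId $upn    # -ObjectId accepts a UPN
        if ($current -contains $user.ObjectId) {
            $status = 'AlreadyMember'
        } else {
            Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $user.ObjectId
            $status = 'Added'
        }
    } catch {
        # Typically a UPN that does not exist in the tenant; keep going with the rest.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ UPN = $upn; Status = $status }
}

$results | Format-Table -AutoSize
# Keep a record of the change: every user added here comes under the AU's scoped admins.
$results | Export-Csv -Path ($csvPath -replace '\.csv$', '-result.csv') -NoTypeInformation
```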


Use PIM (Privileged Identity Management)

You can use the above roles in an AU to scope PIM settings. That way, the admins who hold those roles can be further constrained with Privileged Access settings. Read the Doc
Azure AD P2 required.


Final Words/ Improvements

I would like to see more Administrative Roles that can be assigned to AUs, and you also can't dig deep into configuring roles, at least for now. I would like to see a more customizable version of this.

Adding a group does not add the users in it; users have to be added manually. If this were available, one could have used Dynamic Groups along with an AD attribute, so any user who has the attribute gets auto-added to the AU. It would be nice to see some automation in the future.

The Admin Center has less accessibility than the AAD portal – if both showed equal details, that would be nice.

MS Docs for the AAD AU FAQ: Administrative units troubleshooting and FAQ – Azure Active Directory | Microsoft Docs

feature image: Access Vectors by Vecteezy
