Administrative units in Azure Active Directory

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

This post describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure AD resource that can contain other Azure AD resources. An administrative unit can contain only users, groups, or devices.

Administrative units restrict the permissions in a role to any portion of your organization that you define. For instance, you could use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region they support.

Scenario for deployment

In organizations made up of independent divisions of any kind, it may be advantageous to limit the administrative reach by utilizing administrative units. Think about the case of a major institution composed of numerous independent schools (School of Business, School of Engineering, and so on). Each school has a group of IT administrators who manage users, implement policies, and monitor access.

A central administrator could:

· Create an administrative unit for the School of Business.

· Make sure that only employees and students from the School of Business are included in the administrative unit.

· Create a role with administrative control only over Azure AD users in the School of Business administrative unit.

· Add the School of Business IT team to the role, along with its scope.

Constraints

These are a few of the restrictions that apply to administrative units.

· Administrative units cannot be nested.

· User account administrators scoped to an administrative unit cannot add or remove users.

· Azure AD Identity Governance does not presently support administrative units.

Groups

When a group is added to an administrative unit, the group itself enters the administrative unit's management scope, but the group's members do not. In other words, an administrator scoped to the administrative unit can manage group properties such as the group name or membership, but not user or device properties (unless those users and devices are separately added as members of the administrative unit).

Group members (users) must be added directly as members of the administrative unit in order for the User Administrator to handle the user properties or user authentication procedures of specific group members.
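The rule in this section, worked through as an added example (not code from the original post or from Microsoft): given the direct members of an administrative unit and the members of its groups, it lists the users and devices that a scoped administrator cannot manage until they are added to the unit directly. The object ids, names and record layout are constructed sample data modeled on Microsoft Graph member listings.

```python
# Added example. All records are constructed sample data shaped like
# Microsoft Graph member listings; nothing is fetched from a tenant.
USER = "#microsoft.graph.user"
GROUP = "#microsoft.graph.group"
DEVICE = "#microsoft.graph.device"

# Constructed: direct members of a hypothetical "School of Business" AU.
AU_MEMBERS = [
    {"@odata.type": USER, "id": "u-alice", "displayName": "Alice"},
    {"@odata.type": GROUP, "id": "g-mba", "displayName": "MBA Students"},
    {"@odata.type": DEVICE, "id": "d-lab01", "displayName": "LAB-01"},
]

# Constructed: members of each group, keyed by group id.
GROUP_MEMBERS = {
    "g-mba": [
        {"@odata.type": USER, "id": "u-alice", "displayName": "Alice"},
        {"@odata.type": USER, "id": "u-bob", "displayName": "Bob"},
        {"@odata.type": DEVICE, "id": "d-lab02", "displayName": "LAB-02"},
    ],
}


def direct_scope(au_members):
    """Ids an AU-scoped admin can manage: direct AU members only."""
    return {m["id"] for m in au_members}


def is_manageable(object_id, au_members):
    """True only if the object itself is a direct member of the AU."""
    return object_id in direct_scope(au_members)


def scope_gaps(au_members, group_members):
    """For each group in the AU, list its user and device members that are
    not direct AU members and so fall outside the scoped admin's reach."""
    scope = direct_scope(au_members)
    gaps = {}
    for m in au_members:
        if m["@odata.type"] != GROUP:
            continue
        missing = sorted(
            g["id"] for g in group_members.get(m["id"], [])
            if g["@odata.type"] in (USER, DEVICE) and g["id"] not in scope
        )
        if missing:
            gaps[m["id"]] = missing
    return gaps
```

With the sample data, the group `g-mba` is in scope while its members `u-bob` and `d-lab02` are reported as gaps; `u-alice` is manageable because she is also a direct member of the unit.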

Prerequisites for a license

Each administrative unit administrator must have an Azure AD Premium P1 license, and every administrative unit member must have an Azure AD Free license, in order to use administrative units. Each administrative unit member needs an Azure AD Premium P1 license if you’re utilizing dynamic membership rules for administrative units. To locate the appropriate license for your needs

 

Managing administrative units

You can manage administrative units by using the Azure portal, PowerShell cmdlets and scripts, or the Microsoft Graph API. See: for further details.

· Add or remove administrative units

· Add users, groups, or devices to an administrative unit

· Manage users or devices for an administrative unit with dynamic membership rules (Preview)

· Assign Azure AD roles with administrative unit scope

· Work with administrative units: explains how to work with administrative units by using PowerShell.

· Administrative unit Graph support: provides comprehensive documentation on Microsoft Graph for administrative units.
