Administrative units in AAD and some preview features

What are Administrative units?

An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only users, groups, or devices.

An administrative unit restricts the permissions of a role to whatever part of your organization you define. For example, you can use administrative units to delegate roles to regional support specialists so that they can manage users only in the region they support.

License requirements

Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and an Azure AD Free license for each administrative unit member. If you are using dynamic membership rules for administrative units, each administrative unit member requires an Azure AD Premium P1 license. 

Currently supported scenarios

As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:

  • Create administrative units
  • Add users, groups, or devices as members of administrative units
  • Manage users or devices for an administrative unit with dynamic membership rules (Preview)
  • Assign IT staff to administrative unit-scoped administrator roles.

Administrative unit management

Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Create or delete administrative units | ✔️ | ✔️ | 
Add or remove members individually | ✔️ | ✔️ | 
Add or remove members in bulk by using CSV files | | ✔️ | No plan to support
Assign administrative unit-scoped administrators | ✔️ | ✔️ | 
Add or remove users or devices dynamically based on rules (Preview) | ✔️ | ✔️ | 
Add or remove groups dynamically based on rules | | | 

User management

Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Administrative unit-scoped management of user properties, passwords | ✔️ | ✔️ | ✔️
Administrative unit-scoped management of user licenses | ✔️ | | ✔️
Administrative unit-scoped blocking and unblocking of user sign-ins | ✔️ | ✔️ | ✔️
Administrative unit-scoped management of user multi-factor authentication credentials | ✔️ | ✔️ | 

Group management

Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Administrative unit-scoped management of group properties and membership | ✔️ | ✔️ | 
Administrative unit-scoped management of group licensing | ✔️ | ✔️ | 

Device management

Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center
Enable, disable, or delete devices | ✔️ | ✔️ | 
Read BitLocker recovery keys | ✔️ | ✔️ | 

Limitations

Here are some of the constraints for administrative units.

  • Administrative units can’t be nested.
  • Administrative unit-scoped user account administrators can’t create or delete users.
  • A scoped role assignment doesn’t apply to members of groups added to an administrative unit, unless the group members are directly added to the administrative unit. For more information, see Add members to an administrative unit.
  • Administrative units are currently not available in Azure AD Identity Governance.

Roles to AU

GUI

Open https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AdminUnit

Create an AU and assign roles.

Roles that can be applied.

PowerShell way
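The same procedure done from PowerShell, as an added example that is not the post's own code: create the AU, fill it with members, and assign a role scoped to it. It also covers the limitation listed above that a scoped role does not reach the members of a group added to an AU, by expanding the group and adding each user directly. It assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) rather than the older AzureAD module; the AU name, the group name and the helpdesk account are made up.

```powershell
# Added example, not the post's own code. Assumes the Microsoft.Graph PowerShell SDK.
# All display names and the helpdesk UPN below are invented for the example.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All", "GroupMember.Read.All"

# 1. Create the administrative unit
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Finland Support" `
        -Description "Users looked after by the Helsinki helpdesk"

# 2. Add members. A group added as a member does NOT put its users in scope,
#    so expand the group and add every user object individually.
$group = Get-MgGroup -Filter "displayName eq 'FI-Employees'"
$users = @(Get-MgGroupMember -GroupId $group.Id -All |
           Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

foreach ($u in $users) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Assign User Administrator, scoped to this AU only
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin = Get-MgUser -UserId "helpdesk.fi@contoso.example"

New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $admin.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

# Check 1: the scope must be the AU path, never "/" (which would be tenant-wide)
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId

# Check 2: every user from the group is now a direct member of the AU
$inAu = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All).Id
$missing = $users | Where-Object { $_.Id -notin $inAu }
"$($users.Count - @($missing).Count) of $($users.Count) users are direct members of $($au.DisplayName)"
```

Check 1 is the one worth keeping in a script: the difference between DirectoryScopeId "/administrativeUnits/<id>" and "/" is the difference between a regional helpdesk and a tenant-wide User Administrator, and both assignments look identical in the role definition itself.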

But there are also new features.

Devices

From GUI

PowerShell way
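Adding devices from PowerShell, as an added example that is not the post's own code: it selects devices by a naming convention, adds them to an existing AU and then lists the membership by object type, since users and devices share one member list. It assumes the Microsoft.Graph PowerShell SDK, an AU named "Finland Support" created earlier, and a "FI-" device name prefix; all of these are assumptions for the example.

```powershell
# Added example, not the post's own code. Assumes the Microsoft.Graph PowerShell SDK,
# an existing AU called "Finland Support" and devices named with an "FI-" prefix.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "Device.Read.All"

$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Finland Support'"
if (-not $au) { throw "Administrative unit 'Finland Support' not found" }

# Devices to bring into scope, picked by naming convention (adjust to your own)
$devices = @(Get-MgDevice -Filter "startswith(displayName,'FI-')" -All)

foreach ($d in $devices) {
    try {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
            -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/devices/$($d.Id)" }
    } catch {
        # Adding an object that is already a member is rejected by the service;
        # report it and carry on with the rest of the list
        Write-Warning "Could not add $($d.DisplayName): $($_.Exception.Message)"
    }
}

# Check: the member list mixes users and devices, so show each member with its type
$members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All)
$members | ForEach-Object {
    [pscustomobject]@{
        Type        = ($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        DisplayName = $_.AdditionalProperties['displayName']
        Id          = $_.Id
    }
} | Sort-Object Type, DisplayName | Format-Table -AutoSize

# Check: which of the intended devices are still not in the AU
$deviceIds = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' }).Id
$devices | Where-Object { $_.Id -notin $deviceIds } | Select-Object DisplayName, Id
```

A role such as Cloud Device Administrator assigned with DirectoryScopeId "/administrativeUnits/<AU id>" then covers only the devices listed by the second check's complement, which is why the listing by type is worth running after every bulk add.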

And also for membership.

Dynamic membership

From GUI

Seems really familiar.

So you could also use attributes from on-premises AD if needed.

PowerShell way
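A dynamic AU from PowerShell, as an added example that is not the post's own code: it creates an AU whose membership is maintained by a rule over user attributes that Azure AD Connect synchronizes from on-premises AD (department and extensionAttribute1 here), reads the stored rule back, and polls for the asynchronous membership evaluation. It assumes the Microsoft.Graph PowerShell SDK and sends the dynamic-membership properties to the beta administrativeUnits endpoint as a raw request; the AU name and the attribute values in the rule are made up.

```powershell
# Added example, not the post's own code. Assumes the Microsoft.Graph PowerShell SDK.
# The AU name and the rule values are invented; replace them with your own attributes.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

$body = @{
    displayName                   = "Finland Support (dynamic)"
    description                   = "Membership maintained by rule, not by hand"
    membershipType                = "Dynamic"
    membershipRuleProcessingState = "On"     # "Paused" keeps the rule but stops evaluating it
    # Same rule syntax as dynamic groups; extensionAttribute1-15 and department are
    # typical attributes synchronized from on-premises AD
    membershipRule                = '(user.department -eq "Support") -and (user.extensionAttribute1 -eq "FI")'
}

# Sent as a raw request against beta so the call does not depend on which API
# version the module's typed cmdlets are bound to
$au = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/administrativeUnits" -Body $body

# Check 1: the service stored the rule we sent and processing is On
$stored = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/administrativeUnits/$($au.id)"
"Rule:  $($stored.membershipRule)"
"State: $($stored.membershipRuleProcessingState)"

# Check 2: evaluation is asynchronous, so poll (up to ~2 minutes) until members appear
$members = @()
$waited  = 0
while ($members.Count -eq 0 -and $waited -lt 120) {
    Start-Sleep -Seconds 10
    $waited += 10
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.id -All)
}
"$($members.Count) members after $waited seconds"

# Note: members cannot be added by hand to a dynamic AU; to change who is in scope,
# change the rule (or the users' attributes), not the member list.
```

If check 2 still reports zero members after the wait, look at the rule before anything else: a rule that references an attribute the users do not carry (an extension attribute that is not being synchronized, for example) is accepted by the service and simply matches nobody.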

Author: Harri Jaakkonen
