Quite some time ago I blogged about Azure AD Administrative Units (AUs). The details can be found in the following blog posts:
- (2019-07-04) Azure AD Delegation Through Roles And Administrative Units – The Good, The Bad And The Ugly (Part 1)
- (2019-07-07) Azure AD Delegation Through Roles And Administrative Units – The Good, The Bad And The Ugly (Part 2)
–
Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units
–
Since then many things have changed, and today it is a valuable feature for delegating the management of a set of objects to other groups of people. It is different from OUs in Active Directory (AD): OUs in AD are used both to delegate management and to apply policy (Group Policy), whereas AUs in Azure AD are for delegating management only.
Figure 1: Administrative Units In Azure AD – From The Administrative Unit Perspective
–
Objects
Today AUs only support user and group objects, both cloud native and hybrid/synced. Those objects are not actually child objects of an AU; they are assigned to one or more AUs, and the assignment behaves much like a group membership. Because an object can be assigned to multiple AUs, multiple groups of admins can manage the same set of objects.
Objects can be assigned to an AU
- …from the AU perspective => select AU, then add member object
OR
- …from the object perspective => select object, then assign an AU
Figure 2: User Objects Member Of A Certain Administrative Unit
–
Figure 3: Group Objects Member Of A Certain Administrative Unit
–
Figure 4: Administrative Units In Azure AD – From The Object (In This Case: User) Perspective
–
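Both perspectives described above, done with the Azure AD PowerShell module instead of the portal. This is an added example, not code from the original post; it assumes the AzureAD module (2.0.2.x, the version that ships the *-AzureADMS* cmdlets), that Connect-AzureAD has already been run with an account allowed to manage AUs, and the hypothetical AU name 'AU-Sales' and user 'alice@contoso.com'. The module has no cmdlet for the "which AUs is this object in?" direction, so the helper walks every AU and tests its member list.

```powershell
# Added example, not code from the original post. Assumes the AzureAD PowerShell
# module (2.0.2.x, with the *-AzureADMS* cmdlets), that Connect-AzureAD has been
# run with an account that may manage AUs, and the hypothetical names below.
$AuName = 'AU-Sales'          # assumption: an existing AU with this display name
$Upn    = 'alice@contoso.com' # assumption: an existing user

# From the AU perspective: select the AU, then add the member object.
$au   = Get-AzureADMSAdministrativeUnit -All $true | Where-Object DisplayName -eq $AuName
if (-not $au) { throw "AU '$AuName' not found" }
$user = Get-AzureADUser -ObjectId $Upn

# Adding an object that is already assigned is rejected by the service, so check first.
$isMember = Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true |
            Where-Object Id -eq $user.ObjectId
if (-not $isMember) {
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $user.ObjectId
}

# From the object perspective: which AUs is this object assigned to? The module has
# no cmdlet for this direction, so walk all AUs and test their membership lists.
# Membership behaves like group membership, so an object may show up in several AUs.
function Get-AdministrativeUnitsForObject {
    param([Parameter(Mandatory)][string]$ObjectId)
    foreach ($unit in Get-AzureADMSAdministrativeUnit -All $true) {
        $members = Get-AzureADMSAdministrativeUnitMember -Id $unit.Id -All $true
        if ($members.Id -contains $ObjectId) { $unit }
    }
}

Get-AdministrativeUnitsForObject -ObjectId $user.ObjectId |
    Select-Object Id, DisplayName, Description
```

Walking every AU is O(AUs x members), which is fine for a handful of AUs but not for hundreds; at that scale query the object's memberOf through the Microsoft Graph API instead.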
Administration
The main (and only) goal of AUs is delegating the administration of user and group objects. At tenant level, Azure AD supports many administrative roles. Some of those roles, the ones that focus on user and group objects across the complete Azure AD tenant, can therefore also be scoped to an AU, which lets the assignee perform the tasks supported by that role only on the objects assigned to the AU. Figure 5 shows the administrative roles currently supported by an AU.
Figure 5: Administrative Units In Azure AD – Available Delegation Roles For Each Administrative Unit
–
This does not mean delegation is configured by default. You still need to configure it by assigning users and/or groups the respective role, scoped to the corresponding AU. Any user can be assigned the supported roles scoped to the AU. Groups, however, can only be assigned the supported Azure AD roles if they were created as role-assignable groups. That setting cannot be changed after the group has been created, so it must be configured when creating the group.
When looking at a specific Azure AD administrative role, you can see the scope of each assignment (the whole tenant or a specific AU) and which object (user or group) has been assigned the role for that scope.
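The delegation setup described above, end to end, in PowerShell. This is an added example and not code from the original post. It assumes the AzureAD module (2.0.2.x), that Connect-AzureAD was run as Privileged Role Administrator or Global Administrator (needed to create role-assignable groups and scoped role assignments), an existing hypothetical AU 'AU-Sales', a hypothetical group name, and that the role display name 'User Administrator' matches your tenant (check with Get-AzureADDirectoryRoleTemplate).

```powershell
# Added example, not code from the original post. Assumes the AzureAD module
# (2.0.2.x), Connect-AzureAD run as Privileged Role Administrator or Global
# Administrator, and the hypothetical names below.
$AuName    = 'AU-Sales'              # assumption: existing AU
$GroupName = 'AU-Sales-UserAdmins'   # assumption: group to create for the delegated admins
$RoleName  = 'User Administrator'    # assumption: verify against Get-AzureADDirectoryRoleTemplate

$au = Get-AzureADMSAdministrativeUnit -All $true | Where-Object DisplayName -eq $AuName
if (-not $au) { throw "AU '$AuName' not found" }

# 1. A group can only receive an Azure AD role if it was created role-assignable.
#    IsAssignableToRole cannot be changed afterwards, so it is set at creation time.
$group = Get-AzureADMSGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $nick  = ($GroupName -replace '[^A-Za-z0-9]', '').ToLower()
    $group = New-AzureADMSGroup -DisplayName $GroupName -MailNickname $nick `
                                -MailEnabled $false -SecurityEnabled $true `
                                -IsAssignableToRole $true
}
elseif (-not $group.IsAssignableToRole) {
    throw "Group '$GroupName' exists but is not role-assignable; it must be recreated."
}

# 2. Get-AzureADDirectoryRole only lists roles already activated in the tenant;
#    activate the role from its template if it has never been used.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $RoleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    if (-not $template) { throw "Role template '$RoleName' not found" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# 3. Assign the role to the group, scoped to this AU only (not tenant-wide).
$member    = New-Object -TypeName Microsoft.Open.MSGraph.Model.MsRoleMemberInfo
$member.Id = $group.Id
Add-AzureADMSScopedRoleMembership -Id $au.Id -RoleId $role.ObjectId -RoleMemberInfo $member

# 4. Verify: list every role assignment scoped to this AU and who holds it.
Get-AzureADMSScopedRoleMembership -Id $au.Id | ForEach-Object {
    [pscustomobject]@{
        Role     = (Get-AzureADDirectoryRole -ObjectId $_.RoleId).DisplayName
        Assignee = $_.RoleMemberInfo.DisplayName
        Scope    = $au.DisplayName
    }
}
```

Step 4 is the check worth keeping as a recurring audit: an assignment on the AU object is easy to overlook when reviewing roles from the tenant level, and a scoped User Administrator can still reset passwords for every user assigned to the AU.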
–
Assigning Objects To AUs
It is possible to add or remove assignments of individual objects through either the Azure AD Portal, PowerShell or the Microsoft Graph API. Additionally, through the Azure AD Portal it is possible to bulk add or remove objects to/from an AU. When deleting an AU, only the AU itself, its delegation configuration (the role assignments scoped to the AU, not the roles themselves) and the assignments of objects (the users and groups are unassigned, not deleted) are removed with it.
Figure 6: Administrative Units In Azure AD – Supported Bulk Operations
–
Another thing that would be very interesting is auto assigning users and groups to Administrative Units instead of all the current manual work that is needed. Dynamic assignment similar to dynamic groups would be very welcome and definitely a serious win!
Nevertheless, if you have something that can leverage either the Azure AD PowerShell module or the Microsoft Graph API, dynamic assignment is possible, as long as you have something external to Azure AD (an IAM system?) that determines the logic for adding or removing objects to/from AUs. More about these thoughts in an upcoming blog post! Make sure to read that one!
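What such an external "dynamic assignment" can look like in practice: a reconciliation script that computes the desired member set from a user attribute, compares it with the AU's current members, and applies only the delta. This is an added example, not code from the original post or the promised follow-up. It assumes the AzureAD module (2.0.2.x), that Connect-AzureAD was run with an account that may manage AU members, and the hypothetical AU 'AU-Sales' populated by the rule department eq 'Sales'; in a real deployment the rule or the desired member list would come from the IAM system.

```powershell
# Added example, not code from the original post: reconcile an AU's user members
# with an attribute-based rule. Assumes the AzureAD module (2.0.2.x), Connect-AzureAD
# already run with an account that may manage AU members, and the hypothetical
# AU name and rule below.
param(
    [string]$AuName     = 'AU-Sales',   # assumption: existing AU
    [string]$Department = 'Sales',      # assumption: attribute value that defines membership
    [switch]$WhatIf                     # report the delta without changing anything
)

$au = Get-AzureADMSAdministrativeUnit -All $true | Where-Object DisplayName -eq $AuName
if (-not $au) { throw "AU '$AuName' not found" }

# Desired state: every user whose department matches the rule. A single quote in an
# OData string literal is escaped by doubling it, so untrusted input cannot break the filter.
$odataValue = $Department -replace "'", "''"
$desired = @{}
Get-AzureADUser -Filter "department eq '$odataValue'" -All $true |
    ForEach-Object { $desired[$_.ObjectId] = $_.UserPrincipalName }

# Current state: everything assigned to the AU today (users and groups alike).
$current = @{}
Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true |
    ForEach-Object { $current[$_.Id] = $true }

$toAdd = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })

# Only remove *users* that no longer match. Groups assigned to the AU by hand are
# outside this rule and must be left alone, so resolve the candidates' object types
# first (Get-AzureADObjectByObjectId accepts at most 1000 IDs per call).
$toRemove   = @()
$candidates = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })
for ($i = 0; $i -lt $candidates.Count; $i += 1000) {
    $end = [Math]::Min($i + 999, $candidates.Count - 1)
    $toRemove += @(Get-AzureADObjectByObjectId -ObjectIds $candidates[$i..$end] |
                   Where-Object ObjectType -eq 'User' |
                   Select-Object -ExpandProperty ObjectId)
}

Write-Host ("AU '{0}': {1} to add, {2} to remove" -f $au.DisplayName, $toAdd.Count, $toRemove.Count)

foreach ($id in $toAdd) {
    if ($WhatIf) { Write-Host "  + $($desired[$id])"; continue }
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $id
}
foreach ($id in $toRemove) {
    if ($WhatIf) { Write-Host "  - $id"; continue }
    Remove-AzureADMSAdministrativeUnitMember -Id $au.Id -MemberId $id
}
```

Run it first with -WhatIf and review the delta before letting it write: because a scoped role applies to whatever is in the AU, a mistake in the rule silently widens (or narrows) what the delegated admins can touch.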
–
PowerShell
The Azure AD PowerShell module supports cmdlets to manage AUs through either the Azure AD Graph (deprecated!), using the *-AzureADAdministrativeUnit* cmdlets, or the Microsoft Graph (preferred!), using the *-AzureADMSAdministrativeUnit* cmdlets.
–
Cheers,
Jorge
————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
IAMTEC
Identity | Security | Recovery
https://iamtec.eu/
————————————————————————————————————————————————————-