- Azure AD without on-prem Windows Active Directory? - Mon, Oct 25 2021
- An overview of Azure security - Mon, Mar 29 2021
- An introduction to Azure AD administrative units - Wed, Jan 6 2021
The principle of least privilege states that users should have the minimum privileges necessary to perform a function or task. Minimal privileges are critical to securing any environment, including Azure AD. But for many organizations, Azure AD presents a problem. An organization may be divided by region, business unit, or department but rely on a single Azure AD tenant. How do they assign rights to a service desk for a specific region or department and limit access to only the users and groups they support?
For Windows AD, this problem is solved by delegation of control. A user or group is delegated rights to the organizational unit (OU) that contains the managed users and groups. Azure AD, however, is a flat directory and lacks OUs. This is the problem that Azure AD administrative units solve. Administrative units are containers for users and groups that enable delegating administrative rights to specific users.
Without Azure AD administrative units, assigning a user to the User Administrator role in Azure AD gives them rights to manage all Azure AD users. With administrative units, the user is delegated the same role, User Administrator, but that role only applies to the specified administrative unit. The administrative unit contains the users and groups that are under the scope of management.
Azure AD administrative units are a good option for enforcing the principle of least privilege, but there are some considerations. Unlike Windows AD OUs, where user objects exist in the OU, users are members of an administrative unit. This distinction is important because members have to be added or removed from an administrative unit to be included or excluded from the scope of management. Also, adding users to an administrative unit dynamically based on an object property is not supported.
Groups can also be added to the scope of management for an administrative group. Once added, group properties, members, and licensing settings can be updated. However, the users in that group are not included in the scope of management. Administrative unit management does not apply to the users in the group.
Administrative group inheritance
Lack of dynamic membership and group inheritance may appear to be significant limitations, but there is a good reason for these restrictions. The only roles that can create, manage, or remove administrative units are Global Admins and Privileged Role Admins.
If dynamic membership were allowed, it would be possible for someone other than a Global Admin or Privileged Role Admin to modify the user attribute and change administrative unit membership. For example, if an attribute such as "department" were sourced from Windows AD, a Windows AD Admin could modify the attribute and thereby change administrative unit membership. The same goes for group membership. If someone other than the Global Admin or Privileged Role Admin had the ability to change group membership, they could also modify administrative unit membership. Both of these scenarios would diminish the integrity of the administrative unit.
Below is a list of permissions available to manage administrative units along with the methods available for management. Notice that there is an option to bulk add and remove users based on a CSV file. Bulk operations by CSV file is a welcome option to update a large number of objects.
| Permissions | Graph PowerShell |
Azure Portal | Microsoft 365 Admin Portal |
| Creating and deleting administrative units | Supported | Supported | Not Supported |
| Adding and removing administrative unit members individually | Supported | Supported | Not Supported |
| Adding and removing administrative unit members in bulk by using CSV files | Not Supported |
Supported | No Plans to Support |
| Assigning administrative unit-scoped administrators | Supported | Supported | Not Supported |
| Adding and removing administrative unit members dynamically based on attributes | Not Supported |
Not Supported |
Not Supported |
Users are assigned roles to manage the administrative unit once it is created. Permissions and methods to administrate users and groups include:
| Permissions | Graph PowerShell |
Azure Portal | Microsoft 365 Admin Portal |
| Administrative unit-scoped management of user properties, passwords, and licenses | Supported | Supported | Supported |
| Administrative unit-scoped blocking and unblocking of user sign-ins | Supported | Supported | Supported |
| Administrative unit-scoped management of user multifactor authentication credentials | Supported | Supported | Not Supported |
Users and groups can exist in, and are managed from, the same administrative unit. As stated earlier, the scope of management does not extend to the users in the group. Users are added to the administrative unit individually or by a bulk operation. The permissions available for groups include:
| Permissions | Graph PowerShell |
Azure Portal | Microsoft 365 Admin Portal |
| Administrative unit-scoped management of group properties and members | Supported | Supported | Not Supported |
| Administrative unit-scoped management of group licensing | Supported | Supported | Not Supported |
The options available to manage the properties of users and groups are different depending on where they are sourced. A user or group sourced from Windows AD and replicated to Azure AD with Azure AD Connect has less manageable properties than a user or group sourced from Azure AD.
Administrative units and privileged identity management
Azure administrative units are integrated with privileged identity management (PIM). This reinforces the principle of least privilege with just-in-time administrative access to an administrative unit. Azure PIM allows for the management, control, and monitoring of elevated access to Azure AD resources, including administrative units.
Azure administrative units and PIM are both Azure AD Premium features. An Azure AD Premium license is required for administrative access to administrative units. Users managed by administrative units do not need an Azure AD Premium license. Administrative unit members only require the Azure AD free license to be managed.
Create an administrative unit
The steps below create an administrative unit, add an administrator, and add users to the administrative unit.
Create an administrative unit by logging in as a Global Admin or Privileged Identity Admin, and go to Azure AD in the Azure Portal. Next, go to Administrative units under Manage.
Administrative units in Azure AD
Click Add at the top of the Administrative Unit portal to start the Administrative Unit wizard. Enter a name and an optional description.
Administrative unit properties
To assign a role to manage the administrative unit, go on to Assign roles. Select a role to assign an administrative unit administrator. This example uses the User Administrator role.
Assign roles
Search for and select a user to assign the role. Click Add to create the assignment.
Add assignments
Go to Review + create to add the administrative unit and the role assignment. Click Create to finish the administrative unit.
Add administrative unit
Add a role assignment
Adding a user assignment when creating an administrative unit gives the user an active assignment. It is possible to make a user eligible by going into the administrative unit, then to Roles and administrators, and selecting a role.
Add eligible assignment
The Assignments page displays the option to view and add active or eligible assignments. Eligible assignments enable the user to elevate their account when needed, with the option to restrict the length of time the user is eligible for elevated privileges.
Eligible and active assignments
Add members to the administrative unit
Once the administrative unit is created and roles are assigned, the next step is to add users or groups to manage. Add users by going to Users or Groups from within the administrative unit.
Users and groups
Users and groups
Click Add from the Users or Groups page to search for and add a user or group.
Add user or group
Individually adding users works for a small number of users or groups, but most organizations need a more robust method for adding or removing users. That's what the Bulk Operations option is for.
Bulk operations
It is possible to add or remove users by a CSV file and download a list of current users in the administrative unit. Selecting Bulk add members displays three steps to help with the process. It provides a template with the headers needed in the CSV for the bulk add process. Below is an example of a template with three users added.
Bulk add template
Note that both the version number and the "userUpn" header are required for CSV file bulk operations.
Once finished modifying the CSV, upload it to add the users to the administrative unit.
Subscribe to 4sysops newsletter!
Conclusion
Administrative units address a common complaint with Azure AD. They provide a method to delegate administration using role-based access control to a subset of Azure AD users or groups. How you group those users will depend on your environment. While some organizations will find geographical boundaries suitable for administrative units, others may find departments or business units to be more suitable. For other organizations, a combination would work best. However, they are deployed, administrative units provide a way of maintaining the principle of least privilege.
A question on this.
The Administrative unit will restrict 'edit' access to the rest of AzureAD but it does not stop a priveledged role from seeing and opening objects outside the their Administrative unit from what I can tell.
Is there a way to restrict a user admin of an administrative unit to only see objects in that unit and not the whole of AzureAD?
Thanks
I don’t believe there is a way to prevent an account from viewing options in the directory.
Thanks Travis. I wish they would go one more step and stop that. They (MS) must have a good reason for not doing that already. I just can't think what it might be. It certainly goes against least privilege.