Tutorial / Cram Notes

Delegating administration in Azure Active Directory (Azure AD) through the use of administrative units is an effective approach to limit the scope of administrative tasks to specific departments, regions, or any logical part of an organization. Administrative units (AUs) can help organizations with large or complex environments to provide a more granular level of control and empower specific administrators to manage resources without granting them broad access across the entire directory.

Understanding Administrative Units

Administrative units are entities within Azure AD that provide a way to partition the directory so that administrative privileges can be delegated for the users, groups, and devices within them. This is particularly useful for multi-divisional organizations that require certain administrators to have control over only a subset of users and resources.

How to Configure Delegation with Administrative Units

Step 1: Create an Administrative Unit

The first step in configuring delegation for an administrative unit is to create the AU itself. This can be done via the Azure AD admin center or through PowerShell commands.

  1. Go to the Azure AD admin center.
  2. Navigate to Azure Active Directory > Administrative units.
  3. Select New administrative unit.
  4. Provide a name and description for the new administrative unit.
  5. Optionally, add members or other attributes.
  6. Select Create to finalize the creation of the administrative unit.

Step 2: Assign Roles to the Administrative Unit

Once the AU is created, you can assign roles to users or groups specifically within the context of that AU.

  1. Select the created administrative unit.
  2. Click on Roles and administrators.
  3. Choose Add role assignment.
  4. Pick the role you want to delegate, such as User Administrator or Groups Administrator.
  5. Select the members who will receive the role within the AU and confirm.

Step 3: Add Members to the Administrative Unit

Administrative units need members to manage, so add the users, groups, or devices that the delegated roles should apply to.

  1. Go back to the AU you created.
  2. Select Users, Groups, or Devices (available depending on the Azure AD plan).
  3. Click on Add and choose the users, groups, or devices to include in this AU.
  4. Confirm by adding the selected objects to the AU.

Managing Administrative Units

  • List all AUs in your organization.
  • View the roles assigned within each AU.
  • Edit or delete an administrative unit.
  • Move users, groups, or devices in and out of administrative units.

Best Practices and Considerations for Delegation

  1. Least Privilege Principle: Only grant the amount of access that users need to perform their jobs.
  2. Role Assignment Reviews: Periodically review role assignments and AUs to ensure they are still relevant and adequately secured.
  3. Logging and Auditing: Utilize Azure AD’s logs to audit changes within administrative units, ensuring accountability.
  4. Role Customization: Use Azure AD custom roles where applicable to tailor permissions to the exact needs of your environment.
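The "Managing Administrative Units" list above and the review and auditing practices in this section, as one added script (not code from the original notes) using the Microsoft Graph PowerShell SDK. It enumerates every AU, reports who holds which role scoped to that AU, flags AUs with no delegated role, and pulls the recent audit events for AU operations. The scope names and the audit-log category value are taken from Microsoft Graph; nothing in the tenant is modified.

```powershell
# Added example: periodic review of AU-scoped role assignments plus AU audit history.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph). Read-only scopes only.
Connect-MgGraph -Scopes 'AdministrativeUnit.Read.All', 'RoleManagement.Read.Directory', 'AuditLog.Read.All', 'Directory.Read.All'

# Cache role definition ids -> names so each assignment can be reported by role name.
$roleNames = @{}
foreach ($r in Get-MgRoleManagementDirectoryRoleDefinition -All) { $roleNames[$r.Id] = $r.DisplayName }

function Get-AuRoleReview {
    # For each AU, list the principals holding roles scoped to that AU. Tenant-wide ('/')
    # assignments are deliberately excluded: a regional admin should appear here, not there.
    foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
        $scope       = "/administrativeUnits/$($au.Id)"
        $assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '$scope'" -All)
        $memberCount = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All).Count

        foreach ($a in $assignments) {
            $props = (Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId).AdditionalProperties
            $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
            [pscustomobject]@{
                AdministrativeUnit = $au.DisplayName
                Members            = $memberCount
                Role               = $roleNames[$a.RoleDefinitionId]
                Principal          = $name
                AssignmentId       = $a.Id
            }
        }
        if ($assignments.Count -eq 0) {
            # An AU with members but no delegated role is either unused or misconfigured; worth a look.
            [pscustomobject]@{ AdministrativeUnit = $au.DisplayName; Members = $memberCount; Role = '(none)'; Principal = '-'; AssignmentId = '-' }
        }
    }
}

function Get-AuAuditEvents {
    param([int] $Days = 30)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    # The 'AdministrativeUnit' audit category covers AU create/delete, member add/remove and scoped role changes.
    Get-MgAuditLogDirectoryAudit -Filter "category eq 'AdministrativeUnit' and activityDateTime ge $since" -All |
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
            @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object DisplayName) -join ', ' } }
}

Get-AuRoleReview  | Format-Table -AutoSize
Get-AuAuditEvents | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the role review against the previous run: a new principal, a new role, or an AU that has lost all its assignments is exactly the change a role-assignment review should catch, and the audit query shows who made it and when.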

Example Scenario

Consider an organization with multiple geographic locations, each requiring its own regional admin. An AU can be created for each region — say, “North America” and “Europe.”

  • Create the AUs: “North America” and “Europe”.
  • Assign Roles: Delegate User Administrator roles within each AU to respective regional admins.
  • Add Members: Add users from each region to their respective AU.

This configuration enables regional admins to manage user-related tasks for their region only, thus maintaining organization-wide administrative separation.
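The three configuration steps above and this two-region scenario, scripted end to end as an added example (not code from the original notes) with the Microsoft Graph PowerShell SDK. The Add-AzureADAdministrativeUnitMember cmdlet mentioned later on this page belongs to the older AzureAD module, which has been superseded by the Mg* cmdlets used here. The region names, the regional admins' UPNs, the domain contoso.example, and the use of the users' country attribute to select members are assumptions for illustration.

```powershell
# Added example: one AU per region, members selected by country, User Administrator scoped to the AU.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Region names, admin UPNs and the 'country' attribute used to pick members are assumptions; adapt them.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Step 2 prerequisite: the built-in role to delegate, looked up by display name.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

function New-RegionalDelegation {
    param(
        [Parameter(Mandatory)] [string] $RegionName,
        [Parameter(Mandatory)] [string] $CountryCode,   # value of the users' 'country' attribute (one country per region here for simplicity)
        [Parameter(Mandatory)] [string] $AdminUpn
    )

    # Step 1: create the AU for the region.
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $RegionName `
          -Description "Delegated user administration for $RegionName"

    # Step 3: add every user whose country matches. 'country' supports $filter in Microsoft Graph.
    $members = @(Get-MgUser -Filter "country eq '$CountryCode'" -All -Property Id, UserPrincipalName)
    foreach ($u in $members) {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
            -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)" }
    }

    # Step 2: assign User Administrator with directoryScopeId set to this AU only.
    # A scope of '/' would grant the role tenant-wide, which is exactly what delegation is meant to avoid.
    $admin = Get-MgUser -UserId $AdminUpn -Property Id
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
        -RoleDefinitionId $roleDef.Id `
        -DirectoryScopeId "/administrativeUnits/$($au.Id)" | Out-Null

    [pscustomobject]@{
        Region      = $RegionName
        AuId        = $au.Id
        MemberCount = $members.Count
        Admin       = $AdminUpn
    }
}

# The scenario from the notes: one AU and one regional admin per region.
New-RegionalDelegation -RegionName 'North America' -CountryCode 'US' -AdminUpn 'na-admin@contoso.example'
New-RegionalDelegation -RegionName 'Europe'        -CountryCode 'DE' -AdminUpn 'eu-admin@contoso.example'
```

The important line is the DirectoryScopeId argument: the same role definition assigned with scope '/' is a tenant-wide User Administrator, while '/administrativeUnits/{id}' limits it to the objects in that AU, which is the separation the scenario describes.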

Summary

By configuring delegation via administrative units, organizations can achieve a more refined access management structure, directly aligning with governance policies and operational needs. Administrative units simplify management tasks, ensure security through the least-privilege methodology, and provide a manageable way to delegate roles and administer segments of an Azure AD tenant.

Because this is a topic of interest in the SC-300 Microsoft Identity and Access Administrator exam, candidates must understand the process of creating, managing, and leveraging administrative units for delegation, and know how to apply this knowledge in real-world scenarios.

Practice Test with Explanation

T/F: Administrative units can only contain users and cannot contain groups.

  • False

Administrative units can contain both users and groups, which allows for delegation of administrative tasks within a limited scope.

T/F: Permissions assigned through administrative units are only applicable within the specific administrative unit.

  • True

Administrative roles or permissions assigned through administrative units only allow the assigned administrators to manage users and groups within that particular administrative unit.

Which role is required to create administrative units?

  • A) Global Administrator
  • B) User Administrator
  • C) Privileged Role Administrator
  • D) All of the above

Answer: D) All of the above

Global Administrators, User Administrators, and Privileged Role Administrators can all create administrative units.

How can roles be assigned within an administrative unit?

  • A) Through Azure Active Directory
  • B) Only via PowerShell
  • C) Through Microsoft 365 admin center
  • D) A and C

Answer: D) A and C

Roles can be assigned within an administrative unit through both Azure Active Directory in the Azure portal and the Microsoft 365 admin center.

T/F: Administrative units support nested membership.

  • False

Administrative units do not support nested memberships, meaning that an administrative unit cannot contain other administrative units.

T/F: Once an administrative unit is created, you cannot change its name.

  • False

You can change the name of an administrative unit after it’s created by using the Azure portal or PowerShell.

Which PowerShell cmdlet is used to add a user to an administrative unit?

  • A) Add-AzureADUser
  • B) Add-AzureADAdministrativeUnitMember
  • C) Set-AzureADUser
  • D) New-AzureADUser

Answer: B) Add-AzureADAdministrativeUnitMember

The Add-AzureADAdministrativeUnitMember cmdlet is used to add a user as a member of an administrative unit.

What can be managed by a user that has been granted administrative rights over an administrative unit?

  • A) The entire Azure Active Directory
  • B) Only the objects within the administrative unit
  • C) Objects in any administrative unit in the directory
  • D) Management of other administrative units

Answer: B) Only the objects within the administrative unit

A user granted administrative rights over an administrative unit can only manage the users and groups within that particular unit.

T/F: An administrative unit can be used to delegate permissions across multiple Azure Active Directory tenants.

  • False

Administrative units are scoped to a single Azure Active Directory tenant and cannot be used to delegate permissions across multiple tenants.

What types of roles can be delegated within an administrative unit?

  • A) Built-in roles only
  • B) Custom roles only
  • C) Both built-in and custom roles
  • D) No roles can be delegated within an administrative unit

Answer: C) Both built-in and custom roles

Both built-in and custom roles can be delegated within an administrative unit.

T/F: License assignments can be delegated to an administrative unit administrator.

  • True

An administrative unit administrator can be given roles that allow them to manage license assignments for users within the administrative unit.

Which of the following statements is true regarding the deletion of administrative units?

  • A) Administrative units can be deleted at any time without affecting their members.
  • B) Deleting an administrative unit automatically deletes all its members.
  • C) The administrative unit must be empty before it can be deleted.
  • D) Administrative units cannot be deleted.

Answer: A) Administrative units can be deleted at any time without affecting their members.

Deleting an administrative unit does not delete its members; users and groups simply lose the scope of management that was provided by the administrative unit.

Interview Questions

What is an administrative unit in Azure Active Directory (Azure AD)?

An administrative unit is a container that can be used to delegate administrative tasks to specific groups or users within an organization. Each administrative unit can have its own set of administrative roles and permissions.

How can you create an administrative unit in Azure AD?

To create an administrative unit in Azure AD, you can navigate to the “Administrative units” blade in the Azure portal, click on the “Add” button, and provide a name and description for the new administrative unit.

How can you add members to an administrative unit in Azure AD?

To add members to an administrative unit in Azure AD, you can navigate to the “Administrative units” blade, select the administrative unit you want to modify, click on the “Members” tab, and then click on “Add members” to select the users or groups you want to add.

How can you configure administrative roles and permissions for an administrative unit in Azure AD?

To configure administrative roles and permissions for an administrative unit in Azure AD, you can navigate to the “Administrative units” blade, select the administrative unit you want to modify, click on the “Roles” tab, and then click on “Add assignment” to select the administrative role you want to assign.

What are some common administrative roles in Azure AD, and what permissions do they provide?

Some common administrative roles in Azure AD include Global administrator, User administrator, Group administrator, and Application administrator. The Global administrator role provides full access to all administrative features in Azure AD, while the User administrator role allows users to manage user accounts and the Group administrator role allows users to manage groups.

How can you remove members from an administrative unit in Azure AD?

To remove members from an administrative unit in Azure AD, you can navigate to the “Administrative units” blade, select the administrative unit you want to modify, click on the “Members” tab, and then select the user or group you want to remove and click on “Remove.”

How can you remove an administrative role assignment from an administrative unit in Azure AD?

To remove an administrative role assignment from an administrative unit in Azure AD, you can navigate to the “Administrative units” blade, select the administrative unit you want to modify, click on the “Roles” tab, and then select the role assignment you want to remove and click on “Remove assignment.”
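The two removal answers above, together with the practice question on deleting administrative units, as one added example (not code from the original notes) using the Microsoft Graph PowerShell SDK. It removes a member from an AU, removes the role assignments scoped to that AU, deletes the AU, and then confirms that the user account itself survives. The AU name, the user's UPN and the domain contoso.example are assumptions.

```powershell
# Added example: reverse a delegation and confirm that deleting the AU does not delete its members.
# Requires the Microsoft.Graph PowerShell SDK. AU name and UPN below are assumptions.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$auName  = 'Europe'
$userUpn = 'alice@contoso.example'      # member to remove from the AU

$au   = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
$user = Get-MgUser -UserId $userUpn -Property Id, UserPrincipalName

# 1. Remove one member. Only the membership reference is deleted; the user object is untouched.
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -DirectoryObjectId $user.Id

# 2. Remove every role assignment scoped to the AU, so no delegated admin keeps a dangling assignment.
$scope = "/administrativeUnits/$($au.Id)"
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '$scope'" -All |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }

# 3. Delete the AU itself. Its remaining members are not deleted; they just leave this management boundary.
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id

# Verify the point the practice question makes: the user still exists after the AU is gone.
$stillThere = Get-MgUser -UserId $userUpn -Property Id -ErrorAction SilentlyContinue
"User $userUpn exists after AU deletion: $([bool]$stillThere)"
```

Removing the scoped assignments before the AU is deleted keeps a later role-assignment review clean, and the final lookup is the practical demonstration that AU membership is a scoping relationship, not ownership of the object.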

How can you view the administrative units that exist in Azure AD?

To view the administrative units that exist in Azure AD, you can navigate to the “Administrative units” blade in the Azure portal.

Can you nest administrative units within other administrative units in Azure AD?

Yes, it is possible to nest administrative units within other administrative units in Azure AD.

How can you audit administrative unit changes in Azure AD?

To audit administrative unit changes in Azure AD, you can use the Azure AD audit logs, which provide detailed information about changes to administrative units and role assignments.

19 Comments
Cecil Steward
1 year ago

How exactly do Administrative Units help in delegating permissions?

Naomi Gauthier
10 months ago

Is there a limit to the number of Administrative Units I can create?

Arlene Sanders
1 year ago

Can I nest Administrative Units within each other?

Johann Haberland
1 year ago

Thanks for the post!

Agathe David
1 year ago

Can administrators outside of an Administrative Unit view or manage that AU?

Dolores Leroy
8 months ago

What types of roles can be assigned within an Administrative Unit?

Şüheda Verschuren

I encountered an error while creating an AU, any solutions?

Orhip Otkovich
9 months ago

Can AUs be used to segregate administrative tasks in a hybrid environment?
