Azure AD – Protect your directory better by using Administrative Units (Preview)

Martin Wüthrich Azure AD, Office365

The Azure AD administrative units are in Preview since a while, but lastly they got an update and I decided to check the opportunities that it might gives. Right from the bat, this feature has still a lot of possible improvement, I list those which would affect me the most at the end of the blog. But beside this, there are some neat use cases where I would configure Administrative Units.

Protect service accounts
Since the user administrator role can reset nearly every users password within the Azure AD (exceptions are Global Admin role members and more, see Azure AD User Administrator; thanks to nicola for the correction), it is very unlikely that you want to have a lot of administrators having that role. With Azure AD administrative units, you can add add regular users to a administrative unit. On this administrative unit you then can safely assign the User Administrator role to a technician, without giving the opportunity to gain access to an account with higher permissions. The following roles can be assigned within an administrative unit:

You can add a user to multiple administrative units, which allows to create a well designed delegation model for users and groups in Azure Active Directory.

Region based administration
Assuming you are a company which operates around the world, you might want to restrict administrative access for IT technicians to their corresponding region. With Azure AD administrative units you can exactly do that. As outlined above, a user can be member of multiple Administrative units. For example, you have three regions (America, Europe and Asia) and a central IT organization. You might want to allow the following:

  • Admin from region America can modify accounts and groups from the America region
  • Admin from region Europe can modify accounts and groups from the Europe region
  • Admin from region Asia can modify accounts and groups from the Asia region
  • Admin from central IT can modify all accounts and groups

To achieve this, you simply need to create 4 different administrative units, and adding the region accounts to their corresponding administrative unit, and also add all users to the central IT unit. Then you only need to add your admin accounts to the roles of the administrative unit.
And if you have to handle such a huge amount of accounts, you might not be able to add the user accounts manually, but since you can not nest a group nor the members can be added dynamically, you might want to use Microsoft Graph API to modify your members.

Use Microsoft Graph API to modify members
You can use the new Microsoft Graph module (Install-Module -Name Microsoft.Graph -Scope CurrentUser) to create a new Administrative unit. On the time of writing the blog, I was not able to find information on the cmdlet “New-MgAdministrativeUnit”, thus I was not able to execute this command successfully. Instead I used Invoke-GraphRequest from the Microsoft.Graph module. See this blog from Nicola Suter how to configure your Azure AD app registration and using a certificate to authenticate: Exploring the new Microsoft Graph PowerShell Module(s)
You need to add the following permissions to your app registration, to be able to read and modify Azure AD administrative units:

  • AdministrativeUnit.Read.All
  • AdministrativeUnit.ReadWrite.All


With the following lines of code, you can the create a new administrative unit (which would also be possible through the azure portal):

$TenantID = "your tenant ID"
$ApplicationID = "your application ID from the app registration"
Connect-Graph -TenantId $TenantID -ClientId $ApplicationID -CertificateThumbprint "your cert thumbprint which you have uploaded to the app registration"
$content = @{
"displayName"= "Hosebei Asia Division"
"description"= "Hosebei Asia Division administrative unit"
"visibility"= "HiddenMembership"
} | convertto-json
Invoke-GraphRequest -URI "https://graph.microsoft.com/beta/administrativeUnits" -Method POST -Body $content

As you might ask yourself, what the visibility parameter does: An admin assigned to an Administrative unit will see only accounts within this administrative unit. Other users and groups are not visible to this user. See this blog: Managing Azure AD Administrative Units via the Graph API
Since you can also add accounts and groups to administrative units by Graph, you can automate the member assignment.

Here are my biggest issues with administrative units (I added the link to a corresponding user voice item, please vote on them):

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.