Tutorial / Cram Notes
An administrative unit (AU) in Azure AD (now Microsoft Entra ID) is a container that can hold users, groups, and devices; an AU cannot contain other AUs. You delegate administrative responsibility by assigning a directory role with the AU as its scope, which confines the role’s permissions to the members of that unit. For example, a departmental IT admin can be given control over the user accounts in their department’s AU without extending that control to the entire directory.
Creating Administrative Units
Here’s how to create an administrative unit:
- Sign in to the Azure portal as a Global Administrator or Privileged Role Administrator.
- Navigate to Azure Active Directory > Administrative units.
- Select “New administrative unit”.
- Provide a name and an optional description for the administrative unit.
- Review the information and click “Create”.
Once an AU is created, you can start adding users, groups, and devices to it as members.
Adding Members to an Administrative Unit
To add members such as users, groups, or devices to an AU, follow these steps:
- Navigate to the specific administrative unit in the Azure portal.
- Under Manage in the administrative unit’s blade, select “Users”, “Groups”, or “Devices”.
- Click the add action on that tab (for example “Add member” on the Users tab).
- Search for and select the objects you wish to add.
- Click “Select” to add them to the administrative unit.
Assigning Roles to Administrative Units
Role assignment at AU scope is what lets an administrator perform specific tasks on the unit’s members and nothing beyond them:
- Within the AU, select “Roles and administrators”.
- Choose the role you want to assign, such as “User Administrator” or “Groups Administrator” (this blade lists only the roles that support AU scope).
- Click “Add assignments”.
- Search for the user you want to assign to the role.
- Select the user and click “Add”.
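The same three steps can be scripted against the Microsoft Graph v1.0 API, which is what the portal calls underneath. The Python below is an added example written for these notes, not code from the page or from Microsoft. The endpoints, request bodies, and the directoryScopeId form are the real Graph ones, and the role template ids are Microsoft's fixed built-in ids (identical in every tenant); the object ids in the sample run are made up, and the transport is a recording stand-in so the flow runs without a tenant. Swap in graph_transport with a real access token to execute it for real.

```python
"""Create an administrative unit, add members, and assign an AU-scoped role
through the Microsoft Graph v1.0 API (the same calls the portal makes)."""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# Microsoft's fixed role template ids (identical in every tenant). Only the
# first three accept administrative-unit scope; Global Administrator is listed
# so the guard below has something to reject.
ROLE_TEMPLATES = {
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Groups Administrator": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
    "Helpdesk Administrator": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
}
AU_SCOPABLE = {"User Administrator", "Groups Administrator", "Helpdesk Administrator"}

Body = Optional[Dict[str, Any]]
Transport = Callable[[str, str, Body], Dict[str, Any]]   # (method, url, body) -> JSON


def graph_transport(bearer_token: str) -> Transport:
    """Real transport: sends each request to Graph with the given access token
    (it needs AdministrativeUnit.ReadWrite.All and RoleManagement.ReadWrite.Directory)."""
    def send(method: str, url: str, body: Body) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:      # raises HTTPError on 4xx/5xx
            raw = resp.read()
        return json.loads(raw) if raw else {}          # $ref adds return 204 with no body
    return send


class RecordingTransport:
    """Offline stand-in used in this example: records every call and returns a
    made-up id, so the flow runs without a tenant."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Body]] = []

    def __call__(self, method: str, url: str, body: Body) -> Dict[str, Any]:
        self.calls.append((method, url, body))
        return {"id": f"fake-{len(self.calls)}"}


def create_admin_unit(send: Transport, name: str, description: str = "") -> str:
    """POST /directory/administrativeUnits and return the new AU's object id."""
    body = {"displayName": name, "description": description}
    return send("POST", f"{GRAPH}/directory/administrativeUnits", body)["id"]


def add_member(send: Transport, au_id: str, kind: str, object_id: str) -> None:
    """Add a user, group or device. Membership is a navigation link, so the body
    is an @odata.id reference posted to the $ref endpoint, not a copy of the object."""
    if kind not in ("users", "groups", "devices"):
        raise ValueError(f"{kind!r} cannot be an AU member (only users, groups, devices)")
    send("POST", f"{GRAPH}/directory/administrativeUnits/{au_id}/members/$ref",
         {"@odata.id": f"{GRAPH}/{kind}/{object_id}"})


def assign_scoped_role(send: Transport, au_id: str, role_name: str,
                       principal_id: str) -> Dict[str, Any]:
    """Assign a built-in role with directoryScopeId confined to the AU. A scope
    of "/" would grant the same role tenant-wide; this helper never emits that,
    and it refuses roles that Graph would not accept at AU scope anyway."""
    if role_name not in AU_SCOPABLE:
        raise ValueError(f"{role_name} cannot be scoped to an administrative unit")
    body = {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "principalId": principal_id,
        "roleDefinitionId": ROLE_TEMPLATES[role_name],
        "directoryScopeId": f"/administrativeUnits/{au_id}",
    }
    return send("POST", f"{GRAPH}/roleManagement/directory/roleAssignments", body)


def provision_department(send: Transport, dept: str, user_ids: List[str],
                         group_ids: List[str], support_admin_id: str) -> str:
    """The tutorial's three steps end to end; returns the AU id."""
    au_id = create_admin_unit(send, f"{dept} AU", f"Delegated admin scope for {dept}")
    for uid in user_ids:
        add_member(send, au_id, "users", uid)
    for gid in group_ids:
        add_member(send, au_id, "groups", gid)
    assign_scoped_role(send, au_id, "User Administrator", support_admin_id)
    return au_id


if __name__ == "__main__":
    # Constructed ids; replace RecordingTransport() with graph_transport(token) for a real run.
    rec = RecordingTransport()
    provision_department(rec, "Finance", ["user-1", "user-2"], ["group-1"], "support-admin-1")
    for method, url, body in rec.calls:
        print(method, url.replace(GRAPH, ""), json.dumps(body))
```

The detail worth noticing is the last request: an AU-scoped assignment and a tenant-wide one go to the same roleAssignments endpoint and differ only in directoryScopeId, so a script that builds that value by hand is one typo away from granting the role across the whole directory.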
Examples of Role Assignments in Administrative Units
Role | Permission Level | Example Use Case |
---|---|---|
User Administrator | Manage user accounts and reset passwords for non-admin users in the AU | Department IT support |
Groups Administrator | Manage groups and group memberships in the AU | Project team leaders |
Helpdesk Administrator | Reset passwords and invalidate refresh tokens for non-admin users in the AU | Regional service desk |
License Administrator | Assign and remove licences for users in the AU | Licensing team |
By tailoring these role assignments, organizations can give support staff the administrative access they need without compromising broader security or administrative control. Tenant-wide roles such as Global Administrator, Application Administrator, and Global Reader cannot be scoped to an AU; the AU’s “Roles and administrators” blade lists only the roles that support AU scope.
Limitations and Considerations
- Administrative units are a premium feature: each administrator who manages an AU or holds an AU-scoped role needs an Azure AD Premium P1 or P2 licence (AU members need no additional licence).
- Not all directory roles can be scoped to an AU. Tenant-wide roles such as Global Administrator and Application Administrator cannot, and a custom role assigned at AU scope must be built from permissions that act on users, groups, or devices.
- An AU can contain only users, groups, and devices. It does not scope applications, and it has no effect on Azure Resource Manager resources such as subscriptions, resource groups, or VMs, which are governed by Azure RBAC instead.
- Limits apply to the number of AUs per tenant (500) and to the number of AUs a single object can belong to, so plan the unit structure rather than creating an AU per team ad hoc.
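Because an AU-scoped assignment and a tenant-wide one are both just roleAssignments that differ only in directoryScopeId, delegated roles are easily granted at "/" out of habit, which silently defeats the point of the AU. The Python below is an added review script written for these notes, not code from the page or from Microsoft. It reads records in the shape Graph returns from GET /roleManagement/directory/roleAssignments and flags tenant-wide grants of roles that could have been confined to an AU. The principal and AU ids are constructed sample data; the three role template ids are Microsoft's fixed built-in ones.

```python
"""Least-privilege review of directory role assignments as returned by
GET /roleManagement/directory/roleAssignments: separate tenant-wide grants
from administrative-unit-scoped ones and flag the tenant-wide grants of roles
that could have been confined to an AU."""
from collections import defaultdict
from typing import Any, Dict, List, Set

# Built-in roles that can be assigned at administrative-unit scope.
AU_SCOPABLE = {
    "Authentication Administrator", "Cloud Device Administrator",
    "Groups Administrator", "Helpdesk Administrator", "License Administrator",
    "Password Administrator", "Printer Administrator",
    "Privileged Authentication Administrator", "SharePoint Administrator",
    "Teams Administrator", "Teams Devices Administrator", "User Administrator",
}

AU_PREFIX = "/administrativeUnits/"


def scope_kind(directory_scope_id: str) -> str:
    """Graph's directoryScopeId convention: "/" is the whole tenant and
    "/administrativeUnits/<id>" is one AU; anything else is another
    object-level scope and is treated as already narrowed."""
    if directory_scope_id == "/":
        return "tenant"
    if directory_scope_id.startswith(AU_PREFIX):
        return "au"
    return "other"


def review_assignments(assignments: List[Dict[str, Any]],
                       role_names: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Bucket each assignment:
      narrowable  - tenant-wide, but the role supports AU scope: review these
      tenant_only - tenant-wide, and the role cannot be AU-scoped
      scoped      - already confined to an AU or another object scope"""
    buckets: Dict[str, List[Dict[str, str]]] = {"narrowable": [], "tenant_only": [], "scoped": []}
    for a in assignments:
        role = role_names.get(a["roleDefinitionId"], a["roleDefinitionId"])
        entry = {"principalId": a["principalId"], "role": role, "scope": a["directoryScopeId"]}
        if scope_kind(a["directoryScopeId"]) != "tenant":
            buckets["scoped"].append(entry)
        elif role in AU_SCOPABLE:
            buckets["narrowable"].append(entry)
        else:
            buckets["tenant_only"].append(entry)
    return buckets


def aus_administered_by(assignments: List[Dict[str, Any]]) -> Dict[str, Set[str]]:
    """principalId -> AU ids in which that principal holds any role; useful for
    spotting an admin who has quietly accumulated scope across many units."""
    result: Dict[str, Set[str]] = defaultdict(set)
    for a in assignments:
        if scope_kind(a["directoryScopeId"]) == "au":
            result[a["principalId"]].add(a["directoryScopeId"][len(AU_PREFIX):])
    return dict(result)


# Constructed sample data in the shape of the Graph responses. Principal and AU
# ids are made up; the role template ids are Microsoft's fixed built-in ones
# (in a real run, build ROLE_NAMES from GET /roleManagement/directory/roleDefinitions).
ROLE_NAMES = {
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
    "fdd7a751-b60b-444a-984c-02652fe8fa1c": "Groups Administrator",
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
}
SAMPLE_ASSIGNMENTS = [
    {"principalId": "helpdesk-emea", "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
     "directoryScopeId": "/administrativeUnits/au-emea"},
    {"principalId": "helpdesk-apac", "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
     "directoryScopeId": "/"},                        # granted tenant-wide by habit
    {"principalId": "project-lead", "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
     "directoryScopeId": "/administrativeUnits/au-projects"},
    {"principalId": "breakglass", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
     "directoryScopeId": "/"},                        # tenant-only role; cannot be narrowed
]

if __name__ == "__main__":
    for bucket, entries in review_assignments(SAMPLE_ASSIGNMENTS, ROLE_NAMES).items():
        for e in entries:
            print(f"{bucket:12} {e['principalId']:14} {e['role']:22} {e['scope']}")
    print(aus_administered_by(SAMPLE_ASSIGNMENTS))
```

On the sample data the only "narrowable" finding is helpdesk-apac, whose User Administrator role was granted at "/" even though the same role is AU-scoped for the EMEA counterpart; the break-glass Global Administrator is reported separately because no AU scope exists for it.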
Conclusion
Administrative units enable organizations to delegate administrative tasks with a level of precision suitable to their structural complexity. By allowing role assignments within a confined scope, AUs can help maintain a secure and orderly Azure environment, ensuring that administrative access is distributed appropriately without unnecessary elevation of permissions. This contributes towards a minimized risk footprint and adherence to the principle of least privilege in access management.
Practice Test with Explanation
True or False: Administrative Units (AUs) in Azure allow for the management of users only, not resources like VMs or storage accounts.
- True
Administrative Units are designed primarily to delegate administrative tasks on users, groups, and devices, not Azure resources like VMs or storage accounts.
Which of the following Azure roles can create Administrative Units?
- A) Global Administrator
- B) User Administrator
- C) Azure Support Request Contributor
- D) Security Reader
Answer: A
Global Administrators (and Privileged Role Administrators) have the permissions needed to create Administrative Units. User Administrator and Security Reader do not, and Azure Support Request Contributor is an Azure RBAC role for resources, not a directory role.
True or False: Once created, the name of an Administrative Unit can be changed at any time.
- True
Azure allows the name of an Administrative Unit to be changed after its creation through the Azure portal, PowerShell, or the Microsoft Graph API.
Which Azure AD roles can be scoped to Administrative Units?
- A) Global Administrator
- B) User Administrator
- C) Application Administrator
- D) All of the above
Answer: B
Only roles whose permissions act on users, groups, or devices (User Administrator, Groups Administrator, Helpdesk Administrator, and similar) can be scoped to an AU. Global Administrator and Application Administrator are tenant-wide roles and cannot be assigned at AU scope.
True or False: Administrative Units can be nested within one another, just like Organizational Units in Active Directory.
- False
Administrative Units in Azure AD cannot be nested within each other unlike Organizational Units in Active Directory.
How many Administrative Units can be created in a single Azure AD organization?
- A) 10
- B) 30
- C) 50
- D) 500
Answer: D
Microsoft documents a limit of 500 Administrative Units per Azure AD tenant.
True or False: You can assign the same role to a user in multiple Administrative Units.
- True
A user can be assigned the same role in multiple Administrative Units, allowing for granular access control across different units.
What is required to access the Administrative Units feature in Azure AD?
- A) Azure AD Free license
- B) Azure AD Premium P1 or P2 license
- C) Office 365 subscription
- D) Microsoft 365 E3 or E5 license
Answer: B
The Administrative Units feature requires an Azure AD Premium P1 or P2 license.
True or False: Global reader role can view Administrative Units but cannot manage them.
- True
The Global reader role has view-only permissions and can see Administrative Units but is not able to manage them.
Which of the following actions can be scoped within an Administrative Unit?
- A) Managing resource groups
- B) Resetting passwords for users
- C) Deploying Azure VMs
- D) Assigning roles to Azure resources
Answer: B
Administrative Units scope administrative tasks, such as resetting passwords for users, rather than managing Azure resources or roles on resources.
True or False: Custom roles can be created and scoped to an Administrative Unit.
- True
A custom role can be assigned at AU scope as long as it is built from permissions that act on users, groups, or devices. The role definition itself is still created tenant-wide; it is the assignment that carries the AU as its scope.
Which of the following is a use case for Administrative Units?
- A) Consolidating billing for multiple subscriptions
- B) Delegating permissions to manage users in specific departments
- C) Implementing resource locks at the subscription level
- D) Enabling multi-factor authentication for all users
Answer: B
A common use case for Administrative Units is to delegate permissions to manage users and groups within specific departments or geographic regions.
Interview Questions
What are administrative units in Azure Active Directory?
Administrative units (AUs) in Azure AD are containers used to organize and delegate administrative tasks to specific groups of administrators. An AU lets you confine a role assignment to a specific set of users, groups, or devices within your organization.
How can you create an administrative unit in Azure AD?
To create an administrative unit in Azure AD, navigate to the “Azure Active Directory” section in the Azure portal, select “Administrative units”, and then click “New administrative unit”. Enter a name and an optional description for the administrative unit, then add members and scoped role assignments as needed.
What is the purpose of creating administrative units in Azure AD?
The purpose of creating administrative units in Azure AD is to delegate administrative tasks over a subset of the directory (for example, one department’s users and groups) to specific administrators, so that those administrators do not need tenant-wide roles.
Can you assign custom roles to members of an administrative unit in Azure AD?
Yes. Besides the built-in roles that support AU scope, a custom role whose permissions act on users, groups, or devices can be assigned with an administrative unit as its scope.
How can you manage the members of an administrative unit in Azure AD?
You can manage the members of an administrative unit in Azure AD by navigating to the “Members” tab of the administrative unit, and then adding or removing members as needed.
Can you assign more than one role to a member of an administrative unit in Azure AD?
Yes, you can assign more than one role to a member of an administrative unit in Azure AD, depending on the specific permissions and tasks required.
What types of resources can you control access to using administrative units in Azure AD?
Administrative units contain users, groups, and devices, so the roles you scope to an AU act only on those objects. Applications cannot be AU members, and Azure resources such as VMs or storage accounts are outside the reach of AUs entirely.
How can you assign an administrative unit to an Azure AD application?
You cannot. Applications are not a supported member type for administrative units; only users, groups, and devices can be added. To delegate management of an application, use the application’s own owner assignment or a tenant-wide role such as Application Administrator.
How can you delete an administrative unit in Azure AD?
To delete an administrative unit in Azure AD, you can navigate to the “Administrative units” section of the Azure AD portal, select the administrative unit you want to delete, and then click on the “Delete” button. You will be prompted to confirm the deletion before the administrative unit is deleted.
Can you create a nested administrative unit in Azure AD?
No. Administrative units cannot be nested; each AU is a flat container of users, groups, and devices. To cover overlapping needs, the same object can be a member of several AUs at once.
How can you view the members of an administrative unit in Azure AD?
You can view the members of an administrative unit in Azure AD by navigating to the “Members” tab of the administrative unit in the Azure AD portal.
Can you assign roles to an entire administrative unit in Azure AD?
Yes. In the AU’s “Roles and administrators” tab, pick a role that supports AU scope and add the assignment; the assignee then holds that role over the AU’s members only, not over the whole directory.
How can you assign an administrative unit to a group in Azure AD?
To assign an administrative unit to a group in Azure AD, you can navigate to the “Groups” section of the Azure AD portal, select the group you want to assign the administrative unit to, and then select the “Administrative units” option. From there, you can assign the administrative unit to the group.
Creating administrative units in Azure AD is a great way to delegate administrative tasks without giving too much power.
How do administrative units differ from resource groups in Azure?
Thanks for this detailed post on administrative units!
Can we link an administrative unit directly to a subscription?
I prefer using resource groups over administrative units. They seem more flexible to me.
Great insights on administrative units, very helpful!
Is there a way to automate the assignment of users to administrative units?
I had trouble applying policies using administrative units. They seem complex.