Tutorial / Cram Notes

An administrative unit (AU) is a container that helps organizations scope administrative permissions to a subset of users. This is useful for large organizations with multiple departments, offices, or different geographical locations, as it allows them to delegate administration tasks while maintaining control over what administrators can do within their scope.

Creating and Managing Administrative Units

To create an administrative unit, an Azure AD Premium P1 or P2 license is required. Here are the steps to create an AU:

  1. Sign in to the Azure portal.
  2. Navigate to Azure Active Directory > Administrative Units.
  3. Select the “New administrative unit” option.
  4. Provide a name and description for the administrative unit.
  5. Click “Create” to create the administrative unit.

Once an administrative unit has been created, the next step is adding members and assigning roles:

  • Add Members: Select your administrative unit and go to “Members” to add users or groups to the AU.
  • Assign Roles: In the administrative unit, select “Roles and administrators” to assign specific roles to users or groups within the AU.

Administrative roles can be scoped to an AU, such that an administrator will only manage a subset of users and resources.

Roles That Can Be Assigned to Administrative Units

Azure Active Directory offers a variety of roles that can be scoped to administrative units. Here is a comparison:

Role                      | Description                                          | Scope
--------------------------|------------------------------------------------------|--------------------
User Administrator        | Manages identity features like users and groups      | Can be scoped to AU
Helpdesk Administrator    | Manages user passwords and support tickets           | Can be scoped to AU
Groups Administrator      | Manages group properties and memberships             | Can be scoped to AU
Application Administrator | Manages application registrations and attributes     | Can be scoped to AU

Using PowerShell to Manage Administrative Units

Azure PowerShell can also be used to manage administrative units. Administrators can automate the creation, editing, and deletion of AUs along with managing members and roles.

Example commands:

  • Create an AU:
    New-AzureADAdministrativeUnit -DisplayName "UnitName" -Description "UnitDescription"
  • Add a member to an AU (the first ObjectId is the AU, the RefObjectId is the user or group being added):
    Add-AzureADAdministrativeUnitMember -ObjectId "AUObjectId" -RefObjectId "UserObjectId"
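The following script is an added example (not part of the original notes) that strings the two commands above together with the steps the portal walkthrough describes: create the AU only if it does not already exist, add a member, scope the User Administrator role to that AU, and then list the scoped role assignments so the delegation can be reviewed. It assumes the AzureAD PowerShell module (now in retirement in favour of Microsoft Graph PowerShell) and an account permitted to manage AUs; the AU name and the UPNs are constructed placeholders.

```powershell
# Added example: provision an AU, add a member, scope a role to it, and review.
# Assumes the AzureAD module; names and UPNs below are constructed placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$auName      = 'Contoso-Finance'                 # constructed placeholder
$memberUpn   = 'finance.user@contoso.example'    # constructed placeholder
$scopedAdmin = 'finance.admin@contoso.example'   # constructed placeholder

# Create the AU only if it does not already exist, so the script is safe to re-run.
$au = Get-AzureADAdministrativeUnit -Filter "displayName eq '$auName'"
if (-not $au) {
    $au = New-AzureADAdministrativeUnit -DisplayName $auName `
            -Description 'Finance department users (delegated admin scope)'
}

# Add a user as a member of the AU (ObjectId = the AU, RefObjectId = the user).
$member = Get-AzureADUser -ObjectId $memberUpn
Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $member.ObjectId

# Scope the User Administrator role to this AU only. A built-in role must be
# activated from its template before it can be assigned in the tenant.
$roleTemplate = Get-AzureADDirectoryRoleTemplate |
    Where-Object DisplayName -eq 'User Administrator'
$role = Get-AzureADDirectoryRole |
    Where-Object RoleTemplateId -eq $roleTemplate.ObjectId
if (-not $role) {
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
}

$roleMember = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
$roleMember.ObjectId = (Get-AzureADUser -ObjectId $scopedAdmin).ObjectId
Add-AzureADScopedRoleMembership -ObjectId $au.ObjectId `
    -RoleObjectId $role.ObjectId -RoleMemberInfo $roleMember

# Review step: list who holds which role inside this AU. This is the output a
# periodic audit compares against the intended delegation for the unit.
Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId |
    ForEach-Object {
        [pscustomobject]@{
            AU     = $auName
            Role   = (Get-AzureADDirectoryRole -ObjectId $_.RoleObjectId).DisplayName
            Member = $_.RoleMemberInfo.DisplayName
        }
    } | Format-Table -AutoSize
```

Because the role assignment is scoped to the AU rather than the whole tenant, the scoped administrator can manage only the users placed in this unit, which is the least-privilege outcome the best-practices list below is aiming for.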

Best Practices for Managing Administrative Units

  • Limit Scope: Only give administrative permissions over the subset of users that the admin needs to manage.
  • Review Regularly: Conduct regular audits of administrative units, memberships, and role assignments.
  • Least Privilege Access: Assign the least privilege necessary for users to perform their duties.

Benefits of Using Administrative Units

Using administrative units offers several advantages:

  • Delegated Administration: Administrative workloads can be divided among more staff, reducing the risk of errors and overprivileged accounts.
  • Organizational Structure: Reflects an organization’s internal structure within the Azure management model.
  • Enhanced Security: Limits the scope of what administrators can manage, reducing the impact of potential security breaches.

Conclusion

Understanding and managing administrative units is an essential skill for Azure security and a competency area in the AZ-500 Microsoft Azure Security Technologies exam. By effectively managing administrative units, organizations can ensure that administration is delegated securely, aligning with the principles of least-privilege access and role-based administration. AUs help maintain order and clarity in large organizations, enabling granular control over resources and user management in Azure Active Directory.

Practice Test with Explanation

True or False: Administrative units in Azure AD can only be managed using Azure Portal.

  • True
  • False

Answer: False

Explanation: Administrative units can be managed using the Azure Portal, but they can also be managed via PowerShell and Azure AD Graph API.

Which Azure role is specifically required to manage members within an administrative unit?

  • Global Administrator
  • User Administrator
  • Administrative Unit Administrator
  • Security Administrator

Answer: Administrative Unit Administrator

Explanation: An Administrative Unit Administrator role is specifically designated for managing members within an administrative unit.

True or False: Administrative units can contain users from multiple Azure AD organizations.

  • True
  • False

Answer: False

Explanation: Administrative units are scoped to a single Azure AD organization and cannot contain users from multiple organizations.

Which of these scopes can administrative units be used to manage?

  • Users
  • Groups
  • Roles
  • All of the above

Answer: All of the above

Explanation: Administrative units can be used to manage users, groups, and roles within the defined scope of the administrative unit.

True or False: Administrative units in Azure AD allow for a delegation of administrative tasks to different users without granting them full administrative rights.

  • True
  • False

Answer: True

Explanation: Administrative units allow for a more granular delegation of administrative tasks to users without needing to grant them full administrative rights.

How can an administrative unit member manage access to resources within the unit?

  • By changing the global access settings
  • By assigning roles to other members within the administrative unit
  • Through direct modification of resource policy configuration
  • Members cannot manage access to resources within the unit

Answer: By assigning roles to other members within the administrative unit

Explanation: Members of an administrative unit can manage access to resources by assigning roles to other members within the scope of the administrative unit.

Can a user assigned to an administrative unit add members to that administrative unit?

  • Yes, if they have the Administrative Unit Administrator role
  • Yes, if they are a Global Administrator
  • No, only a user with the Privileged Role Administrator role can add members
  • No, members of an administrative unit cannot add other members regardless of their role

Answer: Yes, if they have the Administrative Unit Administrator role

Explanation: A user with the Administrative Unit Administrator role can add members to that administrative unit.

True or False: Users can be a part of multiple administrative units at the same time.

  • True
  • False

Answer: True

Explanation: Users can be members of multiple administrative units simultaneously, allowing for flexible administrative control.

Which PowerShell cmdlet is used to create a new administrative unit in Azure AD?

  • New-AzureADUser
  • New-AzureADAdministrativeUnit
  • Add-AzureADAdministrativeUnitMember
  • Set-AzureADUser

Answer: New-AzureADAdministrativeUnit

Explanation: The cmdlet New-AzureADAdministrativeUnit is used to create a new administrative unit in Azure AD.

True or False: Administrative units in Azure AD can only be used to manage user and group objects, not devices.

  • True
  • False

Answer: True

Explanation: As of the knowledge cutoff date, administrative units primarily focus on the management of user and group objects, but do not extend to the management of device objects within Azure AD.

What is the maximum number of administrative units you can create in a single Azure AD organization?

  • 10
  • 50
  • 100
  • There is no limit

Answer: There is no limit

Explanation: As of the knowledge cutoff date, there is no specified limit to the number of administrative units that can be created in a single Azure AD organization.

True or False: Administrative units can be nested within other administrative units.

  • True
  • False

Answer: False

Explanation: Administrative units do not support nesting. An administrative unit cannot contain another administrative unit within its structure.

Interview Questions

What are administrative units in Azure AD?

Administrative units in Azure AD are a way to organize resources and manage access to those resources. With administrative units, you can delegate administrative control to specific groups of users, allowing them to manage only the resources that are relevant to their roles in the organization.

What types of resources can be associated with an administrative unit in Azure AD?

You can associate various types of resources with an administrative unit in Azure AD, including users, groups, applications, and devices.

How do you create an administrative unit in Azure AD?

To create an administrative unit in Azure AD, you need to log in to the Azure portal, select Azure Active Directory, and then select “Administrative units.” From there, you can create a new administrative unit, provide a name, select the resource type you want to associate with it, and assign users or groups to the administrative unit.

What is the purpose of assigning permissions to an administrative unit in Azure AD?

Assigning permissions to an administrative unit in Azure AD allows you to give users or groups access to resources. By assigning permissions, you can control what users can and cannot do within the administrative unit.

How do you add or remove members from an administrative unit in Azure AD?

To add or remove members from an administrative unit in Azure AD, you need to go to the unit’s settings in the Azure portal and select “Members.” From there, you can add or remove members as needed.

What is a nested administrative unit in Azure AD?

A nested administrative unit in Azure AD is an administrative unit that is created within another administrative unit. This allows you to create a hierarchical structure that mirrors the organization’s structure.

How do you move resources, such as users or groups, from one administrative unit to another in Azure AD?

To move resources from one administrative unit to another in Azure AD, you need to go to the resource’s settings in the Azure portal and select “Administrative unit.” From there, you can select the new administrative unit to which you want to move the resource.

What are some common use cases for using administrative units in Azure AD?

Common use cases for using administrative units in Azure AD include delegating administrative control to specific groups of users, simplifying access management, and ensuring compliance with security and privacy regulations.

How do you assign administrative permissions to an administrative unit in Azure AD?

To assign administrative permissions to an administrative unit in Azure AD, you need to go to the unit’s settings in the Azure portal and select “Administrative permissions.” From there, you can assign permissions to users or groups as needed.

How do you monitor administrative activity in Azure AD?

You can monitor administrative activity in Azure AD using the audit logs, which provide information about changes made to administrative units and other resources. The audit logs can be accessed from the Azure portal.

Oliver Haapala
1 year ago

Does anyone have experience managing administrative units in Azure AD for an enterprise setup?

Andrea Rocha
1 year ago

Can someone explain the limitations of using administrative units?

Dolores Gallego
1 year ago

I found enabling the roles within administrative units quite confusing initially. Any resources or tips?

Ceyhan Tokatlıoğlu
9 months ago

Can administrative units help in managing user access for a multinational organization?

Alessio Lammerink
1 year ago

Thanks for the comprehensive post!

Cornelio Noriega
1 year ago

Has anyone incorporated administrative units with Azure PIM (Privileged Identity Management)?

Soraya Deschamps
1 year ago

Appreciate the post for exam AZ-500!

Liam Brunstad
1 year ago

Does using administrative units impact Azure AD Connect sync configurations?
