Azure Active Directory Administrative Units

Azure Active Directory Administrative Units: Azure AD Delegation of Administrative Permissions

The move to the cloud often means that we need to learn new ways to manage access to cloud based resources. The methods of delegating administrative control we are accustomed to on-premises are often no longer applicable to cloud-based resources.

AWS Builder Community Hub

Office 365 has long had built in admin roles that can be used to delegate levels of permissions to administrators. The screenshot below shows the current built in admin roles available in Office 365.

Azure AD Feature 1

Beyond these built in roles, administrators can use RBAC permissions within some of the Office 365 applications to exercise more granular control over that specific application. These roles allow you to delegate sub-admins in your Office 365 tenant for some of the workloads.

Until recently Azure AD has been closer to an all-or-nothing administrative experience. The choices for an account in Azure have been “user”, “global administrator”, or “limited administrator” very similar to the functionality available within the Office 365 portal.

In this blog post, I’m going to cover Azure Active Directory Administrative Units and everything you need to know to setup administrators limited to specific sub-sets of users within Azure AD.

What are Azure AD Administrative Units?

Azure AD Admin Units are new containers in Azure Active Directory that can be used to delegate administrative permissions to a subset of users. This feature is still in preview as of this writing, and it only works for user accounts. It seems likely that Microsoft will expand that other types of Azure resources by the time this feature goes into General Availability, or maybe sometime thereafter.

Azure AD Administrative Unites do require an Azure Premium license to manage users with this feature. The users themselves do not require a premium license to be managed.

Working with Administrative Units

Working with AAD Admin Units requires a PowerShell module to be installed to get the necessary cmdlets. To get this module, all you must do is open PowerShell and run the following cmdlet

Install-Module AzureADPreview

Azure Graphic 2

Once the module is installed, connect to your Azure AD tenant with


Once connected, the first thing I like to do is take a brief tour of the PowerShell cmdlets that are available for the features I am working with. To look at the cmdlets that come with the PowerShell module we just installed run the following.

Get-Command -Module AzureADPreview

As I write this, I get 202 cmdlets listed in that module. This module is in preview, so that will likely be updated in the future. Your results may vary.
Let’s look at the cmdlets that are specific to Azure AD Admin Units.

Get-Command *AzureADADmin*

Get-Command *AzureADDirectory*

Azure AD 4

Scoping Helpdesk admins to a sub-set of users

Let’s take the example of an organization that needs to setup Helpdesk administrators for a specific sub-set of users. Theses Helpdesk admins will be able to perform these tasks only for the users we include in the scope.
First, we want to see we have any Admin Units already setup.


Azure AD 5

There are no Admin Units setup within my tenant, so let’s create one.

New-AzureADAdministrativeUnit -Description “Portland Region” -DisplayName “Portland”

Azure AD 6

Now we create a variable to hold our new AU.

$PorAU = Get-AzureADAdministrativeUnit -Filter “displayname eq ‘Portland’”

Then we create a variable to hold the user accounts we want to add to this Admin Unit.

$PorUser = Get-AzureADUser -Filter “City eq ‘Portland’”

A quick check of those two variables shows us they are both populated and ready to go

Azure AD 7

To add the user(s) to the Admin Unit run the following.

Add-AzureADAdministrativeUnitMember -ObjectId $PorAU.ObjectId -RefObjectId $PorUser.ObjectId

Now we add an administer for this AU. I’m going to add “John Tester” as the admin.

$PorAdmin = Get-AzureADUser -Filter “UserPrincipalName eq ‘[email protected]’”

$PorUserAdminRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $PorAdmin.ObjectId}

$UAUserAdmin = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq “User Account Administrator”}

Add-AzureADScopedRoleMembership -RoleObjectId $UAUserAdmin.ObjectId -ObjectId $PorAU.ObjectId -RoleMemberInfo $PorUserAdminRoleMemberInfo

Now to verify that all worked correctly.

Get-AzureADScopedRoleMembership -ObjectId $PorAU.ObjectId | fl

Azure AD 8

John’s account is setup as a regular user in Office 365 admin portal. Now when John logs into the Office 365 portal and launches the Admin app, he can manage Ted’s account.


Azure Active Directory Administrative Units are a new feature that will give us more granular control over our administrators privileges in Azure and Office 365.

As it’s currently implemented, Azure AD Admin Units are basic. They don’t have nearly the functionality that I would like to see, but these things are always an evolution. For now, it’s good to play with this basic tool and figure out how it works. In the fairly near future, this feature should grow into a very useful tool.

The post Azure Active Directory Administrative Units appeared first on Semperis.

*** This is a Security Bloggers Network syndicated blog from Semperis authored by Nathan O'Bryan. Read the original post at: