Managing Administrative Units in Microsoft Azure Security Technologies is a crucial topic you’ll need to understand to successfully tackle the AZ-500 examination and effectively implement and manage identity and access in Azure. Administrative units are essentially containers of common Azure Active Directory (Azure AD) resources that make administration tasks easier and more strategic.
Understanding Administrative Units
Administrative Units (AUs), first introduced in 2019, are collections that let administrators delegate permissions with a refined scope, helping to create subsets of users and groups in Azure AD. In a larger organization where tasks and responsibilities are segmented, AUs come in very handy as they enable more precise management.
Creating & Managing Administrative Units
Creating an administrative unit is a straightforward process. Given below is a PowerShell script that creates an AU with the AzureAD module:

```powershell
Import-Module AzureAD

# Prompt for admin credentials instead of embedding a plaintext password in the script.
# Note: Connect-AzureAD -Credential does not work for accounts that require MFA;
# for those, call Connect-AzureAD with no parameters to sign in interactively.
$adminCredential = Get-Credential -Message "Enter Azure AD admin credentials"

# Connect to Azure AD
Connect-AzureAD -Credential $adminCredential

# Create new administrative unit
New-AzureADMSAdministrativeUnit -Description "Description of new administrative unit" -DisplayName "New Administrative Unit"
```

The script begins by importing the AzureAD module, which is necessary to work with Azure AD from PowerShell. It then prompts for the admin credentials and uses them to establish a connection to Azure AD, rather than storing a password in the script itself. Finally, it creates a new administrative unit with the provided description and display name.
Administrative units can be managed using the Azure portal, PowerShell or the Microsoft Graph API. In the portal, you can find them under ‘Azure Active Directory’ > ‘Groups’ > ‘Administrative units’. From here, you can add a group or user to an administrative unit, delegate roles scoped to the unit, or delete an administrative unit.
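As an added example that is not part of the original page, the same delegation flow written against the Microsoft Graph PowerShell SDK, which Microsoft now recommends over the deprecated AzureAD module: create an AU, add a member, assign the User Administrator role scoped to that AU only, and then verify that the assignment is not tenant-wide. The tenant domain, user names and AU name are placeholders you would replace with your own.

```powershell
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Placeholder values: adjust to your tenant.
$auName      = "Sales Department"
$memberUpn   = "alice@contoso.onmicrosoft.com"          # user to be managed inside the AU
$delegateUpn = "helpdesk.bob@contoso.onmicrosoft.com"   # admin who receives the scoped role

# Sign in interactively, requesting only the delegated scopes this task needs.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

# 1. Create the administrative unit.
$au = New-MgDirectoryAdministrativeUnit -DisplayName $auName -Description "Users managed by the Sales helpdesk"

# 2. Add a user as a member of the AU (membership is expressed as an OData reference).
$member = Get-MgUser -UserId $memberUpn
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($member.Id)"
}

# 3. Assign User Administrator to the delegate, scoped to this AU instead of the whole directory.
#    The role definition is looked up by display name so no role template GUID is hard-coded.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$delegate = Get-MgUser -UserId $delegateUpn
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $delegate.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: every assignment returned here is limited to this AU. A DirectoryScopeId of "/"
#    would indicate a tenant-wide assignment, which is exactly what AU scoping is meant to avoid.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

The delegate can now reset passwords and edit profiles only for members of this AU; the same role assigned with `-DirectoryScopeId "/"` would apply to every user in the tenant.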
Benefits of using Administrative Units
Here are some potential benefits of using AUs:
Benefit | Description |
---|---|
Delegation | AUs enable organizations to delegate admin roles. For example, the User Account Administrator role could be assigned to a user that only impacts members of specified AUs. |
Organization | Rather than managing users and groups individually, AUs provide a set structure for categorizing these resources. |
Improved Security | By segmenting users and groups into specified AUs, organizations tighten their security management, because scoped delegation reduces the risk of access and permission mismanagement. |
In conclusion, understanding how to manage administrative units in Azure AD is necessary for anyone preparing for the AZ-500 examination. AUs provide several important benefits that can help improve delegation, organization, and security management within an organization’s Azure environment. Understanding how to create and manage these units through Azure portal, PowerShell, or the Microsoft Graph API is invaluable knowledge for both the examination and practical application.
Practice Test
True or False: Administrative units in Azure Active Directory (Azure AD) can have nested units.
- False
Answer: False
Explanation: Azure AD administrative units don’t support hierarchy, which means you can’t have nested units inside other administrative units.
The Azure AD Privileged Identity Management feature can be used to manage roles within Administrative Units. True or False?
- True
Answer: True
Explanation: Azure AD Privileged Identity Management allows for role management within Administrative Units, enhancing security by requiring certain users to request access.
What is the primary purpose of administrative units in Azure?
- A. To provide a hierarchical structure to manage resources at the subscription level.
- B. To delegate administrative tasks to manage users and groups in Azure AD.
- C. To manage network security for virtual machines in Azure.
Answer: B. To delegate administrative tasks to manage users and groups in Azure AD.
Explanation: Administrative units in Azure are primarily used to delegate administrative tasks in Azure AD, particularly within larger organizations.
True or False: You need a P2 license to use and manage Administrative Units in Azure AD.
- False
Answer: False
Explanation: The use of Administrative Units in Azure AD doesn’t require a P2 license; it’s available on Free, Basic, Premium P1 and Premium P2, but certain features may require a Premium license.
All Azure Active Directory roles can be assigned to an administrative unit. True or False?
- False
Answer: False
Explanation: Only specific roles that support scoped assignment to administrative units, such as User Administrator and Groups Administrator, can be assigned to an administrative unit.
Azure AD Administrative units allow delegation of administrative duties without:
- A. Needing a P2 license
- B. Assigning roles at the directory level
- C. Assigning roles at the resource level
- D. Requiring privileged identity management
Answer: B. Assigning roles at the directory level
Explanation: Administrative units allow specific delegation of administrative duties to users without needing to grant them roles at a directory-wide level, enhancing security and granular control.
Multiple Roles can be assigned to a single Administrative Unit in Azure AD. True or False?
- True
Answer: True
Explanation: Multiple roles can indeed be assigned to a single Administrative Unit to secure granular access to resources.
True or False: An administrative unit can only contain users and groups.
- True
Answer: True
Explanation: The Azure AD administrative units can only contain users and groups. They do not contain other objects such as applications, devices, etc.
If a user is in multiple administrative units, where will their settings be applied from?
- A. The first administrative unit they were added to
- B. The last administrative unit they were added to
- C. All the administrative units they are part of
Answer: C. All the administrative units they are part of
Explanation: If a user belongs to multiple administrative units, the settings from all of the units will be applied to the user.
True or False: You can transfer ownership of an administrative unit in Azure AD.
- True
Answer: True
Explanation: Ownership of an administrative unit can indeed be transferred in Azure AD. An owner can manage members and settings of the administrative unit.
Interview Questions
What is an administrative unit in Azure Active Directory?
Administrative units in Azure Active Directory are a container of resources that assist in delegating administrative permissions. They provide a level of scope above a single resource but below the level of the entire directory.
How do administrative units help in managing Azure AD resources?
By grouping resources into administrative units, organizations can delegate administrative privileges at a level that is below the entire directory. This can assist in breaking down management tasks and limiting permissions where necessary.
How do you create an administrative unit in Azure Active Directory?
An administrative unit can be created in Azure Active Directory by navigating to the Administrative units page in the Azure portal and clicking on New administrative unit. You’ll need to enter a name for the unit, and then select Create.
What permissions do you require to manage Azure AD administrative units?
To manage Azure AD administrative units, you require the Global administrator or Privileged role administrator roles.
Can you add users to an administrative unit in Azure AD?
Yes, you can add users to an administrative unit in Azure AD. This can be done by navigating to the administrative unit in the Azure portal and adding the users.
What roles can you delegate to another admin within an administrative unit in Azure AD?
You can delegate User administrator, Helpdesk administrator, and Password administrator roles within an administrative unit in Azure AD.
How do you delegate roles in an Azure AD administrative unit?
To delegate roles in an Azure AD administrative unit, navigate to the unit in the Azure portal, select Roles and administrators, and then Add assignments.
Can you add groups to an administrative unit in Azure AD?
As of today, it’s not possible to add groups to an administrative unit in Azure AD. You can only add users and devices.
Can you create nested administrative units in Azure AD?
No, you cannot create nested administrative units in Azure AD. An administrative unit can contain only users and devices, but not other administrative units.
Can you create an administrative unit via Azure AD PowerShell?
Yes, you can create an administrative unit via Azure AD PowerShell by using the New-AzureADMSAdministrativeUnit command.
How do you add users to an administrative unit via Azure AD PowerShell?
You can add users to an administrative unit via Azure AD PowerShell by using the Add-AzureADAdministrativeUnitMember command.
Can you delete an administrative unit in Azure AD?
Yes, you can delete an administrative unit from Azure AD. However, note that the deletion is permanent and cannot be undone.
How do you delete an administrative unit in Azure AD?
You can delete an administrative unit in Azure AD from the Azure portal by navigating to the unit and selecting Delete. You can also delete it via Azure AD PowerShell by using the Remove-AzureADMSAdministrativeUnit command.
Can you restore a deleted administrative unit in Azure AD?
No, you cannot restore a deleted administrative unit in Azure AD. Once an administrative unit is deleted, it is permanent and cannot be undone.
How many administrative units can you create in a single Azure AD tenant?
There is no limit to the number of administrative units you can create in a single Azure AD tenant. However, note that each administrative unit can have a maximum of 5,000 members.