Before delving into the creation of administrative units, it is vital to understand their characteristics. Administrative units:
- Can contain users, groups, and devices, so that a set of users, groups, and devices can be managed as one.
- Allow a role assignment to be confined to that administrative unit only, rather than to the whole directory.
- Act as the scope of an Azure AD role assignment, for those Azure AD roles that can be scoped to an administrative unit.
Creating Administrative Units
Creating Administrative Units in Azure is a straightforward process. To create an Admin unit, follow these steps:
- In Azure portal, go to Azure Active Directory > Administrative units.
- Click New administrative unit.
- Enter a name and (optionally) a description for the administrative unit then click Create.
In terms of Azure CLI, use the following command to create an administrative unit:
```azurecli
az rest --method post --uri https://graph.microsoft.com/v1.0/directory/administrativeUnits --body '{ "displayName": "your-admin-unit-name" }' --headers Content-Type=application/json
```
Replace ‘your-admin-unit-name’ with the name you want to assign to your admin unit.
Adding A User To An Administrative Unit
To add a user to an administrative unit that you’ve just created:
- Go to Azure Active Directory > Administrative units.
- Click on the administrative unit you want to add the user to.
- Click Users > Add users.
- Select the users you want to add.
Alternatively, use the following Azure CLI command:
```azurecli
az rest --method post --uri 'https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$ref' --body '{ "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}" }' --headers Content-Type=application/json
```
Replace `{admin-unit-id}` and `{user-id}` with the object IDs of your administrative unit and of the user. The URI is single-quoted so that the shell passes `$ref` through literally instead of expanding it as an (empty) variable.
Assigning a Role to an Administrative Unit
Roles can be assigned at the administrative unit level. To assign a role:
- Go to Azure Active Directory > Roles and administrators.
- Click a role (such as Helpdesk Administrator).
- Click Add assignments.
- Select the Administrative units tab and select the administrative unit to which you want to assign the role.
The Azure CLI command is:
```azurecli
az rest --method post --uri https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments --body '{ "directoryScopeId": "/administrativeUnits/admin-unit-id", "roleDefinitionId": "role-definition-id", "principalId": "principal-id" }' --headers Content-Type=application/json
```
Replace ‘admin-unit-id’, ‘role-definition-id’, and ‘principal-id’ with the correct IDs. The directoryScopeId of an administrative unit is its ID prefixed with `/administrativeUnits/`, and the body must be valid JSON, so keys and values are double-quoted inside a single-quoted shell string.
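The three steps above chained into one script, as an added example that is not code from the original page. It assumes the Azure CLI is installed and signed in (az login) as an account permitted to manage administrative units and role assignments, and that the caller passes the administrative unit name, the user's object ID and the role definition ID as arguments; the final GET, which lists what is now assigned at the new scope, is the review step a practitioner would want after delegating.

```shell
#!/bin/sh
# Added example, not code from the original page: the three az rest calls
# above chained into one script with the quoting they need. Assumes the Azure
# CLI is installed and signed in (az login) as an account permitted to manage
# administrative units and role assignments.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"

# The scope id Graph expects when a role assignment is confined to an AU.
au_scope_id() { printf '/administrativeUnits/%s\n' "$1"; }

# Members URI. $ref must reach Graph literally; keeping it inside the
# single-quoted format string stops the shell expanding it as a variable.
au_members_ref_uri() {
  printf '%s/directory/administrativeUnits/%s/members/$ref\n' "$GRAPH" "$1"
}

# Request bodies as valid JSON: keys and values in double quotes.
au_body() { printf '{ "displayName": "%s" }\n' "$1"; }
member_body() { printf '{ "@odata.id": "%s/directoryObjects/%s" }\n' "$GRAPH" "$1"; }
role_assignment_body() {  # AU_ID ROLE_DEFINITION_ID PRINCIPAL_ID
  printf '{ "directoryScopeId": "%s", "roleDefinitionId": "%s", "principalId": "%s" }\n' \
    "$(au_scope_id "$1")" "$2" "$3"
}

graph_post() {  # graph_post URI BODY [extra az rest options]
  uri=$1; body=$2; shift 2
  az rest --method post --uri "$uri" --body "$body" \
    --headers Content-Type=application/json "$@"
}

# Create the AU, add the user, scope the role to the AU, then list every
# assignment at that scope so the delegation can be reviewed.
provision_au() {  # provision_au AU_NAME USER_ID ROLE_DEFINITION_ID
  au_id=$(graph_post "$GRAPH/directory/administrativeUnits" "$(au_body "$1")" \
            --query id -o tsv)
  graph_post "$(au_members_ref_uri "$au_id")" "$(member_body "$2")"
  graph_post "$GRAPH/roleManagement/directory/roleAssignments" \
    "$(role_assignment_body "$au_id" "$3" "$2")"
  az rest --method get --uri \
    "$GRAPH/roleManagement/directory/roleAssignments?\$filter=directoryScopeId%20eq%20'$(au_scope_id "$au_id")'"
}

if [ "$#" -eq 3 ]; then provision_au "$@"; fi
```

The display name is inserted into the JSON body without escaping, so keep it free of double quotes and backslashes.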
In conclusion, Administrative Units play a significant role in delegated administration scenarios. They offer an additional level of grouping and scoping for user, group, and device management. Through the use of Administrative Units, you can create a structured and more manageable Azure environment.
Practice Test
True or False: In the Azure portal, you can create administrative units within Azure Active Directory.
- True
- False
Answer: True
Explanation: Azure Active Directory allows you to organize users and groups into administrative units to delegate permissions over subsets of users or groups.
True or False: A user with directory roles in Azure AD cannot administer administrative units.
- True
- False
Answer: False
Explanation: In Azure AD, directory role members can administer administrative units. It depends on the particular role and the permissions it includes.
Which of the following is NOT a step in creating an administrative unit in Azure AD?
- a) Select Azure Active Directory
- b) Select Administrative units
- c) Select New
- d) Select Delete
Answer: d) Select Delete
Explanation: “Select Delete” is not a step in creating an administrative unit; it is a step in deleting an existing one.
True or False: You can delegate administrative duties to users on the entire directory.
- True
- False
Answer: True
Explanation: The “Global administrator” or “User administrator” roles in Azure Active Directory have permissions to manage all aspects of the entire directory.
When creating an administrative unit using the ‘az ad admin-unit create’ command, a unique ObjectId is created for the administrative unit. True or False?
- True
- False
Answer: True
Explanation: Every administrative unit created using the Azure CLI commands assigns a unique ObjectId to the unit.
One of the advantages of using Administrative Units is:
- a) Allows delegation of administrative tasks
- b) Automatically upgrades the Azure subscription
- c) Provides virtual machines with more resources
Answer: a) Allows delegation of administrative tasks
Explanation: Administrative units help delegate administrative tasks and minimize the number of Global administrators by limiting scope to a specific department, region, or subsidiary.
What are the prerequisites for creating administrative units? Choose all that apply.
- a) Azure AD P2 subscription
- b) Global Administrator role
- c) Azure AD Premium P1 or P2 license for each user
- d) Directory reader role
Answer: b) Global Administrator role, c) Azure AD Premium P1 or P2 license for each user
Explanation: To create an administrative unit, you need the Global Administrator role, and each user who is a member of the administrative unit requires an Azure AD P1 or P2 license.
What type of operations can be assigned to an admin of an administrative unit? Choose all that apply.
- a) Create or delete users
- b) Assign licenses
- c) Manage devices
- d) Reset user password
Answer: a) Create or delete users, b) Assign licenses, c) Manage devices, d) Reset user password
Explanation: An admin of an administrative unit has roles such as User Account administrator, Helpdesk admin, etc., which include creating or deleting users, assigning licenses, managing devices, resetting user passwords, and more.
You can add groups to an administrative unit. True or False?
- True
- False
Answer: True
Explanation: In Azure AD, you can add groups to an administrative unit to streamline the management of groups of users.
Users added to an administrative unit have automatic admin privileges. True or False?
- True
- False
Answer: False
Explanation: Simply adding users to an administrative unit does not grant them admin privileges. For a user to have admin privileges, they need to be assigned a specific administrative role.
To delegate separate administrative duties, you need to create separate administrative units. True or False?
- True
- False
Answer: True
Explanation: Creating separate administrative units allows you to delegate discrete administrative duties to different sets of admins. This way, admins can have scope over specific groups of users and perform specific tasks.
Can consultant users be added to administrative units in Azure AD?
- Yes
- No
Answer: Yes
Explanation: Consultant users can be added to administrative units in Azure AD. They can manage only a subset of user accounts and groups in the directory based on their assigned administrative unit.
True or False: Azure AD Conditional Access policies can be applied at the Administrative Unit level.
- True
- False
Answer: True
Explanation: Azure AD Conditional Access policies can be scoped to include or exclude specific Administrative Units, allowing for granular control over access policies.
True or False: Azure AD requires an Azure subscription to create administrative units.
- True
- False
Answer: False
Explanation: Azure AD, where you create administrative units, is an identity service that does not require an Azure subscription.
What is the maximum number of administrative units you can create in Azure AD?
- a) 100
- b) 500
- c) 1000
- d) There is no limit
Answer: d) There is no limit
Explanation: Azure AD does not impose a limit on the number of administrative units you can create. You can create as many as you need to meet your management needs.
Interview Questions
What is the first step to create an administrative unit in Azure Active Directory?
The first step to create an administrative unit in Azure Active Directory is to sign in to the Azure portal as a Global Administrator or Privileged Role Administrator.
How can you assign a role to a user in an administrative unit?
You can assign a role to a user in an administrative unit from the Azure portal: go to Azure Active Directory, then Roles and administrators, select the specific role, and then Assignments. Select Add assignments, choose the users and the administrative unit, then select Add.
Can you assign Azure AD roles to a group in an administrative unit?
No, currently Azure AD roles can only be assigned to individual users within an administrative unit.
How can you delete an administrative unit in Azure Portal?
You can delete an administrative unit in Azure portal by going to Azure Active Directory, then Administrative units. Select the name of the administrative unit that you want to delete, and then click Delete.
What type of roles can be assigned to users in an administrative unit?
Any built-in directory role, custom role, or administrative unit-scoped role can be assigned to the users in an administrative unit.
How many administrative units can you create in Azure AD?
You can create up to 5000 administrative units in a single Azure AD directory.
Are administrative units supported by Azure AD Free?
No, the administrative units feature is only available in the Azure AD Premium P1 and P2 editions.
Can administrative units be nested?
No, administrative units in Azure AD cannot be nested.
What is the purpose of administrative units in Azure AD?
Administrative units in Azure AD provide a way to delegate administrative tasks to a subset of users with specific roles, limiting their scope to a certain department, region, or other subsets of users.
Can a single user be a member of multiple administrative units?
Yes, a single user can be a member of multiple administrative units.
What is one of the key benefits of using administrative units in Azure AD?
One key benefit of using administrative units is that it helps to segment administrative tasks and duties, thus enhancing the overall security by limiting access and privileges of administrators to specific units.
Which Azure AD roles can manage administrative units?
The Global Administrator and Privileged Role Administrator roles can manage administrative units.
Can you create an administrative unit using PowerShell?
Yes, you can create an administrative unit using the New-AzureADMSAdministrativeUnit command in PowerShell.
Is it possible to move users from one administrative unit to another?
Yes, it is possible to move users from one administrative unit to another using the Azure AD PowerShell module or Graph API.
How can you view all administrative units in Azure AD?
In Azure Portal, by going to Azure Active Directory, and then clicking on Administrative units.