Administrative Units in Azure Active Directory – why do we need them?

Active Directory

One of the main building blocks of on-premises Active Directory, from day one, has been the Organizational Unit (OU): a container for user, group and computer objects.

OUs let the directory administrator partition the directory logically into a set of management units. That partitioning is what makes it possible to delegate administration across the directory and to target Group Policy at specific users and computers.

Take the example of a college with 5 sites. The directory admin could create an OU for each site, each containing a Computer OU and a User OU. Admin tasks such as password reset could then be delegated to the site admins for their own OU only, spreading the administrative load without handing anyone rights over the whole directory.

Azure Active Directory

In contrast to on-premises AD, Azure AD (AAD) is a flat structure containing user, group and device objects. There is no equivalent of the OU tree, so the logical structure above could not be recreated. The consequence is that a user assigned, for example, the Helpdesk Administrator role in AAD held that role across the entire directory: they could reset the password of any non-admin user in the tenant, not just the ones they were meant to support.

Administrative Units (AUs), currently in preview, solve that problem in AAD. They allow the Global Admin to partition the directory into multiple AUs and to assign an administrative role to a user with the role scoped to a single AU rather than to the whole tenant. The user can then exercise that role's privileges only against the users and groups that are members of that AU. Note that the scope limits what the delegated admin can change, not what they can read; AU membership does not hide the rest of the directory from them.

[Screenshot: au-2]

In our college example we could create an AU for each site (Belfast, below) and populate each unit with the user objects for that site from the directory. A site manager is then given one or more roles scoped to that AU.

[Screenshot: au-1]


Here, Megan has been assigned the Helpdesk Administrator role in the Belfast AU. Note that the Scope is shown as "This resource" (i.e. the AU itself), not the entire directory. That scope value is the thing to check when reviewing delegated role assignments: an assignment whose scope is the directory root is the tenant-wide behaviour we set out to avoid.

[Screenshot: au-3]

At the time of writing AUs can contain user and group objects. Note that adding a group does not expand it: the group's members do not become members of the AU. Instead, it gives the AU's administrator the ability to manage the membership of that group and to change its name. If the site admin needs to act on the members themselves (password resets, for instance), those users must be added to the AU directly.

Note also that nesting of AUs is not supported.

Administrative Units can be managed in the Azure portal as well as through PowerShell and Microsoft Graph.
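The following PowerShell script builds the Belfast example from this post end to end: it creates the AU, populates it with users, assigns the Helpdesk Administrator role to Megan scoped to that AU only, and then checks the resulting assignments for any tenant-wide scope. It is an added example, not code from the original post or from Microsoft's documentation. It assumes the AzureAD (or AzureADPreview) PowerShell module is installed and the signed-in account is a Global Administrator; the user principal name megan@contoso.com, the Belfast city filter and the display names are placeholders.

```powershell
# Added example (not part of the original post). Assumes the AzureAD or
# AzureADPreview module is installed and the session is a Global Administrator.
# UPNs, display names and the city filter below are placeholders.

Connect-AzureAD

# 1. Create the administrative unit for the Belfast site.
$au = New-AzureADMSAdministrativeUnit -DisplayName "Belfast" `
        -Description "Belfast site users and groups"

# 2. Populate it with the site's users. Membership is explicit: adding a
#    group object to an AU later would NOT pull that group's members in,
#    so we add the users themselves (here selected by the 'city' attribute).
$belfastUsers = Get-AzureADUser -Filter "city eq 'Belfast'" -All $true
foreach ($u in $belfastUsers) {
    Add-AzureADMSAdministrativeUnitMember -Id $au.Id -RefObjectId $u.ObjectId
}

# 3. Look up the built-in Helpdesk Administrator role definition by name
#    rather than hard-coding its template ID.
$role = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# 4. Assign the role to Megan with a directory scope of this AU only.
#    A DirectoryScopeId of "/" would be the whole tenant, which is the
#    pre-AU behaviour the post describes.
$megan = Get-AzureADUser -ObjectId "megan@contoso.com"
New-AzureADMSRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $megan.ObjectId `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 5. Check: list Megan's role assignments and flag any that are tenant-wide.
$assignments = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($megan.ObjectId)'"
foreach ($a in $assignments) {
    $scope = if ($a.DirectoryScopeId -eq "/") { "TENANT-WIDE" } else { $a.DirectoryScopeId }
    "{0}  scope={1}" -f $a.RoleDefinitionId, $scope
}
```

Step 5 is the part worth keeping as a recurring check: run it for every delegated admin and anything that prints TENANT-WIDE is a role that escaped the AU scoping this post is about.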

In a follow-up blog post we'll look at the My Staff application (also in preview), which builds on AUs by giving designated managers a user-friendly interface for managing their own staff, rather than sending them to the Microsoft 365 admin center.
