Administrative units (AUs) in Microsoft Entra ID (formerly Azure AD) are containers for directory objects: users, groups, and devices. They let you scope a directory role assignment to just the objects in the container, so a delegated administrator manages a subset of the tenant instead of every account in it.
AUs are a directory feature, not an Azure resource-management feature. They do not contain subscriptions, resource groups, or Azure resources, and they are not hierarchical: an AU cannot be nested inside another AU. Access to Azure resources is governed separately by Azure RBAC on the management group, subscription, and resource group hierarchy.
The typical use is delegating user, group, and device management to regional or departmental help desks without granting tenant-wide roles such as User Administrator, which keeps the number of people holding broad directory roles small.
The security-relevant point is blast radius: a compromised or misused delegated admin account that only holds AU-scoped roles can damage the objects in its units, not the whole tenant.
What Are Azure Administrative Units?
An administrative unit is a container for Entra ID directory objects (users, groups, and devices) that you want to treat as one management scope.
By assigning a directory role at the scope of an AU, you delegate that role's permissions to a specific administrator for only the objects inside the unit.
An AU-scoped assignment is additive: it gives the delegate permissions over the unit's members, but it takes nothing away from administrators who already hold the same role at tenant scope. A normal AU narrows what the delegate can do; it does not fence its members off from tenant-wide administrators.
A restricted management administrative unit (RMAU) exists for the opposite problem. Instead of adding permissions for someone, it removes the ability of tenant-scoped role holders, Global Administrators included, to modify the objects inside it unless they are explicitly assigned a role at the unit's scope.
Why Do You Need Azure Administrative Units?
The reason to use administrative units is least privilege: a delegated administrator should be able to act only on the accounts, groups, and devices they are responsible for.
Assigning a user a tenant-scoped role such as User Administrator lets them manage every user in the tenant, including executives, service accounts, and other administrators. For a regional or departmental help desk that is far more than the job requires.
Only a subset of Entra ID roles can be scoped to an AU. The original set was Authentication Administrator, Password Administrator, User Administrator, Helpdesk Administrator, License Administrator, and Groups Administrator, and Microsoft has extended the list since; the Roles and administrators blade of a unit shows exactly which roles can be assigned at its scope.
As an organization grows, the number of people who need some administrative capability grows with it, and handing each of them a tenant-wide role is how privilege sprawl starts.
Restricted management administrative units address the complementary risk: protecting a small set of high-value accounts from the large set of people who hold tenant-wide roles.
Creating and Managing Azure Administrative Units
To create an administrative unit, sign in to the Azure portal with an account that holds the Privileged Role Administrator or Global Administrator role. Navigate to Entra ID -> Administrative Units, click “+ Add”, enter a name for the unit and an optional description, decide whether to enable the “Restricted Management Administrative Unit” setting (this is chosen at creation time, so decide before you populate the unit), and click “Create”.
You can add users, groups, and devices to an administrative unit from the portal, from PowerShell, or through the Microsoft Graph API; the portal steps for users and groups are listed below.
Note that groups with dynamic membership cannot be added to an administrative unit; if you want attribute-driven membership, define the dynamic membership rule on the unit itself.
Administrative units can also be created using PowerShell or Microsoft Graph API. You can use the Azure portal, PowerShell, or Microsoft Graph to manage administrative units.
To assign roles to users at the scope of the unit, navigate to the unit in the Azure portal, click on “Roles and administrators”, and then click on the role you want to delegate and the user you want to assign it to. The user will only have the permissions of the assigned role for the resources within the administrative unit.
Here are the steps to add users to an administrative unit:
- Sign in to the Azure portal or Azure AD admin center
- Select Azure Active Directory -> Administrative units, and then select the administrative unit to which the user needs to be added
- Select Users -> +Add member and on the Add member pane, select one or more users that you want to add to the administrative unit
You can also use PowerShell or Microsoft Graph API to add users to an administrative unit.
Here are the steps to add groups to an administrative unit:
- Sign in to the Azure portal or Azure AD admin center
- Select Azure Active Directory -> Administrative units, and then select the administrative unit to which you want to add groups
- Navigate to Groups -> +Add and select the groups you want to add to the administrative unit
Note that when you add a group to an administrative unit, only the group object is added, not its members. The AU's delegated administrator can manage the properties and membership of the group, but gains no rights over the member accounts themselves unless those accounts are also members of the unit.
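The whole procedure above (create a unit, populate it, delegate a scoped role, verify) done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original article or from Microsoft; the unit name, the UPNs, the group name, and the tenant are placeholders you must replace, and it creates a restricted management unit because that is the variant where getting the role assignment step right matters most.

```powershell
# Added example (not from the original article): create a restricted management
# administrative unit, add a user and a group, delegate User Administrator at the
# unit's scope, and read everything back. All names/UPNs are placeholders.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

# The signed-in account needs Privileged Role Administrator or Global Administrator.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
                        'User.Read.All', 'Group.Read.All'

# 1. Create the unit. isMemberManagementRestricted is chosen at creation time.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = 'Tier0-Protected-Accounts'                              # placeholder
    description                  = 'Privileged accounts; only AU-scoped roles may modify'
    isMemberManagementRestricted = $true
}

# 2. Add members by reference. Adding the group adds the group object only;
#    its members do not become members of the unit.
$user  = Get-MgUser  -UserId 'ga-alice@contoso.example'                # placeholder UPN
$group = Get-MgGroup -Filter "displayName eq 'Tier0-Admins'"           # placeholder group
foreach ($obj in @($user) + @($group)) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($obj.Id)"
    }
}

# 3. Delegate. Resolve the role definition by display name instead of hard-coding
#    a template ID, then assign it with the unit as directoryScopeId. Do this
#    BEFORE relying on the unit: tenant-scoped admins cannot manage RMAU members.
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$delegate = Get-MgUser -UserId 'helpdesk-bob@contoso.example'          # placeholder UPN
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $delegate.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 4. Verify: members of the unit and every assignment scoped to it.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }

Get-MgRoleManagementDirectoryRoleAssignment -All |
    Where-Object DirectoryScopeId -eq "/administrativeUnits/$($au.Id)" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

The assignment filter in step 4 is done client-side on purpose: it is the same query you would run during an access review, and it works regardless of which server-side filters the roleAssignments endpoint happens to support. The `@odata.id` reference uses `directoryObjects` so the same loop works for users, groups, and devices.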
Azure Administrative Units Inheritance and Permissions
Administrative units do not nest, so there is no parent/child inheritance between units. Each AU is a flat container, and a role assignment scoped to one unit applies to that unit's members only.
What does carry over is tenant scope. An AU-scoped assignment never reduces a tenant-scoped one: a User Administrator assigned at tenant level can still reset passwords for every user in every ordinary AU, because the unit only adds a narrower assignment for the delegate, it does not fence the members off from everyone else. Treat the set of people who can act on an account as the union of all tenant-scoped assignments and all assignments scoped to every unit the account belongs to.
If the goal is to fence accounts off, use a restricted management administrative unit. Tenant-scoped role holders, Global Administrators included, cannot modify the users, groups, or devices inside it unless they also hold a role scoped to that unit.
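A check that makes the additive behaviour concrete: for one account, list every principal whose directory role reaches it, combining tenant-scoped assignments with assignments scoped to each unit the account belongs to, and note whether a restricted management unit shields it from the tenant-scoped ones. This is an added audit script, not code from the original article or from Microsoft; the UPN is a placeholder and the function name `Get-EffectiveAdmins` is my own.

```powershell
# Added example (not from the original article): reconstruct who can administer a
# given user by merging tenant-scoped role assignments with AU-scoped ones.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'User.Read.All', 'AdministrativeUnit.Read.All', 'RoleManagement.Read.Directory'

function Get-EffectiveAdmins {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName

    # memberOf returns groups and administrative units; keep only the units and
    # fetch each one so the restricted-management flag is available.
    $aus = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.administrativeUnit' } |
        ForEach-Object { Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $_.Id }

    # One RMAU is enough to block tenant-scoped modification of this account.
    $shielded = @($aus | Where-Object { $_.IsMemberManagementRestricted }).Count -gt 0

    $defs = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $defs[$_.Id] = $_.DisplayName }

    $reaching = foreach ($a in (Get-MgRoleManagementDirectoryRoleAssignment -All)) {
        $scope = $a.DirectoryScopeId
        $hit = $false
        if ($scope -eq '/') {
            # Tenant-wide assignment: reaches the account unless an RMAU shields it.
            $hit = -not $shielded
        }
        elseif ($scope -like '/administrativeUnits/*') {
            # AU-scoped assignment: reaches the account only if it is in that unit.
            $hit = $aus.Id -contains $scope.Split('/')[-1]
        }
        if ($hit) {
            [pscustomobject]@{
                Principal = $a.PrincipalId
                Role      = $defs[$a.RoleDefinitionId]
                Scope     = $scope
            }
        }
    }

    [pscustomobject]@{
        User                = $user.UserPrincipalName
        AdministrativeUnits = @($aus.DisplayName)
        ShieldedByRmau      = $shielded
        ReachingAssignments = @($reaching)
    }
}

# Placeholder UPN; replace with the account under review.
Get-EffectiveAdmins -UserPrincipalName 'ga-alice@contoso.example' | Format-List
```

Two things the script deliberately does not do. It lists principals, not people: where `Principal` is a role-assignable group you still need to expand that group. And it reports that a tenant-scoped assignment is blocked by an RMAU without modelling the exceptions; a Privileged Role Administrator or Global Administrator can still manage the unit itself, including assigning themselves a role at its scope, so the RMAU raises the bar and leaves an audit trail rather than making the account untouchable.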
Inheritance for Groups
Adding a group to an administrative unit adds the group object only; its members do not become members of the unit. This is deliberate, and the reason is a privilege-escalation path.
If group membership were inherited into the unit, anyone who can change the group's membership (a Groups Administrator, or simply the group's owner) could add users to the group and thereby pull those users into the unit, handing the unit's delegated administrators control over accounts that were never meant to be in scope. For a restricted management unit the reverse would be just as bad: a group owner could pull a privileged account out of the unit's protection.
The same argument is why dynamic groups cannot be added: anyone able to edit the user attribute the group's rule keys on could move users into or out of the unit's scope without touching the unit at all.
Inheriting membership would make unit administration more convenient, but it would move control of the unit's boundary to group owners and attribute editors, so it is not supported. If you want attribute-driven membership, define the dynamic membership rule on the unit itself, where the rule is governed by the unit's own administrators, and treat write access to the attributes it tests as part of the unit's security boundary.
Access Control for Sensitive Applications
Restricted management administrative units also help protect sensitive applications, but indirectly: an application object or service principal cannot be a member of an administrative unit. What you can place in an RMAU are the accounts and groups that control the application, such as its owners, the security group assigned to it, and the administrators who manage its credentials and consent.
Putting those principals in an RMAU means that only users assigned a role at the unit's scope can modify them. A tenant-wide User Administrator or Groups Administrator can no longer reset an app owner's password, change the owner's authentication methods, or add themselves to the group that grants access to the application.
In practice you create an RMAU for the application's control plane, add the owning accounts and the access groups, and assign the small set of people who legitimately manage that application a role scoped to the unit.
For example, if an application holds sensitive customer data, add its owner accounts and its access-granting security groups to an RMAU. Anyone without a role scoped to that unit is then unable to tamper with who controls or can reach the application, regardless of what tenant-wide roles they hold.
The benefits of this pattern:
- Blocks unauthorized changes to the accounts and groups that govern the application
- Keeps tenant-wide administrators from granting themselves access by editing group membership or resetting an owner's credentials
- Makes the set of people who can alter the application's access path small and explicit
Used this way, an RMAU protects the application's access path; it does not replace application-level controls such as Conditional Access, app role assignment, or credential hygiene for the service principal itself.
Azure Administrative Units Limitations and Constraints
Administrative units are a useful delegation tool, but the scope they provide is narrower than it first appears, and several limitations quoted in older articles no longer hold.
Membership: users, groups, and devices can be added (devices were unsupported originally; they are now, and so is dynamic membership for users and devices). Applications and service principals cannot be added.
Licensing: administrators who are assigned roles at AU scope need an Entra ID P1 or P2 license.
Roles: only a subset of directory roles can be assigned at AU scope. The original six were Authentication Administrator, Password Administrator, User Administrator, Helpdesk Administrator, License Administrator, and Groups Administrator; the list has since grown, and the Roles and administrators blade of a unit shows exactly which roles are available.
Scope covers management, not reading. An AU limits what a delegated administrator may change; it hides nothing. Ordinary users, unit members included, can still enumerate users, groups, and devices across the whole tenant, subject only to the tenant's default user permissions.
Membership is many-to-many: a user, group, or device can belong to several units, so the principals able to manage it are the union of every assignment across every unit it belongs to plus all tenant-scoped assignments. That union is what you have to reconstruct when auditing who can touch an account.
Here are the key limitations of AUs:
- Members are users, groups, and devices only; no applications or service principals
- Groups are added as objects; their members are not pulled into the unit
- Groups are added one at a time in the portal; there is no bulk group add
- An object can belong to more than one AU
- Only a subset of directory roles can be scoped to an AU
- AU-scoped assignments can be made eligible through PIM; the older "permanent assignment only" limitation has been lifted
- Entra ID P1 (or higher) license is required for admins using AUs
Restricted management administrative units have their own constraints. They are limited to the same object types, to the roles that support AU scope, and to assignments made at the unit's scope. Even Global Administrators cannot modify objects inside an RMAU unless they hold a role scoped to the unit; what they (and Privileged Role Administrators) can still do is manage the unit itself, adding or removing members and creating the scoped assignments, which is how roles get delegated into it in the first place.
There are also constraints on role assignment scope and count: the scope of a role assigned through the unit is automatically set to that RMAU, and each unit can have a maximum of 100 role assignments. A single Entra ID tenant can have up to 500 administrative units, including restricted management units.
Azure Administrative Units Best Practices and Security
Restricted management administrative units are the most security-relevant use of the feature. Put your Global Administrator, Privileged Role Administrator, break-glass, and other Tier 0 accounts, and the role-assignable groups that hold such roles, in an RMAU, and only principals explicitly assigned a role at that unit's scope can modify them.
Even Global Administrators cannot modify accounts inside an RMAU unless they hold a role scoped to the unit. This closes the path where a compromised help desk or User Administrator account resets a privileged user's password or authentication methods to take over the tenant. Before you add an account, assign at least one role at the unit's scope to the people who are supposed to manage those accounts; otherwise routine operations on them will fail until a Privileged Role Administrator adds an assignment.
The audit logs record every membership change and role assignment whether or not you use RMAUs; what the RMAU adds is that the set of principals able to act on the protected accounts becomes small and explicit, so reviewing those logs and answering "who could have changed this account" is tractable. Review AU-scoped assignments on the same cadence as tenant-scoped ones, since they are easy to overlook.
Use ordinary administrative units for the complementary case: delegating user, group, and device management to regional or departmental teams without tenant-wide roles. This is what regulations that require least privilege and separation of administrative duties expect to see.
For applications that hold sensitive data or perform critical functions, protect the accounts and groups that own or administer them inside an RMAU; application objects themselves cannot be unit members, so the unit protects the application's control path rather than the application object.
Azure Administrative Units Management and Automation
To manage administrative units in Azure Active Directory, you need to be a Privileged Role Administrator or Global Administrator. These roles give you the necessary permissions to create, remove, populate, and add roles to administrative units.
Azure Active Directory allows you to assign admin roles for an administrative unit. This is done by navigating to Azure Active Directory -> Administrative units, selecting the unit, and then selecting Roles and administrators. From there, you can choose the role you need to assign, such as the User administrator role.
To assign admin roles at an administrative unit level, your organization needs an Azure AD Premium P1 or P2 license. This is because the "+Add assignments" button will be greyed out without this license.
Administrative units can be used to logically group directory objects, making it easier to delegate management of users, groups, and devices. For example, an organization with a geographically distributed IT department can create units that match its regional boundaries and give each regional help desk roles scoped to its own unit.
You can use Azure AD or Microsoft 365 portal for basic management of users and groups within administrative units. For more advanced operations, you can use PowerShell or Microsoft Graph.
To automate your activities around administrative units, you can use the Microsoft Graph PowerShell Module. This allows you to automate tasks such as creating and managing administrative units.
Creating a unit in the portal follows the steps described earlier: sign in with a Privileged Role Administrator or Global Administrator account, navigate to Entra ID -> Administrative Units, click “+ Add”, enter a name and an optional description, and decide whether to enable the “Restricted Management Administrative Unit” setting.
Once the unit exists you populate it. Membership can be assigned, where you add users, groups, and devices explicitly, or dynamic, where you set the membership type to dynamic user or dynamic device and supply a rule; the unit then automatically includes every user or device that matches. A dynamic rule moves the unit's boundary to the attributes it tests, so whoever can write those attributes can change the unit's scope; treat that write access as part of the unit's security boundary.
Here's a summary of the steps to create and manage an administrative unit:
- Sign in to the Azure portal as a Privileged Role Administrator or Global Administrator.
- Navigate to Entra ID -> Administrative Units.
- Click on “+ Add”.
- Enter a name for the unit and an optional description.
- Optionally enable the “Restricted Management Administrative Unit” setting; this is chosen at creation time.
- Click “Create”.
- Add members (assigned or dynamic), then assign roles under “Roles and administrators”.
Remember, a delegate holds the assigned role only for the objects within the administrative unit, and the unit does not limit any tenant-scoped roles that delegate also holds. Keep the two kinds of assignment separate and review both.
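The dynamic-membership variant of the procedure above, created through the Microsoft Graph PowerShell SDK rather than the portal. This is an added example, not code from the original article or from Microsoft; the unit name and the `usageLocation` values in the rule are placeholders, and the membership rule syntax is the same one used for dynamic groups.

```powershell
# Added example (not from the original article): create a dynamic-user
# administrative unit driven by an attribute rule, then read the rule and the
# resolved membership back. Display name and rule values are placeholders.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Privileged Role Administrator or Global Administrator is required.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All'

$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'EMEA-Users'                                    # placeholder
    description                   = 'Users whose usageLocation is an EMEA country'
    membershipType                = 'Dynamic'
    membershipRule                = '(user.usageLocation -in ["DE","FR","NL"])'   # placeholder rule
    membershipRuleProcessingState = 'On'
}

# The rule is stored immediately; members are resolved asynchronously, so the
# member list may be empty for a short while after creation.
Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id |
    Select-Object DisplayName, MembershipType, MembershipRule, MembershipRuleProcessingState

Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    Select-Object Id, @{ n = 'UPN'; e = { $_.AdditionalProperties['userPrincipalName'] } }

# Pausing the rule keeps the current members but stops further evaluation;
# useful while investigating an unexpected membership change.
Update-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id -BodyParameter @{
    membershipRuleProcessingState = 'Paused'
}
```

Because membership here follows `usageLocation`, every administrator able to set that attribute on a user (any tenant-scoped User Administrator, for instance) can move users into or out of this unit and therefore into or out of its delegates' reach. When you pick the attribute for a rule, pick one whose writers you already trust at the level of the unit's administrators.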
Frequently Asked Questions
What is the difference between security groups and administrative units?
Security groups are principals: you put users in them to grant access to resources, applications, or roles. Administrative units are scopes: you put users, groups, and devices in them so that a directory role can be assigned over just those objects. A group answers "who gets access"; an administrative unit answers "which objects can this administrator manage". Keeping the two straight matters because adding a group to a unit puts the group object, not its members, in the administrator's scope.
Sources
- https://blog.syscloud.com/azure-administrative-units
- https://www.oceanleaf.ch/intune-rbac-operations/
- https://www.cloud-architekt.net/azuread-administrative-units/
- https://www.ituziast.com/index.php/2021/01/04/overview-of-azure-ad-administrative-units/
- https://kaidojarvemets.com/understanding-and-implementing-restricted-management-administrative-units-in-azure-active-directory/