In large organizations or universities with multiple brands or decentralized management inside a single Office 365 tenant, the default admin roles can cause headaches. While permission delegation in Exchange Online works well with role-based access control (RBAC), other apps and services are hard to manage at a granular level, for example license management or the help desk for different countries, brands and organizations. In such organizations only a subset of administrative users should be able to edit user properties, based on their region or brand.
Azure Active Directory administrative units are containers for resources that can be used to delegate administrative permissions and apply policies to a subset of users. They allow central administrators to delegate permissions based on region or brand, or to set policy at a granular level. An administrative unit simply groups your users into a logical unit, and an administrator can then perform the permitted tasks against all users within the scope of that administrative unit.
As of this writing, administrative units are still in public preview: the global administrator must be assigned an Azure Active Directory Premium license, while users within administrative units need Azure Active Directory Basic licenses. In this preview, only users can be added to an administrative unit as resources. Once created and populated, the administrative unit can be used as a scope to restrict a granted permission to only the resources contained in that administrative unit. Also, only two roles are available for scoping: User Account Administrator and Help Desk Administrator.
Before we can begin, the public preview of the Azure Active Directory module must be installed:
[Screenshot: installation of the AzureADPreview module]
Connect to Azure Active Directory with an Office 365 Global Administrator account:
Connect-AzureAD
This blog post covers three examples of delegated administration: the "User Account Administrator" role for a specific region, the "Help Desk Administrator" role for users within a specific department, and an Exchange administrator assigned to a specific administrative unit.
The following administrator user accounts are available:
Get-AzureADUser
ObjectId                             DisplayName                     UserPrincipalName        UserType
--------                             -----------                     -----------------        --------
f1851b74-617d-40c9-8943-30ac58e84f48 Dominik Hoefling (at work)      info@dominikhoefling.com Member
6d381b8c-7e16-4601-81ab-79333efb61c6 Dominik Hoefling (Exchange Lab) info@exchange-lab.de     Member
"Dominik Hoefling (Exchange Lab)" is the user account administrator for the US; "Dominik Hoefling (at work)" is the help desk administrator for Germany and also the Exchange administrator for a certain administrative unit.
Note: There are currently no membership parameters such as -Department, -Office, or -Country, and there is no dynamic membership. You have to add users to the administrative unit manually, which also means you have to keep the membership up to date yourself. In this post the Country attribute is used only as a convenient way to select the members for the different administrative units.
User Account Administrator
The requirement is to have multiple user account administrators, each responsible for only a subset of users within a specific region. This example allows the privileged user "Dominik Hoefling (at work)" to manage users located in the US while denying that user administration of users located in Germany.
Run steps 1 through 5 with a global administrator account:
1. Enable the User Account Administrator role:
$UserServiceAdmin = Get-AzureADDirectoryRoleTemplate | Where-Object {$_.DisplayName -eq "User Account Administrator"}
Enable-AzureADDirectoryRole -RoleTemplateId $UserServiceAdmin.ObjectId
To get a list of all available role templates, run the Get-AzureADDirectoryRoleTemplate cmdlet.
2. Create the administrative unit:
New-AzureADAdministrativeUnit -Description "US region" -DisplayName "USA"
3. Add the user "Andreas Bode (Exchange Lab)", or all US-based users, to the administrative unit (the filter must match the DisplayName chosen in step 2):
$USAU = Get-AzureADAdministrativeUnit -Filter "displayname eq 'USA'"
$USUsers = Get-AzureADUser -Filter "UserPrincipalName eq 'andreas.bode@exchange-lab.de'"
Add-AzureADAdministrativeUnitMember -ObjectId $USAU.ObjectId -RefObjectId $USUsers.ObjectId
4. Add "Dominik Hoefling (Exchange Lab)" as a US-scoped member of the User Account Administrator role:
$USUserAdmin = Get-AzureADUser -Filter "UserPrincipalName eq 'info@exchange-lab.de'"
$USUserAdminRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $USUserAdmin.ObjectId }
$UAUserAdmin = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "User Account Administrator"}
Add-AzureADScopedRoleMembership -RoleObjectId $UAUserAdmin.ObjectId -ObjectId $USAU.ObjectId -RoleMemberInfo $USUserAdminRoleMemberInfo
5. List the scoped administrators of the US administrative unit:
Get-AzureADScopedRoleMembership -ObjectId $USAU.ObjectId | fl
AdministrativeUnitObjectId : 1141b4e9-a721-4331-afed-c669c7dc53d7
Id                         : cB-Eb4FD30G02cIJxg1lyum0QREhpzFDr-3GacfcU9eMGzhtFn4BRoGreTM–2HGU
RoleObjectId               : 6f841f70-4381-41df-b4d9-c209c60d65ca
RoleMemberInfo             : class RoleMemberInfo {
                               DisplayName: Dominik Hoefling (Exchange Lab)
                               ObjectId: 6d381b8c-7e16-4601-81ab-79333efb61c6
                               UserPrincipalName: info@exchange-lab.de
                             }
6. After verifying this, sign in to the Office 365 admin portal with the account "Dominik Hoefling (Exchange Lab)" and check which users and accounts can be managed.
Only members of the administrative unit (step 3) can be viewed and edited with "User Account Administrator" privileges.
The same behavior applies to Windows PowerShell. The US-scoped administrator cannot reset the password of "Dominik Hoefling (at work)" (ObjectId f1851b74-617d-40c9-8943-30ac58e84f48), who is not a member of the administrative unit:
Set-AzureADUserPassword -ObjectId "f1851b74-617d-40c9-8943-30ac58e84f48" -Password $password
Set-AzureADUserPassword : An error occurred while executing SetUser
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Set-AzureADUserPassword -ObjectId "f1851b74-617d-40c9-8943-30ac58e84f...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADUserPassword], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.Graph.PowerShell.Custom.Cmdlet.SetUserPassword
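Because administrative unit membership is static (see the note above), the steps above have to be repeated whenever users join or leave a region. The following added example, which is not part of the original post, reconciles an administrative unit against the Country attribute it is meant to represent: it reports users who should be members but are not, members whose Country no longer matches, and the scoped administrators who currently hold rights over the unit. It assumes an existing Connect-AzureAD session with Global Administrator rights and the AzureADPreview module; the function and parameter names are this example's own.

```powershell
# Added example (not the original post's code): reconcile an administrative unit
# with the Country attribute used to populate it. Reports drift; adds missing
# members only when -AddMissing is given. Removal is deliberately left to a human.
function Sync-AdministrativeUnitByCountry {
    param(
        [Parameter(Mandatory)] [string] $AdministrativeUnitDisplayName,  # e.g. "USA"
        [Parameter(Mandatory)] [string] $Country,                        # e.g. "US"
        [switch] $AddMissing   # without this switch the function only reports
    )

    $au = Get-AzureADAdministrativeUnit -Filter "displayname eq '$AdministrativeUnitDisplayName'"
    if (-not $au) { throw "Administrative unit '$AdministrativeUnitDisplayName' not found" }

    # Users that should be in scope, selected by the Country attribute
    $expected = Get-AzureADUser -All $true | Where-Object { $_.Country -eq $Country }
    # Users currently in the administrative unit
    $current  = Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId

    $expectedIds = @($expected | ForEach-Object { $_.ObjectId })
    $currentIds  = @($current  | ForEach-Object { $_.ObjectId })

    $missing = $expected | Where-Object { $currentIds  -notcontains $_.ObjectId }
    $stale   = $current  | Where-Object { $expectedIds -notcontains $_.ObjectId }

    foreach ($u in $missing) {
        Write-Output "MISSING: $($u.UserPrincipalName) has Country '$Country' but is not in '$($au.DisplayName)'"
        if ($AddMissing) {
            Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $u.ObjectId
        }
    }
    foreach ($m in $stale) {
        # Stale members remain manageable by the scoped admins, so they are worth reviewing
        Write-Output "STALE: $($m.ObjectId) is in '$($au.DisplayName)' but no longer has Country '$Country'"
    }

    # Show who holds scoped roles over this unit, so the delegation itself gets reviewed too
    Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId | ForEach-Object {
        $role = Get-AzureADDirectoryRole -ObjectId $_.RoleObjectId
        Write-Output "SCOPED ADMIN: $($_.RoleMemberInfo.UserPrincipalName) holds '$($role.DisplayName)' over '$($au.DisplayName)'"
    }
}

# Report only:
Sync-AdministrativeUnitByCountry -AdministrativeUnitDisplayName "USA" -Country "US"
# Report and add the missing US users to the administrative unit:
Sync-AdministrativeUnitByCountry -AdministrativeUnitDisplayName "USA" -Country "US" -AddMissing
```

Run the report-only form on a schedule and the scoped administrators' reach stays aligned with the region they are supposed to manage.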
Help Desk Administrator
The requirement is to have multiple help desk administrators, each responsible for only a subset of users within a specific region. You can perform the same steps used for the "User Account Administrator" administrative unit. If necessary, change the user variables or filter to a different region, country, or any other attribute. You just have to take care to use the correct ObjectIds of the administrative unit, the administrator role, and your users.
Exchange Online Delegation
For starters, it is not possible to scope other administrator roles to an administrative unit at the time of writing this article. For example, if you try to add a scoped role membership for "Exchange Service Administrator", you will receive the following error message:
Hopefully, Microsoft will add administrator roles with more granular privileges in the future.
However, you can scope Exchange Online Role-Based Access Control (RBAC) management roles to an administrative unit. In this example we use the built-in "Mail Recipients" role and delegate it to the admin "Dominik Hoefling (Exchange Lab)", who can then manage only the US users within the previously created administrative unit.
1. Connect to Exchange Online remote PowerShell.
2. Assign the "Mail Recipients" role, scoped to the administrative unit, to the administrator:
New-ManagementRoleAssignment -Role "Mail Recipients" -RecipientAdministrativeUnitScope $USAU.ObjectId -User info@exchange-lab.de
3. The Exchange Lab administrator can now only manage mailboxes within the Azure Active Directory administrative unit:
Left image: At work (Germany) – properties cannot be edited
Right image: Exchange Lab (US) – properties covered by the Mail Recipients role can be edited
Note: the documentation as of 07/10/2017 is not correct, because the -DirectoryRole parameter does not work, not even with the latest AzureAD PowerShell module. Therefore I grabbed the ObjectId from the DirectoryRoleTemplate and passed it as a string.
Summary
Azure Active Directory administrative units are a nice step forward, but they definitely need more granular privileged admin roles that can be used with other Office 365 applications and workloads (e.g. license management based on different companies and/or countries). For now, you can scope only the built-in roles "User Account Administrator" and "Help Desk Administrator". For Exchange Online you can also scope RBAC to administrative units, which means you can cover almost all requirements and workloads, at least for Exchange.