Administrative Units

Authors
  • Michael Bui

Overview

Documentation: Microsoft Docs

Administrative units are organizational containers for users, groups, and devices. They can be used to restrict administrative scope. In this example we're going to divide the administrative units into 3 different city offices.

In this lab, we're going to create 3 dynamic administrative units for the Vancouver, Toronto, & Calgary departments. We're then going to assign a helpdesk admin to each administrative unit.

Steps

Creating Administrative Units

  1. Go to Azure Active Directory -> Administrative Units -> Add and provide a name
  2. Select which administrator role to add. We're going to choose Helpdesk Administrator
  3. Select a user to assign this role
  4. Repeat for the other offices

Dynamic Assignment

Documentation: Microsoft Docs

  1. Go into properties of the administrative unit & change membership to dynamic user
  2. Configure dynamic assignment rules
  3. Repeat for the other cities

Validation

  • If we go back into the Vancouver Administrative Unit we'll see that it's been populated with users that have the city property equal to Vancouver

  • We are going to log in as the Helpdesk - Vancouver user to test if our administrative units work.

  • Looking at the roles assigned, we can see that we have the Helpdesk Administrator role only on the resource Vancouver Office

  • We should be able to reset the passwords for the users listed above, but not be able to reset passwords of other users.

  • We are able to reset the password of Kevin Jackson who is a part of the Vancouver administrative unit

  • If we attempt to reset the password of Emily Grant who is a part of the Toronto administrative unit, we'll be denied
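
The same lab scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original lab. The helpdesk account UPNs are constructed placeholders, the "<City> Office" names follow the resource name seen in the validation step, and the membership rule assumes the users' city attribute is the one being matched.

```powershell
# Added example: scripted equivalent of the portal steps (Microsoft Graph PowerShell SDK).
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# The role must already be activated in the tenant to exist as a directoryRole object.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) { throw 'Helpdesk Administrator role is not activated in this tenant.' }

# City -> helpdesk account. UPNs are constructed placeholders (assumption).
$offices = [ordered]@{
    Vancouver = 'helpdesk-vancouver@contoso.example'
    Toronto   = 'helpdesk-toronto@contoso.example'
    Calgary   = 'helpdesk-calgary@contoso.example'
}

$units = @{}
foreach ($city in $offices.Keys) {
    # Dynamic AU whose members are users with a matching city attribute.
    $units[$city] = New-MgDirectoryAdministrativeUnit -BodyParameter @{
        displayName                   = "$city Office"
        membershipType                = 'Dynamic'
        membershipRule                = "(user.city -eq `"$city`")"
        membershipRuleProcessingState = 'On'
    }
    # Assign the role scoped to this AU only, not tenant-wide.
    $admin = Get-MgUser -UserId $offices[$city]
    New-MgDirectoryAdministrativeUnitScopedRoleMember `
        -AdministrativeUnitId $units[$city].Id `
        -BodyParameter @{ roleId = $role.Id; roleMemberInfo = @{ id = $admin.Id } } | Out-Null
}

# Run after dynamic membership has been evaluated (processing is asynchronous).
function Test-OfficeMembership {
    param([Parameter(Mandatory)][string]$City,
          [Parameter(Mandatory)][string]$AdministrativeUnitId)
    $expected = @((Get-MgUser -Filter "city eq '$City'" -All).Id)
    $actual   = @((Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $AdministrativeUnitId -All).Id)
    [pscustomobject]@{
        City       = $City
        Missing    = @($expected | Where-Object { $_ -notin $actual })    # should be in the AU
        Unexpected = @($actual   | Where-Object { $_ -notin $expected })  # should not be in the AU
    }
}

foreach ($city in $units.Keys) {
    Test-OfficeMembership -City $city -AdministrativeUnitId $units[$city].Id
}
```

Empty `Missing` and `Unexpected` columns for each city mean the dynamic rule populated the unit as intended; the password reset test above still has to be done signed in as the scoped helpdesk account.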