Creating Azure AD AUs
Azure AD AUs are used in scenarios where granular administrative control is required. AUs have the following prerequisites:
- An Azure AD Premium P1 license is required for each AU administrator.
- An Azure AD Free license is required for AU members.
- A privileged role administrator or global administrator is required for configuration.
Tip
AUs can be created via the Azure portal or PowerShell.
The easiest way to explain AUs is by using a scenario. A company called Contoso is a worldwide organization with users across 11 countries. Contoso has decided that each country is responsible for its own users from an administrative point of view. That is where Azure AD AUs come in handy. With AUs, Contoso can group users per country and assign administrators that only have control over these users and cannot administrate users in other countries.
The following diagram displays a high-level overview of how AUs work in the same tenant across different departments. The following example is based on different regions:
Figure 1.8 – An AU overview displaying the separation of users for US sales and UK sales
The following roles can be assigned within an AU:
- Authentication administrator
- Groups administrator
- Help desk administrator
- License administrator
- Password administrator
- User administrator
Important Note
Groups can be added to the AU as an object; therefore, any user within the group is not automatically part of the AU.
Now, let's go ahead and create an AU via the Azure portal:
- Navigate to the Azure portal by opening a web browser and browsing to https://portal.azure.com.
- In the left-hand menu, select Azure Active Directory.
- Under the Manage blade of Azure AD in the left-hand menu, select Administrative units and click on + Add:
Figure 1.9 – The AU blade within Azure AD
- Enter a name for the group. I'm using
South Africa Users. In the Description field, it is best practice to add a brief description of what this AU is going to be used for:
Figure 1.10 – The creation blade for an AU
- Next, under Assign roles, add the users that you want to be administrators based on the available roles. Then, select Password administrator and choose PacktUser1.
- Click on Review + create:
Figure 1.11 – The AU summary page
- The next step is to add all the users you want PacktUser1 to manage; in our case, we need to add PacktUser1, PacktUser2, and PacktUser3. On the left-hand side, under Manage, click on Add member and select the members:
Figure 1.12 – Adding users to the AU
Figure 1.13 – Displaying the users added to the AU
- You can now log in with PacktUser1, and you should be able to reset the password of PacktUser2.
Important Note
Remember, you need to assign an Azure AD P1 license to administrators within the AU.
In this section, we explained what an AU is and how it can be used. Additionally, we went through the creation of an AU step by step.
We encourage students to read up further by using the following links, which will provide additional information around AU management:
- https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage
- https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-add-manage-users
Now, let's move on and take a look at how to manage user and group properties.