To delegate tasks, we create administrative units (AUs) and assign roles that are scoped to them, so that the delegated administrator can act only on the objects inside the AU. In this configuration, we create an HR AU and give the manager of the HR department the role to manage user accounts within that scope only.
First of all, we need to connect to our Azure AD with the PowerShell cmdlet Connect-AzureAD as the [email protected] user, an account that is permitted to create administrative units and assign directory roles (for example, a Global Administrator).
Use the following cmdlet to create the HR AU:
New-AzureADAdministrativeUnit -Description "Human Resources Users" -DisplayName "HR"
View the expected output:
Newly created administrative unit
Next, we add the users of the HR department to the HR AU. Use the following cmdlets to do this:
$HRAU = Get-AzureADAdministrativeUnit -Filter "displayname eq 'HR'"
# Select the tenant's initial *.onmicrosoft.com domain explicitly; (Get-AzureADDomain)[0] is not guaranteed to be it
$initialDomain = (Get-AzureADDomain | Where-Object { $_.IsInitial }).Name
$HRUser1 = Get-AzureADUser -Filter "UserPrincipalName eq 'don.hall@$initialDomain'"
$HRUser2 = Get-AzureADUser -Filter "UserPrincipalName eq 'ellen.adams@$initialDomain'"
# Add both users to the AU, then list the members to confirm
Add-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId -RefObjectId $HRUser1.ObjectId
Add-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId -RefObjectId $HRUser2.ObjectId
Get-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId | Get-AzureADUser
The output of the preceding command is as follows:
Newly added users overview
Next, we use the scoping options. In this step, we assign the User Account Administrator role (since renamed to User Administrator in Azure AD; the role template ID is unchanged) scoped to the HR AU. Verify the available role templates with the following cmdlet:
Get-AzureADDirectoryRoleTemplate
Now, we enable the User Account Administrator role by its role template ID with the following cmdlet. Get-AzureADDirectoryRole lists only roles that are already enabled in the tenant, so if the role already appears in that list, this step can be skipped:
Enable-AzureADDirectoryRole -RoleTemplateId fe930be7-5e62-47db-91af-98c3a49a38b1
Set variables and assign the user to the role:
# Match the role by the template ID enabled above rather than by display name: the name was
# changed from "User Account Administrator" to "User Administrator", so a DisplayName match may find nothing
$uaAdmin = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq "fe930be7-5e62-47db-91af-98c3a49a38b1" }
$HRUA = Get-AzureADUser -Filter "UserPrincipalName eq 'Don.Hall@$initialDomain'"
# Wrap the member in a RoleMemberInfo object and bind the role to the HR AU scope only
$uaRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $HRUA.ObjectId }
Add-AzureADScopedRoleMembership -RoleObjectId $uaAdmin.ObjectId -ObjectId $HRAU.ObjectId -RoleMemberInfo $uaRoleMemberInfo
The output of the preceding command is as follows:
User Account Administrator assignment
Next, we will test our configuration.
Open a new PowerShell session and connect to Azure AD with the Connect-MsolService command, logging in with the [email protected] credentials (the HR manager who received the scoped role).
Modify a user account assigned to the HR administrative unit:
Set-MsolUser -UserPrincipalName [email protected] -Department HR
Verify your modification:
Get-MsolUser -UserPrincipalName [email protected] | select Department
The same Set-MsolUser call against a user who is not a member of the HR AU must be rejected with an access-denied error; that refusal is the real proof that the delegation is scoped to the AU rather than granted tenant-wide.
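To confirm that the delegation really is limited to the HR AU, the following added script (not part of the original exercise) runs two checks: from the Global Administrator session it lists the scoped role memberships on the AU, and from the HR manager's session it writes to one AU member and to one user outside the AU. It assumes the HR AU and scoped assignment created above, a hypothetical account outside.user@<initial domain> that exists in the tenant but is not an AU member, and the AzureAD and MSOnline modules used in this exercise (both have since been deprecated by Microsoft in favour of Microsoft Graph PowerShell).

```powershell
# Added verification script; not from the original page. Assumes the HR AU and the scoped
# User Administrator assignment created above, and a hypothetical account 'outside.user'
# that exists in the tenant but is NOT a member of the HR AU.

# --- Part 1: run in the Global Administrator session (Connect-AzureAD) ---
# List every scoped role assignment on the HR AU, resolving the role object ID to a name.
$HRAU = Get-AzureADAdministrativeUnit -Filter "displayname eq 'HR'"
Get-AzureADScopedRoleMembership -ObjectId $HRAU.ObjectId | ForEach-Object {
    $role = Get-AzureADDirectoryRole -ObjectId $_.RoleObjectId
    [pscustomobject]@{
        Scope  = $HRAU.DisplayName
        Role   = $role.DisplayName
        Member = $_.RoleMemberInfo.UserPrincipalName
    }
}
# Expect a single entry: Scope HR, Role "User Administrator", Member don.hall@<initial domain>.
# Any additional entries are scoped admins you did not intend to create.

# --- Part 2: run in the scoped administrator's session (Connect-MsolService as the HR manager) ---
$initialDomain = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name

function Test-ScopedWrite {
    param([string]$Upn, [string]$Department)
    # Set-MsolUser raises an access-denied error when the caller's role does not cover the
    # target user; -ErrorAction Stop turns that into a catchable exception.
    try {
        Set-MsolUser -UserPrincipalName $Upn -Department $Department -ErrorAction Stop
        [pscustomobject]@{
            User       = $Upn
            Allowed    = $true
            Department = (Get-MsolUser -UserPrincipalName $Upn).Department
        }
    } catch {
        [pscustomobject]@{
            User       = $Upn
            Allowed    = $false
            Department = $_.Exception.Message
        }
    }
}

# Member of the HR AU: the write must succeed (Allowed = True).
Test-ScopedWrite -Upn "ellen.adams@$initialDomain" -Department "HR"
# Not a member of the HR AU (hypothetical account): the write must be denied (Allowed = False).
# If this one succeeds, the role was assigned tenant-wide instead of scoped to the AU.
Test-ScopedWrite -Upn "outside.user@$initialDomain" -Department "HR"
```

The negative test is the one that matters: a successful write to a user outside the AU means the role landed in the tenant-wide role membership (for example, through Add-AzureADDirectoryRoleMember) rather than in the AU-scoped membership, and the delegation is broader than intended.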
Next, we will protect an administrative account with the Privileged Identity Management (PIM) features of Azure AD Premium P2. If you don't want to invest in Azure AD Premium P2, we recommend at least protecting your administrative accounts with Azure MFA.