Configuring Azure Administrative Units

Hey guys,

I’m back and today I’m going to talk about Azure Administrative Units. The idea to talk about this came from a recent request from one of the customers of the company I currently work for.

The customer has several sites in different countries, and the IT department wanted an administrator at each of these locations, but that administrator should only be able to manage the users from that specific location.

Well, to start, I need to say that to make use of Administrative Units you need at least the Azure AD Premium P1 license (the license is required for the administrators you assign to an Administrative Unit, not for the users who are members of it). That said, let’s get down to business.

Open the Azure portal and go to Azure Active Directory.

AU_01

You will find the Administrative Units option in the Manage blade on the left side.

Click on Administrative Units and then hit Add. The next step is to give the Administrative Unit a name, select which role the administrator will have and finally select the user who will be the administrator.

AU_02

Well, in this scenario I configured as follows:

  • Name: France Users
  • Role: User Administrator
  • Administrative Unit Administrator: IT Test

To recap, the user “IT Test” will have the role “User Administrator” in the Administrative Unit called “France Users”.

OK? Now it’s simple: we just need to put the users that should be managed by the Administrative Unit administrator into the Administrative Unit, either manually or through a Dynamic Rule.

Returning to the portal, click on Administrative Units and you should see the Administrative Unit that was created according to the previous steps.

AU_03

As you can see, when you create an Administrative Unit the “Membership Type” option is set to Assigned by default, which means you need to add users manually.

But we know that this is an error-prone process: sooner or later you will miss a user, and we know where that can lead, so automating it is the best solution, and that’s where the Dynamic Rule comes in.

Ok, go back to the portal and click on the Administrative Unit you created earlier and you should see something similar to the image below.

AU_04

Now click on Properties (Preview), change the Membership Type option to Dynamic User, and an option called “Add Dynamic Query” will appear.

AU_05

Click on “Add Dynamic Query” and configure the rule that best suits your scenario. In my scenario I will base the rule on the user’s Country attribute being “France”.

AU_06

Hit save twice and the Dynamic Query is created. From now on, every user that is created or changed in Azure AD whose Country is set to France will automatically be added to this Administrative Unit, and a user whose Country changes to something else will be removed just as automatically. Note that the rule evaluates the Country attribute (user.country), not the Usage location, which is a separate attribute, so make sure the right one is filled in on your users.

AU_08

Ok, within a few minutes you will see that the Users blade inside your Administrative Unit starts to be populated with all the users that match the rule you created.

AU_07

There it is, my users from France have been added to the Administrative Unit, and as you can see the options to add and remove members are greyed out, because membership is now controlled by the rule.
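For anyone who prefers to script the steps above instead of clicking through the portal, here is the same setup (a dynamic Administrative Unit plus a User Administrator assignment scoped to it) done with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post. It assumes the Microsoft.Graph modules are installed, that the signed-in account can create administrative units and role assignments, and it reuses the names from the post (“France Users”, “IT Test”, country “France”); the -AdditionalProperties hashtable is how the SDK passes the dynamic-membership fields, and the rule string is the same syntax the portal’s query builder generates.

```powershell
# Added example (not from the original post): dynamic Administrative Unit + scoped role via Graph PowerShell.
# Assumptions: Microsoft.Graph modules installed; the account running this may create AUs and role assignments;
# the names "France Users", "IT Test" and the country value "France" are the ones used in the post.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

# 1. Create the Administrative Unit with a dynamic user rule instead of assigned membership.
#    The rule uses user.country, the "Country" attribute in the portal (not Usage location).
$au = New-MgDirectoryAdministrativeUnit -DisplayName "France Users" `
    -Description "Users whose Country attribute is France" `
    -AdditionalProperties @{
        membershipType                = "Dynamic"
        membershipRule                = '(user.country -eq "France")'
        membershipRuleProcessingState = "On"
    }

# 2. Resolve the built-in User Administrator role and the user who will administer the AU.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$admin   = Get-MgUser -Filter "displayName eq 'IT Test'"
if (-not $roleDef -or -not $admin) { throw "Role definition or admin user not found; check the names." }

# 3. Assign the role scoped to this AU only. DirectoryScopeId is what makes the assignment scoped;
#    a value of "/" would grant User Administrator across the whole tenant, which is exactly what we want to avoid.
$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $admin.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Dynamic membership is evaluated asynchronously, so poll until the first members show up.
$members = @()
for ($i = 0; $i -lt 20 -and $members.Count -eq 0; $i++) {
    Start-Sleep -Seconds 30
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All)
}

"AU '$($au.DisplayName)' ($($au.Id)) now has $($members.Count) member(s)."
"Scoped assignment $($assignment.Id): $($roleDef.DisplayName) on $($assignment.DirectoryScopeId)"
```

If the member count is still zero after the loop, give the directory a few more minutes rather than assuming the rule is wrong; the first evaluation of a new rule can take longer than the portal suggests. Either way, the assignment’s DirectoryScopeId should read /administrativeUnits/<id>, never a bare "/".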

Now you might be wondering, how do I test this? Simple: your administrator needs to log in to either admin.microsoft.com or mystaff.microsoft.com.

AU_09

After the logon, ask your Administrative Unit administrator to select the wanted Administrative Unit and he will be able to see all the users he manages.

AU_10

Or if he logs on to the Microsoft 365 admin portal, he will see the following:

AU_11

Okay, but you may be wondering (again): what if your administrator decides to access Azure AD directly? In that case he will still be able to see all users and groups (reading the directory is something every user can do by default), but he will only be able to manage the users of the Administrative Unit he has rights over. For all other users the properties will show as greyed out.
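Beyond logging in as the scoped admin and looking around, the check I would actually run is to list every role assignment that admin holds and confirm none of them is tenant-wide, because a directory-wide User Administrator assignment left over from an earlier setup would make the Administrative Unit scope meaningless. This is an added example, not code from the original post. It assumes the Microsoft Graph PowerShell SDK is installed, that the account running it can read role assignments, and that the admin is the “IT Test” user from the post.

```powershell
# Added example (not from the original post): audit the AU administrator's role assignments and
# flag any that are tenant-wide. Assumptions: Microsoft.Graph modules installed; the admin's
# display name is "IT Test" as in the post.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AdministrativeUnit.Read.All"

$admin = Get-MgUser -Filter "displayName eq 'IT Test'"
if (-not $admin) { throw "Admin user not found; check the display name." }

# Every direct assignment in the unified role management model for this principal.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($admin.Id)'" -All

$report = foreach ($a in $assignments) {
    $roleName = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
    $scope    = $a.DirectoryScopeId

    if ($scope -eq "/") {
        # "/" is the whole directory: this assignment is NOT limited to any Administrative Unit.
        $scopeName = "ENTIRE TENANT"
    }
    elseif ($scope -like "/administrativeUnits/*") {
        $auId      = $scope.Split("/")[-1]
        $scopeName = "AU: " + (Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $auId).DisplayName
    }
    else {
        # Other scopes (for example a single application object) are shown as-is.
        $scopeName = $scope
    }

    [pscustomobject]@{
        Role      = $roleName
        Scope     = $scopeName
        TenantWide = ($scope -eq "/")
    }
}

$report | Format-Table -AutoSize

# Fail loudly if the "scoped" admin actually holds a tenant-wide role.
$wide = @($report | Where-Object TenantWide)
if ($wide.Count -gt 0) {
    Write-Warning "$($admin.DisplayName) holds $($wide.Count) tenant-wide role assignment(s): $($wide.Role -join ', ')"
}
else {
    "All role assignments for $($admin.DisplayName) are scoped; no tenant-wide roles found."
}
```

This only covers direct, active assignments. If you use Privileged Identity Management (eligible assignments) or role-assignable groups, check those separately, since a tenant-wide role obtained through either of them would have the same effect.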

AU_12

That’s it folks, a simple and easy solution in case of remote location administrators or small departments and so on. You can explore several scenarios with this setup, enjoy.

See you soon.

Joao Costa

Creating Dynamic Groups on Azure AD

00

Hey guys,

In today’s post I’ll talk about a simple but very efficient subject: Dynamic Groups. Dynamic Groups are groups based on rules; if a user matches the rule, the user is added to the group automatically (groups for devices can also be created). In other words, Dynamic Groups solve the pain every administrator has keeping groups and distribution lists up to date. For example, in the environment where I work we create groups based on locations, departments and the famous “All” group.

From the moment you create the groups and rules, the only work needed from then on is to create the users correctly, I mean, fill in all the attributes correctly so that each new user matches the rule that belongs to them.

That said, let’s get started.

Go to the Azure portal and open the “Azure Active Directory” blade.

Then select Groups > New Group and you will see the following screen (for this post I will create a Microsoft 365 group for email purposes, but you can use a Security group as well). Fill in all the fields and select Dynamic User as the Membership Type.

1

The next step is to create the rule that would add users automatically based on the added criteria.

In this example rule, all users whose Department field is set to “Information Technology” will be added to the GetPractical group automatically.

2

If you want to validate the rule, click on the “Validate Rules” tab, manually add some users and then click on “Validate”. The rule will tell you which of the users you added match the criteria entered in your rule.

4

3

As you can see from my example above, only one of the users fulfils the criteria entered in this rule.

Now click save and then click create.

Just a point of attention: if, like me, you need to create a group for all employees, I advise you to first create a rule that matches nobody (or only you) and then turn off the welcome email, because every user the rule adds receives one. Unfortunately there is no way to turn off this feature during group creation, so the only way I found at this time was to create the group with a rule that doesn’t match anyone, or matches only me, then turn off the welcome notifications and the listing of the group in Outlook, and only after that switch to the real rule.

7

The image above shows an example of the welcome email and the group listed in Outlook.

10

To turn off these two features, connect to Exchange Online PowerShell (Connect-ExchangeOnline from the ExchangeOnlineManagement module) and run the two commands below. Note the parameter name is UnifiedGroupWelcomeMessageEnabled, with a trailing “d”.

Example below:

# Stop the welcome email that is sent to each new member
Set-UnifiedGroup -Identity "All@getpractical.co.uk" -UnifiedGroupWelcomeMessageEnabled:$false
# Hide the group from Outlook clients so it no longer appears in the Groups list
Set-UnifiedGroup -Identity "All@getpractical.co.uk" -HiddenFromExchangeClientsEnabled:$true
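The ordering trick described above (create with a rule that matches nobody, turn off the welcome mail, then apply the real rule) can be done in one script without a dummy rule, by using the rule’s processing state instead: create the dynamic group with the real rule but processing Paused, fix the Exchange Online settings, and only then switch processing On, so no member ever receives the welcome email. This is an added example and not code from the original post. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, that getpractical.co.uk is the tenant’s default domain so the group gets the address used in the post, and the “all employees” rule (every enabled account) is my assumption, since the post does not show the rule it used.

```powershell
# Added example (not from the original post): create a dynamic Microsoft 365 group without
# sending welcome emails. Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules are
# installed; getpractical.co.uk is the default domain so the group address matches the post;
# the "all employees" rule below (every enabled account) is assumed, the post does not show its rule.
Connect-MgGraph -Scopes "Group.ReadWrite.All"
Connect-ExchangeOnline

$mailNickname = "All"
$address      = "All@getpractical.co.uk"

# 1. Create the group with the real rule already in place but with processing PAUSED,
#    so the rule is stored without adding anyone yet.
$group = New-MgGroup -DisplayName "All" -MailNickname $mailNickname `
    -MailEnabled:$true -SecurityEnabled:$false `
    -GroupTypes @("Unified","DynamicMembership") `
    -MembershipRule '(user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "Paused"

# 2. The group takes a little while to appear in Exchange Online after it is created in the
#    directory, so wait for it before changing the Exchange settings.
$ug = $null
for ($i = 0; $i -lt 20 -and -not $ug; $i++) {
    $ug = Get-UnifiedGroup -Identity $address -ErrorAction SilentlyContinue
    if (-not $ug) { Start-Sleep -Seconds 30 }
}
if (-not $ug) { throw "Group $address is not visible in Exchange Online yet; re-run step 2 onwards later." }

# Same two settings as in the post: no welcome mail, and hidden from Outlook clients.
Set-UnifiedGroup -Identity $address -UnifiedGroupWelcomeMessageEnabled:$false
Set-UnifiedGroup -Identity $address -HiddenFromExchangeClientsEnabled:$true

# 3. Only now let the rule run. Members are added in the background without any welcome email.
Update-MgGroup -GroupId $group.Id -MembershipRuleProcessingState "On"

"Group $address created ($($group.Id)); welcome mail off, hidden from Outlook, rule processing on."
```

If you want to confirm the settings before switching processing on, Get-UnifiedGroup -Identity $address | Format-List WelcomeMessageEnabled, HiddenFromExchangeClientsEnabled shows both values; only flip the processing state once they read False and True respectively.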

That’s all for today guys, see you soon.

Joao Costa