Delegated Administration with Azure Lively Listing Admin Items | Digital Noch

Workplace 365 comes with a set of admin roles that may be assigned to customers inside your group. Every admin position maps to widespread enterprise features and provides your customers permissions to do particular duties within the Workplace 365 admin heart and Home windows PowerShell.

That is very true for giant organizations or universities with a number of manufacturers or decentralized administration inside a single Workplace 365 tenant, the default admin roles could cause complications. Whereas the delegation of permissions in Change On-line works very nicely with Function Primarily based Entry Management (RBAC), different purposes and providers are arduous to handle at a granular degree. For instance, license administration or helpdesk for various nations, manufacturers, and organizations. In these organizations, solely a subset of administrative customers are allowed to edit properties primarily based on their area or model.

Azure Lively Listing administrative models are a container of sources that can be utilized for delegating administrative permissions and making use of insurance policies to a subset of customers. They allow central directors to delegate permissions primarily based on area, model or to set a coverage at a granular degree. It merely teams your customers into logical models. An admin will have the ability to carry out varied duties in opposition to all customers inside the scope of an administrative unit.

On the time of writing, administrative models are nonetheless in public preview and the worldwide admin must have an Azure Lively Listing Premium licensed assigned whereas customers inside the administrative models wants Azure Lively Listing Primary licenses. On this preview, solely customers might be assigned to sources. As soon as created and populated, the executive unit can be utilized as a scope to limit the granted permission solely over sources contained within the administrative unit. Additionally, there are solely two roles accessible: Person Account Administrator and Helpdesk Administrator.

Earlier than we are able to begin, the Azure Lively Listing Module public preview launch must be put in:

Set up-Module AzureADPreview
Connect with Azure Lively Listing with the Workplace 365 world admin:
Join-AzureAD

This weblog publish covers three examples of delegated administration for the position “Person Account Administrator” for a particular area, “Helpdesk Administrator” for customers inside a particular division, and we’ll scope an Change administrator to a particular administrative unit.

The next admin consumer accounts can be found:

Get-AzureADUser
ObjectId DisplayName UserPrincipalName UserType
——– ———– —————– ——–
f1851b74-617d-40c9-8943-30ac58e84f48 Dominik Hoefling (atwork) information@dominikhoefling.com Member
6d381b8c-7e16-4601-81ab-79333efb61c6 Dominik Hoefling (Change Lab) information@exchange-lab.de Member

“Dominik Hoefling (Change Lab)” is the consumer account administrator for US, Dominik Hoefling (atwork)” is the helpdesk administrator for Germany, and as nicely the Change administrator for a sure administrative unit.

Word: There are presently no parameters like -Division, -Workplace, or -Nation. And there’s no dynamic membership, you should manually add the customers to the executive unit, which additionally means you should maintain it updated. The -Nation attribute on this weblog is simply used to simply add members to totally different administrative models.

Person Administrator

The requirement is to have a number of consumer account directors just for a subset of customers inside a particular area. This instance permits the privileged consumer “Dominik Hoefling (atwork)” to administrate customers primarily based in US and deny administration for customers positioned in Germany.

Run steps 1 – 5 with a world admin account:

1. Allow the Person Account Administration Function:
   $UserServiceAdmin = Get-AzureADDirectoryRoleTemplate | The place-Object $_.DisplayName -eq “Person Account Administrator”
   Allow-AzureADDirectoryRole -RoleTemplateId $UserServiceAdmin.ObjectId
   To get an inventory of all accessible position templates, run the Get-AzureADDirectoryRoleTemplate cmdlet.
2. Create and populate the executive unit:
   New-AzureADAdministrativeUnit -Description “US area” -Displayname “US”
3. Add consumer “Andreas Bode (Change Lab)” – or all of your customers primarily based within the US – to the executive unit:
   $USAU = Get-AzureADAdministrativeUnit -Filter “displayname eq ‘US’”
   $USUsers = Get-AzureADUser -Filter “UserPrincipalName eq ‘andreas.bode@exchange-lab.de'”
   Add-AzureADAdministrativeUnitMember -ObjectId $USAU.ObjectId -RefObjectId $USUsers.ObjectId
4. Add US-scoped admin consumer account “Dominik Hoefling (Change Lab)” position member:
   $USUserAdmin = Get-AzureADUser -Filter “UserPrincipalName eq ‘information@exchange-lab.de'”
   $USUserAdminRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Mannequin.RoleMemberInfo -Property @ ObjectId = $USUserAdmin.ObjectId
   $UAUserAdmin = Get-AzureADDirectoryRole | The place-Object $_.DisplayName -eq “Person Account Administrator”
   Add-AzureADScopedRoleMembership -RoleObjectId $UAUserAdmin.ObjectId -ObjectId $USAU.ObjectId -RoleMemberInfo $USUserAdminRoleMemberInfo
5. Get an inventory of US scoped administrative models admins:
   Get-AzureADScopedRoleMembership -ObjectId $USAU.ObjectId | fl
   AdministrativeUnitObjectId : 1141b4e9-a721-4331-afed-c669c7dc53d7
   Id                         : cB-Eb4FD30G02cIJxg1lyum0QREhpzFDr-3GacfcU9eMGzhtFn4BRoGreTM–2HGU
   RoleObjectId               : 6f841f70-4381-41df-b4d9-c209c60d65ca
   RoleMemberInfo             : class RoleMemberInfo

DisplayName: Dominik Hoefling (Change Lab)
ObjectId: 6d381b8c-7e16-4601-81ab-79333efb61c6
UserPrincipalName: information@exchange-lab.de 

 

6. After this has been checked, log in to the Workplace 365 admin portal with the “Dominik Hoefling (Change Lab)” account and see what customers and accounts might be managed

Solely members within the administrative unit (step 3) might be considered and edited with the “Person Account Administrator” privileges.

The identical habits applies to Home windows PowerShell:

Set-AzureADUserPassword -ObjectId “f1851b74-617d-40c9-8943-30ac58e84f48” -Password $password
Set-AzureADUserPassword : Error occurred whereas executing SetUser
Code: Authorization_RequestDenied
Message: Inadequate privileges to finish the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Accomplished
At line:1 char:1
+ Set-AzureADUserPassword -ObjectId “f1851b74-617d-40c9-8943-30ac58e84f …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo          : NotSpecified: (:) [Set-AzureADUserPassword], ApiException
         + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Consumer.ApiException,Microsoft.Open.AzureAD16.Graph.PowerShell.Customized.C
         mdlet.SetUserPassword 

Helpdesk Administrator

The requirement is to have a number of helpdesk directors for under a subset of customers inside a particular area. You’ll be able to undergo the identical steps to configure the “Person Account Administrator” administrative unit. If required, change the variables or the consumer filter on a unique area, nation or another attribute. You solely must deal with the right ObjectId’s of the executive unit, admin position and your customers.

Change On-line Delegation

To start with, it’s not doable to create different administrative unit admin roles on the time of writing. For instance, if you wish to add the scoped position membership to the “Change Service Administrator”, you’ll obtain the next error message: