Delegated Administration with Azure Active Directory Admin Units | Digital Noch

Office 365 comes with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives your users permissions to do specific tasks in the Office 365 admin center and Windows PowerShell.

Especially for large organizations or universities with multiple brands or decentralized administration within a single Office 365 tenant, the default admin roles can cause headaches. While the delegation of permissions in Exchange Online works very well with Role Based Access Control (RBAC), other applications and services are hard to manage at a granular level, for example license management or helpdesk for different countries, brands, and organizations. In these organizations, only a subset of administrative users are allowed to edit properties based on their region or brand.

Azure Active Directory administrative units are a container of resources that can be used for delegating administrative permissions and applying policies to a subset of users. They allow central administrators to delegate permissions based on region or brand, or to set a policy at a granular level. It simply groups your users into logical units. An admin will be able to perform various tasks against all users within the scope of an administrative unit.

At the time of writing, administrative units are still in public preview: the global admin must have an Azure Active Directory Premium license assigned, while users within the administrative units need Azure Active Directory Basic licenses. In this preview, only users can be assigned as resources. Once created and populated, the administrative unit can be used as a scope to restrict the granted permission to resources contained in the administrative unit only. Also, there are only two roles available: User Account Administrator and Helpdesk Administrator.

Before we can start, the Azure Active Directory Module public preview release must be installed:

Install-Module AzureADPreview
Connect to Azure Active Directory with the Office 365 global admin:

This blog post covers three examples of delegated administration: the role "User Account Administrator" for a specific region, "Helpdesk Administrator" for users within a specific department, and scoping an Exchange administrator to a specific administrative unit.

The following admin user accounts are available:

ObjectId                             DisplayName                     UserPrincipalName UserType
--------                             -----------                     ----------------- --------
f1851b74-617d-40c9-8943-30ac58e84f48 Dominik Hoefling (atwork)                         Member
6d381b8c-7e16-4601-81ab-79333efb61c6 Dominik Hoefling (Exchange Lab)                   Member

"Dominik Hoefling (Exchange Lab)" is the user account administrator for the US, "Dominik Hoefling (atwork)" is the helpdesk administrator for Germany and also the Exchange administrator for a certain administrative unit.

Note: There are currently no parameters like -Department, -Office, or -Country. And there is no dynamic membership: you must manually add the users to the administrative unit, which also means you must keep it up to date. The -Country attribute in this blog is only used to easily add members to different administrative units.

User Administrator

The requirement is to have multiple user account administrators for only a subset of users within a specific region. This example allows the privileged user "Dominik Hoefling (atwork)" to administrate users based in the US and denies administration of users located in Germany.

Run steps 1 – 5 with a global admin account:

  1. Enable the User Account Administration role:
    $UserServiceAdmin = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "User Account Administrator" }
    Enable-AzureADDirectoryRole -RoleTemplateId $UserServiceAdmin.ObjectId
    To get a list of all available role templates, run the Get-AzureADDirectoryRoleTemplate cmdlet.
  2. Create and populate the administrative unit:
    New-AzureADAdministrativeUnit -Description "US region" -DisplayName "US"
  3. Add user "Andreas Bode (Exchange Lab)" – or all of your users based in the US – to the administrative unit:
    $USAU = Get-AzureADAdministrativeUnit -Filter "displayname eq 'US'"
    $USUsers = Get-AzureADUser -Filter "UserPrincipalName eq ''"
    Add-AzureADAdministrativeUnitMember -ObjectId $USAU.ObjectId -RefObjectId $USUsers.ObjectId
  4. Add the US-scoped admin user account "Dominik Hoefling (Exchange Lab)" as role member:
    $USUserAdmin = Get-AzureADUser -Filter "UserPrincipalName eq ''"
    $USUserAdminRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $USUserAdmin.ObjectId }
    $UAUserAdmin = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "User Account Administrator" }
    Add-AzureADScopedRoleMembership -RoleObjectId $UAUserAdmin.ObjectId -ObjectId $USAU.ObjectId -RoleMemberInfo $USUserAdminRoleMemberInfo
  5. Get a list of the US-scoped administrative unit admins:
    Get-AzureADScopedRoleMembership -ObjectId $USAU.ObjectId | fl
    AdministrativeUnitObjectId : 1141b4e9-a721-4331-afed-c669c7dc53d7
    Id                         : cB-Eb4FD30G02cIJxg1lyum0QREhpzFDr-3GacfcU9eMGzhtFn4BRoGreTM–2HGU
    RoleObjectId               : 6f841f70-4381-41df-b4d9-c209c60d65ca
    RoleMemberInfo             : class RoleMemberInfo

DisplayName: Dominik Hoefling (Exchange Lab)
ObjectId: 6d381b8c-7e16-4601-81ab-79333efb61c6


  6. After this has been checked, log in to the Office 365 admin portal with the "Dominik Hoefling (Exchange Lab)" account and see which users and accounts can be managed.

Only members of the administrative unit (step 3) can be viewed and edited with the "User Account Administrator" privileges.
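Since the note above points out that there is no dynamic membership, here is an added example (not code from the original post) that keeps the "US" unit's membership in sync with the users' Country attribute and then reports who holds a scoped admin role over it, so that the result of steps 1 – 6 can be re-checked at any time. It assumes an existing Connect-AzureAD session with the AzureADPreview module as a global admin, and that Remove-AzureADAdministrativeUnitMember takes the member via -MemberId.

```powershell
# Added example, not from the original post: reconcile an administrative unit's
# membership with the users' Country attribute (the post notes there is no dynamic
# membership), then list who holds a scoped admin role over that unit.
# Assumes an existing Connect-AzureAD session (AzureADPreview) as a global admin.
function Sync-AUMembershipByCountry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $AUDisplayName,  # e.g. "US"
        [Parameter(Mandatory)] [string] $Country         # expected Country attribute value
    )
    $au = Get-AzureADAdministrativeUnit -Filter "displayname eq '$AUDisplayName'"
    if (-not $au) { throw "Administrative unit '$AUDisplayName' not found" }

    # Desired state: every member user whose Country attribute matches.
    # Filtering client-side avoids relying on server-side filter support for Country.
    $wanted  = Get-AzureADUser -All $true |
               Where-Object { $_.UserType -eq 'Member' -and $_.Country -eq $Country }
    $current = Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId
    $wantedIds  = @($wanted  | ForEach-Object { $_.ObjectId })
    $currentIds = @($current | ForEach-Object { $_.ObjectId })

    # Users that now belong to the country but are not yet in the unit
    foreach ($u in $wanted | Where-Object { $currentIds -notcontains $_.ObjectId }) {
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Add to AU '$AUDisplayName'")) {
            Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $u.ObjectId
        }
    }
    # Stale members: removing them is what actually takes them out of the scoped admins' reach
    foreach ($m in $current | Where-Object { $wantedIds -notcontains $_.ObjectId }) {
        if ($PSCmdlet.ShouldProcess($m.ObjectId, "Remove from AU '$AUDisplayName'")) {
            Remove-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -MemberId $m.ObjectId
        }
    }

    # Audit output: which admin can act on this unit, and through which directory role
    Get-AzureADScopedRoleMembership -ObjectId $au.ObjectId | ForEach-Object {
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            Role               = (Get-AzureADDirectoryRole -ObjectId $_.RoleObjectId).DisplayName
            Admin              = $_.RoleMemberInfo.DisplayName
            AdminObjectId      = $_.RoleMemberInfo.ObjectId
        }
    }
}

# Dry run first (-WhatIf prints the intended adds/removes), then apply and review the audit table
Sync-AUMembershipByCountry -AUDisplayName "US" -Country "US" -WhatIf
Sync-AUMembershipByCountry -AUDisplayName "US" -Country "US" | Format-Table -AutoSize
```

Run it on a schedule so that a user who moves from the US to Germany loses the US admins' reach instead of silently staying in scope.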

The same behavior applies to Windows PowerShell:

Set-AzureADUserPassword -ObjectId "f1851b74-617d-40c9-8943-30ac58e84f48" -Password $password
Set-AzureADUserPassword : Error occurred while executing SetUser
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Set-AzureADUserPassword -ObjectId "f1851b74-617d-40c9-8943-30ac58e84f ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADUserPassword], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.Graph.PowerShell.Custom.C

Helpdesk Administrator

The requirement is to have multiple helpdesk administrators for only a subset of users within a specific region. You can go through the same steps as for the "User Account Administrator" administrative unit. If required, change the variables or the user filter to a different region, country or any other attribute. You only need to take care of the correct ObjectIds of the administrative unit, the admin role and your users.

Exchange Online Delegation

First of all, it is not possible to create other administrative unit admin roles at the time of writing. For example, if you want to add the scoped role membership to the "Exchange Service Administrator", you will receive the following error message:

[Screenshot: error message returned by Add-AzureADScopedRoleMembership for the "Exchange Service Administrator" role]

Hopefully Microsoft will add more granular privileged admin roles in the future.

However, you can scope Exchange Online Role Based Access Control (RBAC) management roles to an administrative unit. In this example, we are using the built-in "Mail Recipients" role and delegating the admin role to the "Dominik Hoefling (Exchange Lab)" admin, who can administrate only US users within the previously created administrative unit.

  1. Connect to Exchange Online Remote PowerShell.
  2. Assign the "Mail Recipients" role to the administrative unit:
    New-ManagementRoleAssignment -Role "Mail Recipients" -RecipientAdministrativeUnitScope $USAU.ObjectId -User
  3. The admin from Exchange Lab can only manage mailboxes within the Azure Active Directory administrative unit:
    [Screenshot: Exchange admin center as seen by the Exchange Lab admin]
    Left image: atwork (Germany) – no properties can be edited
    Right image: Exchange Lab (US) – properties based on the Mail Recipients role can be edited


Note: The documentation from 07/10/2017 is not correct because the parameter -DirectoryRole isn't working, also for the latest AzureAD PowerShell module. Thus, I grabbed the ObjectId of the DirectoryRoleTemplate and pass it in as a string.


Azure Active Directory administrative units are a good step forward, but they definitely need some more granular privileged admin roles that can be used with other Office 365 applications and workloads (e.g. license management based on different companies and/or countries; for now, you can only scope the built-in roles "User Account Administration" and "Helpdesk Administrator"). For Exchange Online, you can scope RBAC to administrative units as well, which means you can cover almost every requirement and workload, at least for Exchange.
