Delegate and restrict authorizations in Azure AD
Temporary Admin
In the Microsoft world of Azure and Microsoft 365, especially, Azure Active Directory (AD) is an important component for authenticating users. By synchronizing with Active Directory, organizations can also synchronize on-premises credentials to the cloud, enabling single sign-on (SSO) scenarios.
As with Active Directory, you need to keep accounts in Azure AD organized and delegate the management of various tasks. Organizational units (OUs) are used for this purpose in Active Directory; Azure AD has something similar to OUs called administrative units (AUs). In this article I'll show you how to work with AUs for a better way to delegate cloud directory authorizations. Although in general the AUs in Azure AD correspond to the OUs in Active Directory, the two differ significantly. In contrast to AD, the authorization structures in Azure AD are very flat, and restricting them is a complex process. Administrative units and role-based authorizations can be the solution.
Security with Roles in Azure AD
Administrative units are intended to help improve the structure in Azure AD in a similar way that OUs do in Active Directory. Administrative units are available on the Azure portal under Azure Active Directory. They can also be configured in the Azure Active Directory admin center by selecting Azure Active Directory | Administrative units (Figure 1).
In Azure, authorizations for all resources can be mapped with a role-based authorization structure. You need to restrict the authorizations for administrators so that only the permissions they genuinely need are granted, which complicates the configuration to some extent but significantly improves security. Administrative units work in combination with role-based access control (RBAC), which means you can assign roles to the AUs and then map them to users, groups, and devices. The Azure AD objects that belong to the AU can be managed only by the users who are members of the roles that are, in turn, scoped to that AU.
In the Users section, click on a user account and then on Assigned roles to see and control which roles the account holds. If you click on a role when managing the assigned roles, you then see all the user accounts assigned to this role. The possibility of working with Privileged Identity Management in Azure AD is also interesting: It lets you designate users who are authorized to perform administrative tasks only for a certain period of time. You can then assign these roles to administrative units.
Isolating Users
Administrative units basically help you control and restrict the type of administrative access for admins. The purpose is to isolate specific users and groups and their devices from the admin groups. Administrative units let you create administration containers and a logical structure of authorizations in Azure AD. The scope of the admins' permissions can be flexibly controlled with AUs.
Administrative units let you control authorizations for users and groups, and, in preview, you can also add devices to them. In the Azure AD admin center, you can use the Devices menu item to check which devices are currently joined to Azure AD, as well as devices that are connected to, but not managed by or compliant with, the stored policies. The All devices view lets you check at any time whether every device is still required.
For security reasons, it may make sense to remove devices that are no longer needed. At this point, you can also adjust the device settings and define who is allowed to join devices to your Azure AD and how many. To do so, call up the Device settings menu item; the devices listed there can be added to new AUs so that their management can be delegated. It is also possible to assign computers dynamically (i.e., on the basis of their attributes).
Creating, Customizing, and Managing AUs
To create and control management entities and their associated objects, you need to familiarize yourself with the various management tools in Azure. They also play an important role for Microsoft 365. Web portals are used to control most options for managing Azure, Azure AD, and therefore the management entities.
To manage Azure AD, Microsoft 365, and Azure, you need to know the various URLs, and maybe even save them as favorites, to access the various management portals directly. The most important portals are shown in Table 1.
Table 1: Microsoft Portals

Portal | URL
---|---
Management portals |
Microsoft Azure | https://portal.azure.com
Azure AD admin center | https://aad.portal.azure.com
Microsoft 365 admin center | https://admin.microsoft.com
Microsoft Teams admin center | https://admin.teams.microsoft.com
Microsoft Exchange admin center | https://admin.exchange.microsoft.com
SharePoint admin center | https://admin.microsoft.com/sharepoint
Microsoft Endpoint Manager admin console | https://endpoint.microsoft.com
Azure Cloud Shell | https://shell.azure.com
Azure subscriptions | https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade
User portals |
Azure AD user self-service | https://myaccount.microsoft.com
Microsoft user account | https://account.microsoft.com
For AUs, you would either use the Azure portal and call up Azure Active Directory there or use the Azure AD admin center from the outset, where Add gives you a quick and easy approach to creating new management entities. The first step is to define the name of the administrative unit. You can then specify which administrator roles you want to assign to the AU under Assign roles (Figure 2). The process is not complicated and you can always customize the roles assigned to an AU.
For each role, the Description column shows which authorizations it has and the tasks for which it can be used. You can then assign user accounts that exist in the respective tenant to the individual roles. After assigning roles to the new administrative unit, you can then create it.
The AU can then be viewed from the Administrative units menu item, where you can adjust the settings at any time and assign users, groups, devices, and roles (Figure 3). These objects can then be managed by the users who are members of the administrative roles; in turn, these roles are part of the management entity. Static assignments are possible at this point, but you can also manage AUs dynamically.
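The same delegation as an added example, scripted with the Microsoft Graph PowerShell SDK rather than the portal (this is not code from the article): an AU is created, users are added to it, and the User Administrator role is assigned to a helpdesk account scoped to that AU only; the AU name, the UPNs, and the department value are placeholders constructed for this example.

```powershell
# Added example: delegate user management for one department through an AU.
# Placeholders: AU names, the contoso.example UPNs and the "Sales" department.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# 1. Create the container that will scope the delegated role.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName = "Sales Department"
    description = "Users managed by the Sales helpdesk only"
}

# 2. Statically add the users the helpdesk is allowed to manage.
foreach ($upn in @("alice@contoso.example", "bob@contoso.example")) {
    $user = Get-MgUser -UserId $upn
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)" }
}

# 3. Assign User Administrator to the helpdesk account, scoped to this AU only.
#    Get-MgDirectoryRole returns only roles already activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'User Administrator'"
if (-not $role) { throw "Activate the User Administrator role template first." }
$helpdesk = Get-MgUser -UserId "sales-helpdesk@contoso.example"
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{
    roleId         = $role.Id
    roleMemberInfo = @{ id = $helpdesk.Id }
}

# 4. Verify the result: members of the AU and the role assignments scoped to it.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id |
    ForEach-Object { $_.Id }
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = "Member"; e = { $_.RoleMemberInfo.DisplayName } }

# Alternative to step 2: dynamic membership (preview), keyed here on the
# department attribute so that new Sales users land in the AU automatically.
# A dynamic AU does not accept manually added members.
New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = "Sales Department (dynamic)"
    membershipType                = "Dynamic"
    membershipRule                = '(user.department -eq "Sales")'
    membershipRuleProcessingState = "On"
}
```

The helpdesk account can afterwards reset passwords or edit profiles only for users inside the AU, which is the restriction the article describes; a tenant-wide role assignment would still override it.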