Lead Image © lassedesignen, 123RF.com

Delegate and restrict authorizations in Azure AD

Temporary Admin

Article from ADMIN 73/2023
By
Azure AD is one of the most important authentication services for cloud environments. We show you how to delegate authorizations in Azure AD to ensure better security.

In the Microsoft world of Azure and Microsoft 365 especially, Azure Active Directory (AD) is an important component for authenticating users. By synchronizing with Active Directory, organizations can also synchronize on-premises credentials to the cloud, enabling single sign-on (SSO) scenarios.

As with Active Directory, you need to keep accounts in Azure AD organized and delegate the management of various tasks. Organizational units (OUs) are used for this purpose in Active Directory; Azure AD has something similar to OUs called administrative units (AUs). In this article I'll show you how to work with AUs for a better way to delegate cloud directory authorizations. Although in general the AUs in Azure AD correspond to the OUs in Active Directory, the two differ significantly. In contrast to AD, the authorization structures in Azure AD are very flat, and restricting them is a complex process. Administrative units and role-based authorizations can be the solution.

Security with Roles in Azure AD

Administrative units are intended to improve the structure in Azure AD in much the same way that OUs do in Active Directory. Administrative units are available in the Azure portal under Azure Active Directory. They can also be configured in the Azure Active Directory admin center by selecting Azure Active Directory | Administrative units (Figure 1).

...