This post talks about Administrative Units (AUs) in Azure AD. I will also touch upon delegating mail recipient tasks for Exchange Online to one such AU. In a hybrid Exchange scenario, where you sync your identities from your on-prem AD to Azure AD, it is important to maintain the same level of delegation for managing Exchange mailboxes that you had on-prem. You would probably wish to have similar controls delegated to your support staff in Exchange Online as well.
In your on-prem AD you have probably created Organizational Units (OUs) and delegated rights to some users in your organization to allow them to manage users, computers or groups, maybe even servers. You can leverage the same OU structure to allow scoped delegation of administrative tasks in on-prem Exchange. Everything is going as you planned in your current setup, and if you are a global or regional company you are happily delegating work to your local support teams.
However, as soon as you set up a hybrid Exchange infrastructure and start moving mailboxes, the first hurdle is managing Exchange delegation in the cloud. So how do you delegate the same granular controls in Exchange Online that you had in Exchange on-prem?
The answer is Azure AD Administrative Units. What OUs are for on-prem Active Directory, AUs are for Azure AD. Creating AUs is fairly simple, and so is delegating Exchange Online administration tasks to an AU through scoped role assignments. Prerequisites:
a) Azure AD Premium subscription
b) Global Admin rights on your tenant (Privileged Role Administrator is enough for creating AUs and assigning Azure AD roles; the Exchange Online role assignment below additionally needs Organization Management rights in Exchange Online)
c) A good read of the reference articles mentioned in this document
d) The Azure AD PowerShell (AzureAD module) cmdlets used for the activities below. Read more here. Note that Microsoft has since deprecated the AzureAD module in favour of Microsoft Graph PowerShell; the cmdlets still illustrate the model, but new automation should use the Graph equivalents.
Connecting to Azure AD (the AzureAD module cmdlet for this is Connect-AzureAD):
Connect-AzureAD
Creating the first Administrative Units (the DisplayName is what we filter on later, so it has to match the values used in the rest of this post):
New-AzureADAdministrativeUnit -DisplayName "Singapore Users" -Description "For SG Users"
New-AzureADAdministrativeUnit -DisplayName "Hongkong Users" -Description "For HK users"
Get the details of the Administrative Units created:
Get-AzureADAdministrativeUnit

ObjectId                             DisplayName     Description
--------                             -----------     -----------
0140579d-a1a9-479c-a881-09ac2a85652b Singapore Users For SG Users
1ee6372d-f547-4abd-b394-80f90d1077bd Hongkong Users  For HK users
Store the Administrative Unit and the users in variables:
$admuni = Get-AzureADAdministrativeUnit -Filter "displayName eq 'Singapore Users'"
$sguser1 = Get-AzureADUser -Filter "userPrincipalName eq 'email@example.com'"
$sguser2 = Get-AzureADUser -Filter "userPrincipalName eq 'firstname.lastname@example.org'"
$sguser3 = Get-AzureADUser -Filter "userPrincipalName eq 'email@example.com'"
Add the users to the Administrative Unit (the AU goes in -ObjectId, the member in -RefObjectId):
Add-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId -RefObjectId $sguser1.ObjectId
Add-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId -RefObjectId $sguser2.ObjectId
Add-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId -RefObjectId $sguser3.ObjectId
List the existing members of the Administrative Unit:
Get-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId
You should see the ObjectIds of the three members added above.
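Adding members one UPN at a time does not scale for an office of hundreds of users, and in a hybrid tenant the users that belong in an AU usually share an attribute synced from on-prem AD. The following script is an added example, not code from the original post: it populates the "Singapore Users" AU from such an attribute and is safe to re-run. The attribute (Country = 'SG'), the enabled-accounts filter and the decision to only report, not remove, stale members are my assumptions; the AU display name is the one used above. It needs an existing Connect-AzureAD session.

```powershell
# Added example (not from the original post): populate an Administrative Unit from a
# user attribute instead of one user at a time, idempotently.
# Assumptions not in the original: users that belong in the Singapore AU carry
# Country = 'SG' in Azure AD (synced from on-prem AD), and the AU already exists
# with the DisplayName used earlier in the post. Requires a Connect-AzureAD session.

param(
    [string]$AuDisplayName = 'Singapore Users',   # from the post
    [string]$CountryCode   = 'SG'                 # assumed attribute value
)

$au = @(Get-AzureADAdministrativeUnit -Filter "displayName eq '$AuDisplayName'")
if ($au.Count -eq 0) { throw "Administrative Unit '$AuDisplayName' not found" }
if ($au.Count -gt 1)  { throw "Display name '$AuDisplayName' is not unique; use the ObjectId instead" }
$au = $au[0]

# Current membership keyed by ObjectId, so re-running the script adds nothing twice.
$existing = @{}
Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -All $true |
    ForEach-Object { $existing[$_.ObjectId] = $true }

# Candidate users: only enabled accounts with the expected attribute value.
$candidates = @(Get-AzureADUser -All $true -Filter "country eq '$CountryCode' and accountEnabled eq true")

$added = 0
foreach ($u in $candidates) {
    if ($existing.ContainsKey($u.ObjectId)) { continue }
    Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $u.ObjectId
    $added++
}

# Members that no longer match the attribute are reported, not removed: removing a
# member silently shrinks the write scope of every role assignment bound to this AU,
# so that change is worth a human decision (Remove-AzureADAdministrativeUnitMember).
$candidateIds = @{}
$candidates | ForEach-Object { $candidateIds[$_.ObjectId] = $true }
$stale = @($existing.Keys | Where-Object { -not $candidateIds.ContainsKey($_) })

[pscustomobject]@{
    AdministrativeUnit = $au.DisplayName
    Added              = $added
    TotalMembers       = $existing.Count + $added
    StaleMembers       = $stale.Count
}
```

The uniqueness check matters because display names are not unique in Azure AD; if someone creates a second "Singapore Users" AU, a script that silently takes the first match could populate, and later scope roles to, the wrong unit.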
Get the existing Azure AD roles:
Get-AzureADDirectoryRole
These are the built-in Azure AD roles, and Exchange Service Administrator is one of them. However, that role is tenant-wide, and we do not want to grant such extensive rights to the delegated users. We want them to have a narrower Exchange management role, such as "Mail Recipients" (the core role of the Recipient Management role group), assigned with a write scope limited to the AU. Unlike an Azure AD role, an Exchange management role assignment can carry a recipient write scope, which is what makes AU-based delegation possible.
Head over to Exchange Online PowerShell, connect, and perform the tasks below to assign the recipient admin role scoped to the Singapore Users AU. Connect-EXOPSSession comes from the older Exchange Online Remote PowerShell (MFA) module; the current Exchange Online PowerShell module uses Connect-ExchangeOnline, and the remaining cmdlets are the same in both.
Connect-EXOPSSession -UserPrincipalName firstname.lastname@example.org
Validate that Exchange Online can see the Administrative Unit, and that the user shows up as an AU member. AUs are synchronized from Azure AD into Exchange Online, so a freshly created AU or membership can take a few minutes to appear here:
Get-Mailbox "email@example.com" | Format-List Name,AdministrativeUnit*
Now list all the existing role assignments for the "Mail Recipients" management role, so you know who already holds it and with what scope:
Get-ManagementRoleAssignment -Role "Mail Recipients"
We will now grant the "Mail Recipients" role to Test Mobile User 03, scoped to the Singapore Users AU. Before the assignment, if Test Mobile User 03 logs on to the ECP he does not see any recipients.
To grant the user the necessary permissions, run the command below. The value of -RecipientAdministrativeUnitScope is the AU's ObjectId as returned by Get-AzureADAdministrativeUnit (redacted here); the AU's display name is also accepted.
New-ManagementRoleAssignment -Role "Mail Recipients" -RecipientAdministrativeUnitScope "6b@@@@ef-@@@@-@@@@-@@@@-@@@@@@b1a26fb" -User firstname.lastname@example.org
Now log on as Test Mobile User 03 and compare the permissions with the earlier screen. Also compare a user who is a member of the AU with one who is not. In the two screen grabs below, the first user is not a member of the AU and Test Mobile User 03 is unable to make any changes to that user's delegation settings.
However, for "Alpeshkumar Shinde", who is a member of the AU, the ability to modify the delegation is available. Note what the AU scope restricts: the "Mail Recipients" role has an implicit read scope of the whole organization, so the delegate can still view recipients outside the AU; the AU limits only what he can write to. Keep that in mind before scoping roles whose read access alone would be a concern.
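Checking the result by logging on as the delegate and clicking around in the ECP works for one user, but it does not prove that no broader assignment (for example membership of the Recipient Management role group) is also in effect. The script below is an added example, not code from the original post: it creates the AU-scoped assignment idempotently and then asks Exchange Online, from the admin session, which recipients the delegate's "Mail Recipients" assignments can actually write to, using the -WritableRecipient parameter of Get-ManagementRoleAssignment. The AU name is the one used in this post; the delegate UPN, the two test mailboxes and the assignment name are placeholders. It needs an Exchange Online PowerShell session.

```powershell
# Added example (not from the original post): create the AU-scoped "Mail Recipients"
# assignment and verify its effective write scope server-side.
# Assumptions not in the original: AU name from the post; placeholder delegate UPN;
# two existing mailboxes, one inside and one outside the AU; an explicit assignment
# name so the script can be re-run. Requires an Exchange Online PowerShell session.

$auName         = 'Singapore Users'                  # from the post
$delegateUpn    = 'firstname.lastname@example.org'   # placeholder
$memberUpn      = 'member@example.com'               # placeholder: mailbox inside the AU
$nonMemberUpn   = 'outsider@example.com'             # placeholder: mailbox outside the AU
$assignmentName = 'MailRecipients-SG-Delegate'       # placeholder, must be unique in the tenant

# 1. Exchange Online must already see the AU (it syncs from Azure AD; allow a few minutes).
$au = Get-AdministrativeUnit -Identity $auName -ErrorAction Stop

# 2. Scoped assignment: the "Mail Recipients" management role, limited to recipients
#    that are members of the AU. Skipped if this named assignment already exists.
if (-not (Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignmentName -Role 'Mail Recipients' `
        -User $delegateUpn -RecipientAdministrativeUnitScope $au.Identity | Out-Null
}

# Show the scope Exchange recorded on the assignment (wildcard avoids guessing names).
Get-ManagementRoleAssignment -Identity $assignmentName | Format-List Role,RoleAssignee,*Scope*

# 3. Effective-scope check: -WritableRecipient returns only those of the delegate's
#    "Mail Recipients" assignments whose write scope covers the given recipient.
function Test-DelegateCanWrite {
    param([string]$RecipientUpn)
    $hits = @(Get-ManagementRoleAssignment -RoleAssignee $delegateUpn -Role 'Mail Recipients' `
                  -WritableRecipient $RecipientUpn -ErrorAction SilentlyContinue)
    return ($hits.Count -gt 0)
}

$result = [pscustomobject]@{
    Assignment       = $assignmentName
    CanWriteMember   = Test-DelegateCanWrite -RecipientUpn $memberUpn      # expected True
    CanWriteOutsider = Test-DelegateCanWrite -RecipientUpn $nonMemberUpn   # expected False
}
$result

# A True here means some other, broader assignment (direct or via a role group)
# also grants the delegate write access; the AU scope alone is not the whole picture.
if ($result.CanWriteOutsider) {
    Write-Warning "Delegate can write to a recipient outside the AU; review all assignments with Get-ManagementRoleAssignment -RoleAssignee $delegateUpn"
}
```

Naming the assignment explicitly is what makes the second run a no-op; without -Name, Exchange generates a name and a re-run would create a duplicate assignment with the same scope.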
Administrative Units are quite a powerful feature of Azure AD Premium, and they will help most organizations with hybrid as well as full cloud deployments achieve a fine-grained delegation model. This in turn improves operational effectiveness by delegating the mundane or less critical tasks to level 1 or level 2 support staff without handing them tenant-wide roles.
As of now I have only explored Exchange Online and how AUs can be leveraged for scoping. I will try to further explore this for SfB/Microsoft Teams video/voice integration, so that those who are recipient admins for the mailboxes can also manage users' audio/video capabilities. I will save that for some other day.
I hope this blog was useful to you, and if you have any queries please feel free to reach out to me.