Exchange Online and Azure AD Administrative Units (AUs)

Note: This article was first published on www.procloudguru.com by Alpesh. Since the website is down, I am publishing the content here.

This post talks about Administrative Units in Azure AD. I will also touch upon delegating mail recipient tasks in Exchange Online to one such AU. In a hybrid Exchange scenario where you sync your identities from your on-prem AD to Azure AD, it is important to keep the same level of delegation for managing Exchange mailboxes that you had on-prem. You will probably want similar controls delegated to your support staff in Exchange Online as well.

In your on-prem AD you have probably created Organizational Units (OUs) and delegated rights to some users in your organization so that they can manage users, computers or groups, and maybe even servers. You can use the same OU structure to scope delegation of administrative tasks in on-prem Exchange. Everything works as you planned in your current setup, and if you are a global or regional company you are happily delegating tasks to your local support teams.

However, as soon as you set up a hybrid Exchange infrastructure and start moving mailboxes, the first hurdle is managing Exchange delegation in the cloud. So how do you delegate the same granular controls in Exchange Online as you did in Exchange on-prem?

The answer is Azure AD Administrative Units. What OUs are for on-prem Active Directory, AUs are for Azure AD. Creating AUs is fairly simple, and so is delegating Exchange Online administration tasks to them through scoped role assignments.

Prerequisites:

a) Azure AD Premium subscription

b) Global Admin rights on your tenant

c) A good read on the reference articles mentioned in this document

d) The new Azure AD PowerShell cmdlets to perform the activities below. Read more here

Connecting to Azure AD

Connect-AzureAD

Creating the first Administrative Unit

# Display names must match the ones filtered on later ("Singapore Users", "Hongkong Users")
New-AzureADAdministrativeUnit -Description "For SG Users" -DisplayName "Singapore Users"

New-AzureADAdministrativeUnit -Description "For HK users" -DisplayName "Hongkong Users"

Get the details of the Administrative Units created

Get-AzureADAdministrativeUnit

ObjectId                             DisplayName      Description
--------                             -----------      -----------
0140579d-a1a9-479c-a881-09ac2a85652b Singapore Users  For SG Users
1ee6372d-f547-4abd-b394-80f90d1077bd Hongkong Users   For HK users

Store the Administrative Unit and the user objects in variables

$admuni = Get-AzureADAdministrativeUnit -Filter "displayName eq 'Singapore Users'"

$sguser1 = Get-AzureADUser -Filter "userPrincipalName eq 'alpesh.shinde@sguser.com'"

$sguser2 = Get-AzureADUser -Filter "userPrincipalName eq 'eswar.koneti@sguser.com'"

$sguser3 = Get-AzureADUser -Filter "userPrincipalName eq 'rohit.gokhale@sguser.com'"

Add the users to the Administrative Unit

Add-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId -RefObjectId $sguser1.ObjectId

Add-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId -RefObjectId $sguser2.ObjectId

Add-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId -RefObjectId $sguser3.ObjectId

List the users who are members of the Administrative Unit

Get-AzureADAdministrativeUnitMember -ObjectId $admuni.ObjectId

You should see the object IDs of the three members added above.
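The steps above, from creating the AU to verifying its members, as one re-runnable script. This is an added example and not code from the original post; it assumes Connect-AzureAD has already run, and the AU name and UPNs at the bottom are constructed placeholders.

```powershell
# Added example (not from the original post): create an AU only if it does not exist,
# add users to it without erroring on users who are already members, and return the
# verified member list. Assumes Connect-AzureAD has already run; the names and UPNs
# passed at the bottom are constructed placeholders.
function Set-AuMembership {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $Description,
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames
    )
    # Single quotes inside an OData filter are escaped by doubling them.
    $safeName = $DisplayName -replace "'", "''"
    $au = Get-AzureADAdministrativeUnit -Filter "displayName eq '$safeName'"
    if (-not $au) {
        $au = New-AzureADAdministrativeUnit -DisplayName $DisplayName -Description $Description
    }
    elseif (@($au).Count -gt 1) {
        throw "More than one AU is named '$DisplayName'; refusing to guess."
    }

    # Index current members by ObjectId so re-running the script is harmless.
    $existing = @{}
    Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId |
        ForEach-Object { $existing[$_.ObjectId] = $true }

    foreach ($upn in $UserPrincipalNames) {
        $safeUpn = $upn -replace "'", "''"
        $user = Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'"
        if (-not $user) { Write-Warning "User not found, skipped: $upn"; continue }
        if ($existing.ContainsKey($user.ObjectId)) { continue }   # already in the AU
        Add-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId -RefObjectId $user.ObjectId
        $existing[$user.ObjectId] = $true
    }

    # Read membership back from the directory rather than trusting our own bookkeeping.
    Get-AzureADAdministrativeUnitMember -ObjectId $au.ObjectId |
        Where-Object { $_.ObjectType -eq 'User' } |
        ForEach-Object { (Get-AzureADUser -ObjectId $_.ObjectId).UserPrincipalName }
}

# Constructed placeholder values; replace with your own AU name and user UPNs.
Set-AuMembership -DisplayName 'Singapore Users' -Description 'For SG Users' `
    -UserPrincipalNames @('user1@example.com', 'user2@example.com')
```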


Get the Existing Azure AD Roles

Get-AzureADDirectoryRole


These are the default Azure AD roles, and Exchange Service Administrator is one of them. However, we don't want to grant such extensive rights to the delegated users.

We want them to have a narrower role, for example "Mail Recipients" (the recipient admin role).

Now connect to Exchange Online PowerShell and run the commands below to assign the recipient admin role scoped to the Singapore Users AU.

Connect-EXOPSSession -UserPrincipalName exchangeadmin@sgusers.com

Validate that Exchange Online can see the Administrative Units, then validate that the user is shown as a member of the Administrative Unit.

Get-AdministrativeUnit


Get-Mailbox "alpesh.shinde@sgusers.com" | Format-List Name,AdministrativeUnit


Now list all the existing Exchange management role assignments for "Mail Recipients".

Get-ManagementRoleAssignment -Role "Mail Recipients"


We will now grant "Mail Recipients" permissions to Test Mobile User 03, scoped to the Singapore Users AU. Before the assignment, if Test Mobile User 03 logs on to the ECP he does not see any recipients.


To grant the user the necessary permissions, run the command below (the AU's object ID is the one returned by Get-AdministrativeUnit; it is redacted here):

New-ManagementRoleAssignment -Role "Mail Recipients" -RecipientAdministrativeUnitScope "6b@@@@ef-@@@@-@@@@-@@@@-@@@@@@b1a26fb" -User delegateadmin@sgusers.com


Now log on as Test Mobile User 03 and compare the permissions with the earlier screen. Also compare a user who is a member of the AU with one who is not. As the two screen grabs below show, the first user is not a member of the AU, and Test Mobile User 03 is unable to make any changes to that user's mailbox delegation.

However, for "Alpeshkumar Shinde", who is a member of the AU, the ability to modify delegation is available.


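The Exchange Online half of the procedure, assigning the scoped role and then reviewing who holds AU-scoped assignments, as an added example that is not code from the original post. It assumes an Exchange Online PowerShell session is already connected, that Get-AdministrativeUnit exposes the AU GUID as Identity, and that role assignment objects expose the scope as a RecipientAdministrativeUnitScope property; the AU name and delegate UPN at the bottom are constructed placeholders.

```powershell
# Added example (not from the original post). Two helpers for the Exchange Online side:
# one grants the "Mail Recipients" role scoped to an AU looked up by display name, and only
# if that exact assignment does not exist yet; the other reports every AU-scoped assignment
# of the role, which is the list a reviewer wants when checking who can manage which users.
# Assumptions: an Exchange Online PowerShell session is connected, Get-AdministrativeUnit
# exposes the AU GUID as Identity, and role assignment objects expose the scope as a
# RecipientAdministrativeUnitScope property (the property matching the New- parameter).
function Grant-AuScopedRole {
    param(
        [Parameter(Mandatory)] [string] $AuDisplayName,
        [Parameter(Mandatory)] [string] $DelegateUpn,
        [string] $Role = 'Mail Recipients'
    )
    $au = @(Get-AdministrativeUnit | Where-Object { $_.DisplayName -eq $AuDisplayName })
    if ($au.Count -ne 1) { throw "Expected exactly one AU named '$AuDisplayName', found $($au.Count)" }
    $auId = "$($au[0].Identity)"

    $already = Get-ManagementRoleAssignment -RoleAssignee $DelegateUpn -Role $Role -ErrorAction SilentlyContinue |
        Where-Object { "$($_.RecipientAdministrativeUnitScope)" -eq $auId }
    if ($already) {
        Write-Verbose "$DelegateUpn already holds '$Role' scoped to $AuDisplayName"
        return $already
    }
    # Scoped assignment: the delegate can manage recipients inside this AU and nothing else.
    New-ManagementRoleAssignment -Role $Role -RecipientAdministrativeUnitScope $auId -User $DelegateUpn
}

function Get-AuScopedAssignmentReport {
    param([string] $Role = 'Mail Recipients')
    # Map AU identities to display names so the report reads as names, not GUIDs.
    $auNames = @{}
    Get-AdministrativeUnit | ForEach-Object { $auNames["$($_.Identity)"] = $_.DisplayName }

    Get-ManagementRoleAssignment -Role $Role |
        Where-Object { $_.RecipientAdministrativeUnitScope } |
        ForEach-Object {
            $scopeId = "$($_.RecipientAdministrativeUnitScope)"
            [pscustomobject]@{
                Assignment = $_.Name
                Assignee   = $_.RoleAssignee
                AUScope    = if ($auNames.ContainsKey($scopeId)) { $auNames[$scopeId] } else { $scopeId }
            }
        }
}

# Constructed placeholder values; replace with your own AU name and delegate UPN.
Grant-AuScopedRole -AuDisplayName 'Singapore Users' -DelegateUpn 'delegate@example.com' -Verbose
Get-AuScopedAssignmentReport | Format-Table -AutoSize
```

Running the report periodically and diffing it against the previous run shows any AU-scoped delegation that was added or widened since the last review.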

Summary:

Administrative Units are quite a powerful feature of Azure AD Premium, and I am sure they will help most organizations with hybrid as well as full cloud deployments achieve a fine-grained delegation model. This in turn improves operational effectiveness by delegating routine or less critical tasks to level 1 or level 2 support staff.

So far I have only explored Exchange Online and how AUs can be used for scoping. I will try to explore this further for SfB/Microsoft Teams video and voice integration, so that those who are recipient admins for the mailboxes can also manage users' audio and video capabilities. I will save that for another day.

I hope this post was useful to you; if you have any queries, please feel free to reach out to me.

Reference Articles:

https://docs.microsoft.com/en-us/powershell/azure/active-directory/working-with-administrative-units?view=azureadps-2.0

https://technet.microsoft.com/en-us/library/mt432940(v=exchg.160).aspx

https://technet.microsoft.com/en-us/library/dd351024(v=exchg.160).aspx

Featured Image from:

Azure Active Directory from Sovelto
