Blog Post

Microsoft Entra Blog
2 MIN READ

Azure AD RBAC: Dynamic administrative units now in public preview for users & devices

Alex Simons (AZURE)'s avatar
Apr 12, 2022

Howdy folks,

 

As part of our series of announcements for Azure Active Directory (Azure AD) role-based access control (RBAC), I’m excited to share the public preview of dynamic administrative units.

 

With dynamic administrative units, you no longer have to manually manage membership of your administrative units (or write your own automation to manage it for you). Instead, Azure AD allows you to specify a query based on user or device attributes, and then maintains the membership for you.

 

Let's take a look at some of the cool things you can do with these new capabilities:

 

 

 

 And you can check out the other announcements in the series here:

 

Create a rule for easy user membership management

To create a dynamic membership rule, go to an administrative unit and click on the Properties tab. In this example, we have an administrative unit representing the Human Resources department.

 

On the Properties blade, set the Membership Type to Dynamic User. Then click Add dynamic query to create a dynamic rule.

 

 

Here we’ve used the rule builder to create a basic rule which includes all users whose department is “Human Resources.” You can also build more complex rules using the same syntax you use for dynamic groups (see this page for details on how to do so).

 

 

Once you’ve created the rule, click Save to save the rule syntax. Then, click Save again on the Properties blade to save the membership changes to the administrative unit. Within a few minutes, the dynamic groups engine will start to populate the administrative unit with the users that match the rule.

 

 

Now, you can go to the Roles and administrators tab to delegate administrative roles over the administrative unit and be assured that the scope will be automatically kept up to date by the dynamic membership engine.

 

In this example, we’re delegating the ability to manage passwords for employees in the Human Resources department by assigning the Password Administrator role scoped to the Human Resources administrative unit.

 

 

Note: We highly recommend assigning the Password Administrator role as an eligible assignment through Privileged Identity Management.

For more information on dynamic administrative units, check out our documentation.

 

What’s next

Moving forward, we’re looking at adding support for both users and devices in the same dynamic administrative unit and offering additional properties from which you can build dynamic queries. We're also working on more great features in the Azure AD RBAC area related to administrative units and custom roles. Stay tuned for coming announcements.

 

Best regards, 

Alex Simons (Twitter: @Alex_A_Simons)

Corporate VP of Program Management 

Microsoft Identity Division

 

 

Learn more about Microsoft identity:

Updated Apr 11, 2022
Version 1.0
  • Are there any examples of a useful device query for an enterprise environment?  AUs are intended to divide administration amongst different admins. How is someone expected to tag a device to allow a query to distribute devices across various AUs? The available attributes are either device-specific like deviceId, not significant like deviceManufacturer or apparently unusable like systemLabels. (Quote from Rules for dynamically populated groups membership - Azure AD | Microsoft Docs "systemlabels is a read-only attribute that cannot be set with Intune.")

    I don't see any way to put a fleet of devices into different buckets that a dynamic device AU query can utilize.

  • High time😁👍

    But how do we get customers to sort out the very often garbage quality of the data in the directory be it AD DS or AAD?

     

    They are missing out so many amazing features because they are unwilling or unable to fix the data problem... Everyone thinks it's someone elses problem...

    This has been an issue for ever

  • giladkeidar's avatar
    giladkeidar
    Brass Contributor

    dloder you so correct. 
    seems like they just apply dynamic group functionality on AU. 


    I think the only real way to dynamically scope devices to AUs is by taking the device owner value as an attribute (and to apply that logic in dynamic group too). 


    at the moment we are using different Autopit profiles (per site/country etc) and using the profile name as an attribute for dynamic group (but surly this way has many requirements). 

    dloder  btw: when creating AU it automatically assigns common AAD roles, one of them is SharePoint admin, is that means user will have admin rights only on SharePoint settings that belongs to their AU (didn’t test it I wasn’t sure how that’s possible)

     

  • derekuoft's avatar
    derekuoft
    Copper Contributor

    What would be awesome is if you could scope the group management rights to a subset of identities. If having group administrator role means the ability to add any identity to a group, that is still a security issue that prevents this role from being delegated. 

  • broonstar's avatar
    broonstar
    Copper Contributor

    How about a membership of "Dynamic Group" so you can add groups the admin unit?