Forum Discussion

TomWechsler
Jul 19, 2021

(Password reset) An example of how you can use Administrative Units in Azure Active Directory!

Hi Azure / Microsoft365 friends,

This scenario is about assigning an elevated right (an administrative role) for a specific area. More precisely, to an administrative unit (You need Azure Active Directory Premium P1 for Administrative Units!). I will explain exactly what I mean by this in a moment.

I am in the Azure Active Directory.

I navigate to the users.

I select "Jane Ford".

I click on Assigned Roles on the left.

At "Select role" I choose the "Password Administrator".

In your case, the view may be somewhat different. For me, Privileged Identity Management is enabled. I select Eligible for Assignment Type and select Assign.

Now we see why I don't want to work with the permission assignment: the area is too "open".

Now the Administrative units come into play. I go back to Azure Active Directory and click on Administrative Units.

Click on "add".

We assign a name and click next.

Click on "Password Administrator".

I search "Jane Ford" and click "add".

Now click on "Review + create".

The Administrative Unit is created. Click on the Administrative Unit.

Click on Users and "Add member".

Select the users for whom Jane Ford is allowed to reset the password.

The users are now listed.

We go back to the Azure Active Directory and click on "Users".

I select "Jane Ford" again.

Click on "Assigned Roles".

You see, Jane Ford now has the role "Password Administrator", no longer on the entire directory but only on the Administrative Unit. Mission accomplished!

But now, how exactly can Jane Ford reset the passwords for the selected users? For this we (i.e. Jane Ford) use the following URL: mystaff.microsoft.com (Jane Ford needs to sign up).

Subsequently, Jane Ford sees the Administrative Unit.

Now click on the Administrative Unit. The users are displayed.

Now click on Jon Prime and the password can be reset!

I am absolutely aware that this was not the absolute ultimate! But I really wanted to share my experience with you.

Thank you for taking the time to read the article and I hope this article was useful.

Best regards, Tom Wechsler
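An added example, not part of the original post: a Python check that compares a directory-wide Password Administrator assignment with one scoped to an Administrative Unit, by computing whose passwords each holder can reset. The records are constructed sample data shaped like Microsoft Graph role assignments (`principalId`, `roleDefinitionId`, `directoryScopeId`); the role id, the unit id and every user other than Jane Ford and Jon Prime are placeholders.

```python
# Added example; all ids below are constructed placeholders, not real tenant values.
PASSWORD_ADMIN = "role-password-administrator"  # placeholder role definition id
AU_PREFIX = "/administrativeUnits/"

# Constructed records shaped like Microsoft Graph role assignments.
ASSIGNMENTS = [
    {"principalId": "jane.ford", "roleDefinitionId": PASSWORD_ADMIN,
     "directoryScopeId": AU_PREFIX + "au-helpdesk"},   # scoped, as in the post
    {"principalId": "old.helper", "roleDefinitionId": PASSWORD_ADMIN,
     "directoryScopeId": "/"},                          # whole directory
]
AU_MEMBERS = {"au-helpdesk": {"jon.prime", "amy.lee"}}
ALL_USERS = {"jon.prime", "amy.lee", "ceo", "jane.ford", "old.helper"}


def reset_scope(principal, assignments, au_members, all_users, role_id=PASSWORD_ADMIN):
    """Users whose password `principal` can reset through `role_id`.

    Simplification: a directory-wide assignment is treated as reaching every
    user; the role's own limits on resetting other admins are not modelled.
    """
    reach = set()
    for a in assignments:
        if a["principalId"] != principal or a["roleDefinitionId"] != role_id:
            continue
        scope = a["directoryScopeId"]
        if scope == "/":
            return set(all_users)
        if scope.startswith(AU_PREFIX):
            # Unknown or empty units contribute nobody.
            reach |= au_members.get(scope[len(AU_PREFIX):], set())
    return reach


def directory_wide(assignments, role_id=PASSWORD_ADMIN):
    """Principals still holding `role_id` on the entire directory."""
    return sorted({a["principalId"] for a in assignments
                   if a["roleDefinitionId"] == role_id
                   and a["directoryScopeId"] == "/"})


if __name__ == "__main__":
    for who in ("jane.ford", "old.helper"):
        print(who, sorted(reset_scope(who, ASSIGNMENTS, AU_MEMBERS, ALL_USERS)))
    print("directory-wide:", directory_wide(ASSIGNMENTS))
```

Run against an export of a tenant's real assignments, `directory_wide` lists the accounts that still need to be moved to a unit-scoped assignment.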

 

  • teddanioni
    Copper Contributor
    Hi Tom,

    Great guide, exactly what we need for a customer right now. Any idea if this can be implemented with custom Exchange admin roles?

    Thanks in advance.
    • TomWechsler
      MVP
      Thank you very much. Only a few admin roles are available at this time.
