Forum Discussion

Mike_Feihle
Copper Contributor
Jan 01, 2022

Limiting access based on domain

I have 1 tenant with 12 domains.  I would like to give 1 email account on each domain access to change users under their domain,  but only to their domain.

Possible?

  • Depends on which tasks exactly you are looking to limit (or provide access to). What Microsoft offers in this area is the Administrative units feature, however it's still fairly limited and does not support all workloads or admin roles: https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units
    If you are only looking to do this for Exchange related tasks, the Exchange RBAC model has sufficient controls available to configure this (via the so-called management scopes). If you want a more robust solution across all of M365, your best bet is third-party tools, at least for the time being.
    • Mike_Feihle
      Copper Contributor

      Thanks for the link.  I need to purchase a license for that, and I won't do that unless I can see how it works.  The documentation is vague.  I see I can create an AU in Azure AD, and assign users to the roles, but, how does that get attached to one of the domains, so when they log into M365 to add/remove/change users and passwords, they only can see the users under that specific domain?

      • VasilMichev
        MVP
        There are plenty of articles detailing how it works out there, I even did some webinars on AUs back in the day. And you can always play with it with a free trial (demo) tenant, as getting your hands dirty is the best way to learn stuff.

        If add/remove/change users and password is all you need here, there is already support for that within the M365 Admin center via AUs. Still, don't get your hopes too high, as AUs have some limitations. Here's an (outdated) article on how it worked back in the old admin center: https://blog.quadrotech-it.com/blog/working-with-administrative-units-in-the-office-365-admin-center/
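One way to set up what the first reply and VasilMichev's follow-up describe (an Administrative Unit holding one domain's users, a User Administrator assignment scoped to that AU only, and the Exchange-side equivalent via a management scope), as an added example that is not from the thread; the domain contoso.com, the delegated account helpdesk@contoso.com and the AU/scope names are assumptions:

```powershell
# Added example (not from the thread). Assumed: domain contoso.com, delegate helpdesk@contoso.com.
# Uses the Microsoft Graph PowerShell SDK for the AU/role part and Exchange Online PowerShell for the scope.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$domain   = "contoso.com"
$delegate = "helpdesk@$domain"

# 1. Create the AU that will hold this domain's users.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "AU - $domain" -Description "Users whose UPN ends in @$domain"

# 2. Populate it. endswith() is an advanced query, so ConsistencyLevel + a count variable are required.
$members = Get-MgUser -Filter "endswith(userPrincipalName,'@$domain')" -ConsistencyLevel eventual -CountVariable n -All
foreach ($u in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}
# Caveat: this membership is static. A user created later with a @contoso.com UPN is outside
# the AU (and outside the delegate's reach) until added here again or via a dynamic membership rule.

# 3. Give the delegate User Administrator scoped to the AU, not to the whole tenant.
$roleDef   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$principal = Get-MgUser -UserId $delegate
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id -PrincipalId $principal.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 4. Verify: every assignment for the delegate should show an /administrativeUnits/... scope.
#    A DirectoryScopeId of "/" would mean a tenant-wide assignment, which is what this setup is meant to avoid.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($principal.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId

# 5. Exchange side: a custom recipient write scope limited to the domain, attached to a role assignment.
Connect-ExchangeOnline
New-ManagementScope -Name "Recipients - $domain" -RecipientRestrictionFilter "WindowsEmailAddress -like '*@$domain'"
New-ManagementRoleAssignment -Name "Mail Recipients - $domain" -Role "Mail Recipients" -User $delegate `
    -CustomRecipientWriteScope "Recipients - $domain"
```

The AU scope only restricts roles that support AU scoping, and the Exchange scope only restricts Exchange cmdlets, so both pieces are needed to cover the user-management and mailbox-management cases the thread mentions.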