Custom roles to new administrative units in preview

%3CLINGO-SUB%20id%3D%22lingo-sub-1364495%22%20slang%3D%22en-US%22%3ERe%3A%20Welcome%20to%20the%20Enable%20secure%20remote%20work%20with%20Azure%20Active%20Directory%20AMA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364495%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECurrently%20working%20with%20the%20new%20administrative%20units%20in%20preview.%20Can%20we%20assign%20custom%20roles%20to%20that%3F%20For%20some%20users%20it's%20difficult%20to%20distinguish%20between%20office%20365%20and%26nbsp%3B%20azure%20roles.%20Is%20there%20some%20documentation%20on%20that%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20looking%20for%20a%20way%20to%20block%20log-ins%20from%20outside%20company%20hq.%20I%20think%20CA%20can%20do%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364503%22%20slang%3D%22en-US%22%3ERe%3A%20Custom%20roles%20to%20new%20administrative%20units%20in%20preview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364503%22%20slang%3D%22en-US%22%3E%3CP%3EOn%20the%20first%20question%2C%20at%20this%20point%20Admin%20Units%20are%20limited%20to%20a%20few%20roles%20that%20are%20%22aware%22%20of%20the%20Admin%20Units%20concept.%20We%20are%20looking%20into%20extending%20this%20to%20more%20roles%20in%20the%20future.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20the%20second%20question%2C%20here%20is%20some%20documentation%20around%20the%20roles%20available%20in%20Azure%20AD%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-assign-admin-roles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-assign-admin-roles%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20the%20third%20question%2C%20yes%20this%20is%20possible%20with%20Conditional%20Access%20but%20we%20do%20recommend%20looking%20into%20going%20towards%20a%20zero%20trust%20model%20rather%20then%20limit%20access%20based%20on%20a%20location.%20Have%20a%20look%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F04%2F30%2Fzero-trust-deployment-guide-azure-active-directory%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F04%2F30%2Fzero-trust-deployment-guide-azure-active-directory%2F%3C%2FA%3E%26nbsp%3Bto%20learn%20mrore%20about%20zero%20trust%20and%20how%20to%20deploy%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hi all, 

 

Currently working with the new administrative units in preview. Can we assign custom roles to that? For some users it's difficult to distinguish between office 365 and  azure roles. Is there some documentation on that? 

 

Also looking for a way to block log-ins from outside company hq. I think CA can do this?

1 Reply
Highlighted

On the first question, at this point Admin Units are limited to a few roles that are "aware" of the Admin Units concept. We are looking into extending this to more roles in the future.

 

On the second question, here is some documentation around the roles available in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-ro...

 

On the third question, yes this is possible with Conditional Access but we do recommend looking into going towards a zero trust model rather then limit access based on a location. Have a look here: https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-director... to learn mrore about zero trust and how to deploy it.