Dynamic user membership rules, Azure Active Directory Administrative Units and password reset!



Dear Microsoft 365 and Azure Friends,


A customer project raised the following requirement: a department manager should be able to reset the passwords of the employees in his own team, but he does not want to maintain group membership by hand.


To meet this requirement, I worked with the following functions:

- Azure Active Directory administrative units
- Dynamic user membership rules
- Password Administrator Role


Important: Azure Active Directory administrative units require Azure AD Premium P1 (or higher). The license is needed for each administrator who manages an administrative unit, and dynamic membership rules for administrative units also require P1.


For the dynamic user membership rules feature to work, the profile attributes must be maintained on the accounts. What I mean by that: for example, the attribute department is "Trading" or the city is "Bern". The more attributes are populated with a value, the more precisely you can scope the membership rule (the "Query Rule"). A rule such as (user.department -eq "Trading") only matches accounts whose department attribute is actually set; an employee with an empty profile will silently fall out of scope. Let me now explain this in detail.


Let's take a look at an Azure AD account, more specifically the profile.



Now it is time to create an Administrative Unit. Let's assume that Jon Prime is the department manager and that he will be given the "Password administrator" role, scoped to this Administrative Unit only.



The Administrative Unit is created. The next task is to add the members of Jon Prime's team to this Administrative Unit automatically, with a dynamic membership rule, so that nobody has to maintain the membership by hand. Let's configure it. The first step is to navigate into the Administrative Unit.


Now Jon Prime can go to the following URL and log in.



For Jon Prime, the Administrative Unit is now visible with the members it contains. He can now reset the password for these members.

Important: he can do this only for the members of this Administrative Unit, not for any other account in the Azure Active Directory. Two caveats a practitioner should keep in mind: a Password Administrator can only reset passwords of non-administrators (and other Password Administrators), so team members who hold an admin role are still out of reach, and an Administrative Unit with dynamic membership contains only the users (or only the devices) the rule selects; members and groups cannot be added to it manually.
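The same setup done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original article. It assumes Azure AD Premium P1 in the tenant, a signed-in account that may manage administrative units and role assignments, a team identified by the profile attribute department = "Trading", and the placeholder account jon.prime@contoso.com for the department manager (all constructed values). It also assumes the membershipType, membershipRule and membershipRuleProcessingState properties of the administrative unit are available on the Graph v1.0 endpoint.

```powershell
# Added example, not the article's own code. Creates a dynamic administrative unit,
# assigns Password Administrator scoped to it, and verifies the scope of the assignment.
# Assumed/constructed values: department "Trading", manager jon.prime@contoso.com.

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$department = 'Trading'
$managerUpn = 'jon.prime@contoso.com'

# 1. Administrative unit with a dynamic membership rule.
#    The rule uses the same syntax as dynamic groups; it only matches users whose
#    department attribute is populated, which is why the profiles must be maintained.
$auBody = @{
    displayName                   = "AU-$department"
    description                   = "Team $department (dynamic membership)"
    membershipType                = 'Dynamic'
    membershipRule                = "(user.department -eq `"$department`")"
    membershipRuleProcessingState = 'On'
}
$au = New-MgDirectoryAdministrativeUnit -BodyParameter $auBody

# 2. Password Administrator for the manager, scoped to this administrative unit only.
#    The role definition is looked up by name rather than hard-coding the template id.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
$manager = Get-MgUser -UserId $managerUpn

$assignment = New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $roleDef.Id `
    -PrincipalId      $manager.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 3. Checks.
#    a) Membership is computed by the rule; processing can take a few minutes,
#       so an empty list right after creation is not an error.
$members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All)
"AU $($au.DisplayName) currently has $($members.Count) member(s)"

#    b) The scope of every assignment the manager holds. A DirectoryScopeId of '/'
#       would be a tenant-wide assignment, which is exactly what this design avoids.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($manager.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId
```

The DirectoryScopeId check is the one worth keeping in a recurring script: a manager who is later handed the role from the tenant-wide Roles and administrators blade will show up with scope '/' and be able to reset passwords for the whole directory, even though the administrative unit still looks correct.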



I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler


P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

1 Reply

@TomWechsler Your explanation was clear and easy to understand, but I ran into an issue when adding groups to the administrative unit. There is no way to dynamically add groups, and I cannot add them manually because it's configured with rules. Also, when I log in to portal.azure.com, I can see all the users. Do you have some suggestions on this?


Similar to what you did, I am trying to set up AUs for specific regions and provide admin rights to specific users so that they can manage their own users, groups and configuration profiles.


Look forward to hearing from you.