(Password reset) An example of how you can use Administrative Units in Azure Active Directory!

MVP

 

Hi Azure / Microsoft365 friends,

 

This scenario is about assigning an elevated right (an administrative role) for a specific area. More precisely, to an administrative unit (You need Azure Active Directory Premium P1 for Administrative Units!). I will explain exactly what I mean by this in a moment.

 

I am in the Azure Active Directory.

AU_01.JPG

 

I navigate to the users.

AU_02.JPG

 

I select the "Jane Ford".

AU_03.JPG

 

I click on Assigend Roles on the left.

AU_04.JPG

 

At "Select role" I choose the "Password Administrator".

AU_05.JPG

 

In your case, the view may be somewhat different. For me, Privileged Identity Management is enabled. I select Eligible for Assignment Type and select Assign.

AU_06.JPG

 

Now we see why I don't want to work with the permission assignment, the area is too "open".

AU_07.JPG

 

Now the Administrative units come into play. I go back to Azure Active Directory and click on Administrative Units.

AU_08.JPG

 

Click on "add".

AU_09.JPG

 

We assign a name and click next.

AU_10.JPG

 

Click on "Password Administrator".

AU_11.JPG

 

I search "Jane Ford" and click "add".

AU_12.JPG

 

Now click on "Review + create.

AU_13.JPG

 

The Administrative Unit is created. Click on the Administrative Unit.

AU_14.JPG

 

Click on Users and "Add member".

_AU_1.JPG

 

Select the users for whom Jane Ford is allowed to reset the password.

_AU_2.JPG

 

The users are now listed.

_AU_2a.JPG

 

We go back to the Azure Active Directory and click on "Users".

AU_18.JPG

 

I select the "Jane Ford" again.

AU_19.JPG

 

Click on "Assigned Roles".

AU_20.JPG

 

You see, now the Jane Ford has the role "Password Administrator but no longer on the entire directory but only on the Administrative Unit. Mission accomplished!

AU_21.JPG

 

But now, how exactly can the Jane Ford reset the passwords for the selected users? For this we (i.e. the Jane Ford) use the following URL on: mystaff.microsoft.com (Jane Ford needs to sign up). 

 

Subsequently, Jane Ford sees the Administrative Unit.

_AU_3.JPG

 

Now click on Administrative Unit. The users are displayed.

_AU_4.JPG

 

Now click on Jon Prime and the password can be reset!

_AU_5.JPG

 

I absolutely aware that this was now not the absolute ultimate! But I really wanted to share my experience with you.

 

Thank you for taking the time to read the article and I hope this article was useful.

 

Best regards, Tom Wechsler

 

2 Replies
Hi Tom,

Great guide, exactly what we need for a customer right now. Any idea if this can be implemented with custom Exchange admin roles?

Thanks in advance.
Thank you very much. Only a few admin roles are available at this time.