Lead Image © lassedesignen, 123RF.com

Delegate and restrict authorizations in Azure AD

Temporary Admin

Article from ADMIN 73/2023
Azure AD is one of the most important authentication services for cloud environments. We show you how to delegate authorizations in Azure AD to ensure better security.

In the Microsoft world of Azure and Microsoft 365, especially, Azure Active Directory (AD) is an important component for authenticating users. By synchronizing with Active Directory, organizations can also synchronize on-premises credentials to the cloud, enabling single sign-on (SSO) scenarios.

As with Active Directory, you need to keep accounts in Azure AD organized and delegate the management of various tasks. Organizational units (OUs) are used for this purpose in Active Directory; Azure AD has something similar to OUs called administrative units (AUs). In this article I'll show you how to work with AUs for a better way to delegate cloud directory authorizations. Although in general the AUs in Azure AD correspond to the OUs in Active Directory, the two differ significantly. In contrast to AD, the authorization structures in Azure AD are very flat, and restricting them is a complex process. Administrative units and role-based authorizations can be the solution.

Security with Roles in Azure AD

Administrative units are intended to help improve the structure in Azure AD in much the same way that OUs do in Active Directory. Administrative units are available on the Azure portal under Azure Active Directory. They can also be configured in the Azure Active Directory admin center by selecting Azure Active Directory | Administrative units (Figure 1).

Figure 1: Administrative units in Azure AD correspond to the organizational units of Active Directory. Management is through the Azure portal.

In Azure, authorizations for all resources can be mapped with a role-based authorization structure. You need to restrict the authorizations for administrators so that only the permissions that are genuinely necessary are granted, which complicates the configuration to some extent but significantly improves security. Administrative units work in combination with role-based access control (RBAC), which means you can assign roles to the AUs and then map them to users, groups, and devices. The Azure AD objects to which the AU is linked can be managed by the users who are members of the roles, which in turn are linked to the AU.

After clicking on a user account, you can go to the Users section and click Assigned Roles to control which authorizations belong to the subscription. If you click on a role when managing the assigned roles, you then see all the user accounts assigned to this role. The possibility of working with Privileged Identity Management in Azure AD is also interesting. Doing so lets you designate users who are authorized to perform administrative tasks only for a certain period of time. You can then assign these roles to administrative units.

Isolating Users

Administrative units basically help you control and restrict the type of administrative access for admins. The purpose is to isolate specific users and groups and their devices from the admin groups. Administrative units let you create administration containers and a logical structure of authorizations in Azure AD. The scope of the admins' permissions can be flexibly controlled with AUs.

Administrative units let you control authorizations for users and groups, and you can even configure access to devices in the preview. In the Azure AD admin center, you can use the Devices menu item to check which devices are currently joined to Azure AD, including devices that are connected but not managed by, or compliant with, the stored policies. All devices lets you check at any time whether all of the devices are still required.

For security reasons, it may make sense to remove devices that are no longer needed. At this point, you can also adjust the device settings and define who is allowed to join devices to your Azure AD and how many. To do so, call up the Device settings menu item, where you can link the devices found there to new AUs and then delegate the management tasks. It is also possible to add computers dynamically (i.e., on the basis of their attributes).

Creating, Customizing, and Managing AUs

To create and control management entities and their associated objects, you need to familiarize yourself with the various management tools in Azure. They also play an important role for Microsoft 365. Web portals are used to control most options for managing Azure, Azure AD, and therefore the management entities.

To manage Azure AD, Microsoft 365, and Azure, you need to know the various URLs, and maybe even save them as favorites, to access the various management portals directly. The most important portals are shown in Table 1.

Table 1: Microsoft Portals

Portal                                       URL

Management portals
     Microsoft Azure                         https://portal.azure.com
     Azure AD admin center                   https://aad.portal.azure.com
     Microsoft 365 admin center              https://admin.microsoft.com
     Microsoft Teams admin center            https://admin.teams.microsoft.com
     Microsoft Exchange admin center         https://admin.exchange.microsoft.com
     SharePoint admin center                 https://admin.microsoft.com/sharepoint
     Microsoft Endpoint Manager admin console https://endpoint.microsoft.com
     Azure Cloud Shell                       https://shell.azure.com
     Azure subscriptions                     https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade

User portals
     Azure AD user self-service              https://myaccount.microsoft.com
     Microsoft user account                  https://account.microsoft.com

For AUs, you would either use the Azure portal and call up Azure Active Directory there or use the Azure AD admin center from the outset, where Add gives you a quick and easy way to create new management entities. The first step is to define the name of the administrative unit. You can then specify which administrator roles you want to assign to the AU under Assign roles (Figure 2). The process is not complicated, and you can customize the roles assigned to an AU at any time.

Figure 2: Assigning the administrator roles for a new administrative unit.

For each role, the Description column shows which authorizations it has and the tasks for which it can be used. You can then assign user accounts from the respective tenant to the individual roles. After assigning roles to the new administrative unit, you can then create it.

The AU can then be viewed from the Administrative units menu item, where you can adjust the settings at any time and assign users, groups, devices, and roles (Figure 3). These objects can then be managed by the users who are members of the administrative roles; in turn, these roles are part of the management entity. Static assignments are possible at this point, but you can also manage AUs dynamically.

Figure 3: Customizing the management entities in Azure AD.
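The same delegation the portal steps above build (a dynamic AU, a narrow role scoped to it, and the time-limited PIM variant mentioned earlier) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the article; the AU name, the department filter, and the helpdesk UPN are assumed placeholders.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph module is
# installed and the caller holds a role that may create AUs and assign roles.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'User.Read.All'

# 1. Dynamic AU: users whose department attribute is "Sales" (assumed value)
#    fall into scope automatically, so no static membership upkeep is needed.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = 'AU-Sales'
    description                   = 'Delegated user management for Sales'
    membershipType                = 'Dynamic'
    membershipRule                = '(user.department -eq "Sales")'
    membershipRuleProcessingState = 'On'
}

# 2. Built-in role to delegate. User Administrator is far narrower than
#    Global Administrator and covers typical helpdesk tasks.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'User Administrator'"

# 3. The delegate (assumed UPN) who may manage only objects inside the AU.
$admin = Get-MgUser -UserId 'sales-helpdesk@contoso.example'

# 4a. Standing but AU-scoped assignment: directoryScopeId restricts the role
#     to the AU rather than the whole tenant.
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $admin.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 4b. PIM alternative: the delegate is only eligible, must activate the role
#     when needed, and the eligibility itself expires after 90 days.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Time-boxed Sales helpdesk delegation'
    principalId      = $admin.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P90D' }
    }
}

# 5. Review: list every active assignment scoped to this AU with its role name.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Principal = $_.PrincipalId; Role = $def.DisplayName }
    }
```

Use either step 4a or 4b, not both, for the same delegate; the review in step 5 is the check worth running periodically to confirm no assignment has quietly widened to tenant scope ("/").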
