News

Microsoft Previews Dynamic Administrative Units with Azure Active Directory

• By Kurt Mackie
• 04/14/2022

Microsoft this week announced a preview of dynamic administrative units, which facilitates matters for IT pros overseeing Azure Active Directory.

IT pros already can specify administrative units, which are used to "restrict permissions in a role to any portion of your organization that you define," per a Microsoft document description of administrative units. "An administrative unit can contain only users, groups, or devices," it added. Currently, it's possible to manually add or remove users, devices or groups in administrative units.

Dynamic Administrative Units
The dynamic administrative units capability, now available at preview, lets IT pros set up rules that automatically perform additions and removals for users or devices. Groups aren't supported at present.

"Administrative units with dynamic membership rules for groups are currently not supported," Microsoft's document on dynamic membership rules stated.

Moreover, the dynamic administrative units preview capability will just work for one object type (namely "users" or "devices") but not both. However, Microsoft is considering adding support for "both users and devices in the same dynamic administrative unit" in some future release, per the announcement.

Microsoft's example of using dynamic administrative units is to delegate the ability to manage employee passwords to a human resources department, which is set up as an administrative unit, as shown in an accompanying video. The rule that's set for a dynamic administrative unit will automatically account for permission changes as people join or leave the Human Resources department, per Microsoft's example.

IT pros can use the Azure Portal, the Microsoft Graph API or PowerShell to set rules for dynamic administrative units, according to Microsoft's document on dynamic membership rules.

Licensing Requirements
The licensing requirements for using dynamic administration units are rather tricky compared with using administrative units in a manual way. Here's how it was expressed in Microsoft's administrative units document:

Using administrative units requires an Azure AD Premium P1 license for each administrative unit administrator, and an Azure AD Free license for each administrative unit member. If you are using dynamic membership rules for administrative units, each administrative unit member requires an Azure AD Premium P1 license.

In other words, members of dynamic administrative units can't use the free license, but are required to have Azure AD Premium P1 licenses. An organization with "1,000 unique users in all dynamic administrative units" would require "at least 1,000 licenses for Azure AD Premium P1," according to Microsoft's document on dynamic membership rules.

More To Come
The dynamic administrative units preview announcement is part of a series on role-based access control enhancements for Azure AD users coming from Microsoft.

Last month, Microsoft announced the commercial release of a "custom roles for delegated app management" capability. More Azure AD developments on role-based access control for administrative units and custom roles will be coming, Microsoft promised.