Packt+ | Advance your knowledge in tech

You're reading from Mastering Identity and Access Management with Microsoft Azure. - Second Edition

Product type Book

Published in Feb 2019

Publisher Packt

ISBN-13 9781789132304

Pages 698 pages

Edition 2nd Edition

Languages

Concepts

Identity Management

Author (1):

Jochen Nickel

Table of Contents (23) Chapters

Title Page

About Packt

Contributors

Preface

1. Building and Managing Azure Active Directory

2. Understanding Identity Synchronization

3. Exploring Advanced Synchronization Concepts

4. Monitoring Your Identity Bridge

5. Configuring and Managing Identity Protection

6. Managing Authentication Protocols

7. Deploying Solutions on Azure AD and ADFS

8. Using the Azure AD App Proxy and the Web Application Proxy

9. Deploying Additional Applications on Azure AD

10. Exploring Azure AD Identity Services

11. Creating Identity Life Cycle Management in Azure

12. Creating a Security Culture

13. Identifying and Detecting Sensitive Data

14. Understanding Encryption Key Management Strategies

15. Configuring Azure Information Protection Solutions

16. Azure Information Protection Development

1. Other Books You May Enjoy

Leave a review - let other readers know what you think

Index

Assign roles to administrative units

To delegate tasks, we use the creation of administrative units (AUs) and assign roles for specific tasks. In this configuration, we generate an HR [AU] , and we assign the manager of the HR department with the role to manage user accounts in this scope.

Creating an administrative unit

First of all, we need to connect to our Azure AD with the PowerShell cmdlet Connect-AzureAD for the admin@domain.onmicrosoft.com user.

Use the following cmdlets to create the HR [AU]:

New-AzureADAdministrativeUnit -Description "Human Resources Users" -DisplayName "HR"

View the expected output:

Newly created administrative unit

Next, we will add the related users.

Adding users to an administrative unit

Next, we add the users of the HR department to the HR [AU]. Use the following cmdlets to do this:

$HRAU = Get-AzureADAdministrativeUnit -Filter "displayname eq 'HR'"
$initialDomain = (Get-AzureADDomain)[0].Name
$HRUser1 = Get-AzureADUser -Filter "UserPrincipalName eq 'don.hall@$InitialDomain'"
$HRUser2 = Get-AzureADUser -Filter "UserPrincipalName eq 'ellen.adams@$InitialDomain'"
Add-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId -RefObjectId $HRUser1.ObjectId
Add-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId -RefObjectId $HRUser2.ObjectId
Get-AzureADAdministrativeUnitMember -ObjectId $HRAU.ObjectId | Get-AzureADUser

The output of the preceding command is as follows:

Newly added users overview

Next, we will use the scoping options.

Scoping administrative roles

In the next step, we assign the user account administrator role. Verify available roles with the following cmdlet:

Get-AzureADDirectoryRoleTemplate

Now, we enable the user account administrator role with the following cmdlet:

Enable-AzureADDirectoryRole -RoleTemplateId fe930be7-5e62-47db-91af-98c3a49a38b1

Set variables and assign the user to the role:

$admins = Get-AzureADDirectoryRole
foreach($i in $admins) {
    if($i.DisplayName -eq "User Account Administrator") {
        $uaAdmin = $i
       }
    }

$HRUA = Get-AzureADUser -Filter "UserPrincipalName eq 'Don.Hall@$InitialDomain'"
$uaRoleMemberInfo = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo -Property @{ ObjectId = $HRUA.ObjectId }
Add-AzureADScopedRoleMembership -RoleObjectId $uaAdmin.ObjectId -ObjectId $HRAU.ObjectId -RoleMemberInfo $uaRoleMemberInfo

The output of the preceding command is as follows:

User Account Administrator assignment

Next, we will test our configuration.

Test your configuration

Open a new PowerShell and connect with the Connect-MsolService command to the Azure AD, and log in with Don.Hall@domain.onmicrosoft.com credentials.

Modify a user account assigned to the HR administrative unit:

Set-MsolUser -UserPrincipalName ellen.adams@domain.onmicrosoft.com -Department HR

Verify your modification:

Get-MsolUser -UserPrincipalName ellen.adams@domain.onmicrosoft.com | select Department

Next, we will protect an administrative account with the Privileged Identity Management (PIM) features of Azure AD Premium P2. We recommend using Azure MFA to protect your administrative accounts, if you don't want to invest in Azure AD Premium P2.