Wednesday 17 June 2020

Using Azure Administrative Units

Introduction

Administrative Units are a great way to logically manage the administration of various departments in your organisation and also to delegate administrative privileges to particular members of each department.

In this article we go through the process of creating Administrative Units for a hypothetical book store organisation called Great Books.  This store has two administrative departments, one for books of fiction and one for books of non fiction.  We will create the following objects.


  • A user called FictionClerk for the fiction department.
  • A user called NonFictionClerk for the non fiction department
  • A departmental administrator called FictionAdmin for the fiction department
  • A departmental administrator called NonFictionAdmin for the non fiction department.
  • A group called Great Books of Fiction (optional)
  • A group called Great Books of Non Fiction (Optional)
  • An Administrative Unit called Non Fiction Unit
  • An Administrative Unit called Fiction Unit
  • Populate the Administrative Units with their respective groups
  • Populate the Administrative Units with their respective users
  • Configure the Roles and Administrators for each Administrative Units
  • Apply the correct license for each Unit Administrator.

We will then test a scenario where the FictionAdmin attempts to reset a password for the FictionClerk.  And we will then test the scenario where the FictionAdmin attempts to reset a password for the NonFictionClerk

Create the Users

Open your Azure Portal and navigate to Azure Active Directory All Users and click on New User to create the FictionAdmin user as follows.

User name: FictionAdmin
Name: FictionAdmin
Password: Let me create the password (and set it as desired)
Block Sign in: No
Usage location: United Kingdom




Click on Create and the FictionAdmin user is created.  Do the same for the FictionClerk, NonFictionClerk and NonFictionAdmin users.

Create the Groups

In the Azure portal navigate to Group\All Groups and click on New Group.

Create the Great Books of Fiction group as follows:

Membership type: Assigned
Source: Cloud
Type: Security
Members: FictionAdmin, FictionClerk




Create the Great Books of Non Fiction group as follows:

Membership type: Assigned

Source: Cloud
Type: Security
Members: NonFictionAdmin, NonFictionClerk

Create the Administrative Units


Navigate to Administrative Units (Preview)  and click on Add and create the Non Administrators Unit as follows:

Name: Non Fiction Unit
Description: Non Fiction Unit




Create the Fiction unit as follows:

Name: Fiction Unit

Description: Fiction Unit

Populate the Administrative Units with their respective groups

Navigate to Administrative Units (Preview) and click on the Fiction Unit and click on Groups and click on Add and ensure that the Great Gooks of Non Fiction group is added.
Likewise Navigate to Administrative Units (Preview) and click on the  Fiction Unit and click on Groups and click on Add and ensure that the Great Gooks of Fiction group is added.

Populate the Administrative Units with their respective users

Navigate to Administrative Units (Preview) and click on the  Fiction Unit and click on Users and click on Add Member and ensure that the FictionClerk user is added.


Similarly do the same on the Non Fiction Unit, ensuring that the NonFictionClerk account is added to the Users of the Administrative Unit.

Configure the Roles and Administrators

Navigate to Administrative Units (Preview) and select the Fiction Unit and click on Roles and administrators (Preview)

Click on the Password administrator role and then click on Add assignments and select the FictionAdmin user.



Click on Add and the FictionAdmin user is added to the Password Administrator role.



Complete the above also for the Non Fiction Unit ensuring that theNonFictionAdmin user is added to the Password Administrator Role


Apply the License for each Administrative Unit administrator

Navigate to All Users and select the FictionAdmin account and click on Licenses.  Click on Assignments and under Select Licenses click on  Active Directory Premium and ensure that the respective license option service is selected.




Repeat the above for the FictionClerk account, as well as the NonFictionAdmin and NonFictionClerk accounts.

Test Scenario - The FictionAdmin resets a password for the FictionClerk account

Login into the Azure portal with the FictionAdmin account and navigate to Azure Active Directory and Users and select the FictionClerk User




Click on Reset password, the following message appears

A temporary password is then presented for the FictionClerk user.

Test Scenario - The FictionAdmin resets a password for the  NonFictionClerk account

Login into the Azure portal with the FictionAdmin account and navigate to Azure Active Directory and Users and select the NonFictionClerk User account.

Click on Reset password.  A message appears stating that this operation is not possible.





No comments:

Post a Comment