About two years ago, Microsoft introduced administrative units in Azure Active Directory (see https://t.co/hyacW4j9Po for more).
Until now, administrative unit membership could only be set by direct assignment. Today you can also use a dynamic membership rule.
To be able to do so, you need:
- at least an Azure AD P1 license for each administrator and each unit member (the license does not need to be assigned to the unit members, but you must own the corresponding number of licenses)
- either the Privileged Role Administrator or the Global Administrator role
- the AzureADPreview PowerShell module if you plan to use PowerShell to implement it
While direct assignment lets you mix object types (users, groups or devices) in one unit, dynamic membership for administrative units does not allow it (yet? probably a preview limitation for now).
If multiple object types need to be members of the administrative unit you have to use multiple dynamic rules.
To implement the dynamic membership with PowerShell use the following commands:
- To create an administrative unit with a dynamic rule:
$adminUnit = New-AzureADMSAdministrativeUnit -DisplayName "<name of the unit>" -MembershipType "Dynamic" -MembershipRuleProcessingState "On" -MembershipRule '<dynamic query, like (user.country -eq "United States")>'
- To update an existing unit to use a dynamic rule:
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '<name of the unit>'"
# Set the membership type and processing state together with the rule, so that an assigned unit is actually switched to dynamic and the rule is evaluated
Set-AzureADMSAdministrativeUnit -Id $adminUnit.Id -MembershipType "Dynamic" -MembershipRuleProcessingState "On" -MembershipRule '<dynamic query, like (user.country -eq "United States")>'
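The following script is an added example and not code from the original post. It puts the two commands above together with the constraint that a dynamic unit holds only one object type, so it creates one unit for users and a separate one for devices, and then audits every administrative unit in the tenant so you can see which ones are rule-driven and how many objects each rule currently pulls in. It assumes the AzureADPreview module is installed and that the signed-in account holds Privileged Role Administrator or Global Administrator; the unit names, descriptions and rule filters are constructed sample values, and Get-AdminUnitMembershipReport is a helper written for this example.

```powershell
# Added example (not from the original post). Assumes AzureADPreview is installed
# and the account holds Privileged Role Administrator or Global Administrator.
# Unit names and rule filters below are constructed sample values.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# A dynamic administrative unit cannot mix object types, so one unit per type.
$userUnit = New-AzureADMSAdministrativeUnit `
    -DisplayName 'Sample US Users' `
    -Description 'Sample dynamic unit: users whose country is United States' `
    -MembershipType 'Dynamic' `
    -MembershipRuleProcessingState 'On' `
    -MembershipRule '(user.country -eq "United States")'

$deviceUnit = New-AzureADMSAdministrativeUnit `
    -DisplayName 'Sample Windows Devices' `
    -Description 'Sample dynamic unit: Windows devices' `
    -MembershipType 'Dynamic' `
    -MembershipRuleProcessingState 'On' `
    -MembershipRule '(device.deviceOSType -eq "Windows")'

# Helper written for this example: report every administrative unit with its
# membership type, rule, processing state and current member count. A broad
# rule silently widens the scope of every role assigned on that unit, so this
# is the view a tenant administrator wants to review after enabling dynamic rules.
function Get-AdminUnitMembershipReport {
    Get-AzureADMSAdministrativeUnit -All $true | ForEach-Object {
        $members = @(Get-AzureADMSAdministrativeUnitMember -Id $_.Id -All $true)
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            MembershipType  = $_.MembershipType
            ProcessingState = $_.MembershipRuleProcessingState
            Rule            = $_.MembershipRule
            MemberCount     = $members.Count
        }
    }
}

# Show only the rule-driven units; drop the Where-Object to list every unit.
Get-AdminUnitMembershipReport |
    Where-Object { $_.MembershipType -eq 'Dynamic' } |
    Format-Table -AutoSize
```

Membership of a newly created dynamic unit is populated asynchronously, so the member count can read 0 right after creation; re-run the report once the rule has been processed.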
Using the Azure AD portal (https://aad.portal.azure.com/) it is even easier.
Just open the Azure Active Directory \ Administrative units blade and select the unit you want to edit.
Then open the Properties blade, where you can switch the membership type from Assigned to Dynamic User or Dynamic Device and add the dynamic query.
The dynamic query uses the same syntax as the now well-known dynamic groups.