Introduction
Entra ID offers a feature called Administrative Units, which act as containers for Entra ID resources. They allow you to group together users, groups, and other resources, which is particularly useful for larger organizations that require a way to delegate administrative tasks to different departments or teams.
An enhanced version of Administrative Units, known as Restricted Management Administrative Units, provides an additional layer of security for privileged accounts by restricting who can manage these accounts. This blog post will guide you through the process of creating and managing these units using PowerShell.
Before you continue, I recommend reading my previous posts about the Restricted Management Units:
- Auditing Role Assignments of Entra ID Restricted Management Administrative Units with PowerShell – Kaido Järvemets (kaidojarvemets.com)
- New Video Tutorial: Mastering Restricted Management Administrative Units in Entra ID – Kaido Järvemets (kaidojarvemets.com)
- Understanding and Implementing Restricted Management Administrative Units in Entra ID – Kaido Järvemets (kaidojarvemets.com)
Microsoft Graph PowerShell Module Commands
Connect to Microsoft Graph
Before we start, we need to connect to Microsoft Graph using the following command:
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","Directory.Read.All"
Creating a Standard Administrative Unit
To create a standard Administrative Unit, we can use the New-MgDirectoryAdministrativeUnit cmdlet.
<#
=================================================================================
DISCLAIMER:
This script is provided "as-is" with no warranties. Usage of this script is at
your own risk. The author is not liable for any damages or losses arising from
using this script. Please review the full legal disclaimer at:
https://kaidojarvemets.com/legal-disclaimer/
=================================================================================
#>
$CloudAdminsRMUProperties = @{
    DisplayName = "RMU - Cloud Administrators"
    Description = "Azure AD Cloud Administrators"
    Visibility  = "HiddenMembership"
}
$CreateCloudAdminsRMU = New-MgDirectoryAdministrativeUnit -BodyParameter $CloudAdminsRMUProperties
$CreateCloudAdminsRMU | Format-List
Removing an Administrative Unit
To remove an Administrative Unit, use the Remove-MgDirectoryAdministrativeUnit cmdlet and pass the unit's Id as the AdministrativeUnitId parameter:
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId 741ee58a-f2ce-41a5-866c-8d0085ddb697
Creating a Restricted Administrative Unit
Creating a Restricted Administrative Unit is similar to creating a standard one, but with an additional parameter IsMemberManagementRestricted set to $true:
$CloudAdminsRMUProperties = @{
    DisplayName                  = "RMU - Cloud Administrators"
    Description                  = "Entra ID Cloud Administrators"
    Visibility                   = "HiddenMembership"
    IsMemberManagementRestricted = $true
}
$CreateCloudAdminsRMU = New-MgDirectoryAdministrativeUnit -BodyParameter $CloudAdminsRMUProperties
$CreateCloudAdminsRMU | Format-List
Getting a Specific Administrative Unit
To get a specific Administrative Unit, use the Get-MgDirectoryAdministrativeUnit cmdlet with a filter on the DisplayName property:
$RMAUGlobalAdministrators = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'RMAU - Global Administrators'"
$RMAUGlobalAdministrators | Format-List
Listing All Administrative Units
To list all the Administrative Units, use the Get-MgDirectoryAdministrativeUnit cmdlet and format the output as a table:
Get-MgDirectoryAdministrativeUnit | Format-Table -Property DisplayName,Description,Id
Adding a Single User to the Administrative Unit
To add a single user to the Administrative Unit, use the New-MgDirectoryAdministrativeUnitMemberByRef cmdlet:
$RMAUGlobalAdministrators = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'RMAU - Global Administrators'"
$User = (Get-MgUser -Filter "userPrincipalName eq 'Adams@M365x45899269.OnMicrosoft.com'").Id
$UsersBody = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$User"
}
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $RMAUGlobalAdministrators.Id -BodyParameter $UsersBody
Adding a Single Security Enabled Group to the Administrative Unit
To add a single security-enabled group to the Administrative Unit, use the New-MgDirectoryAdministrativeUnitMemberByRef cmdlet:
$RMAUFinanceTeam = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'RMAU - Finance Department'"
$Group = (Get-MgGroup -Filter "displayName eq 'Finance EXEC Team'").Id
$GroupBody = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/groups/$Group"
}
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $RMAUFinanceTeam.Id -BodyParameter $GroupBody
Getting the Members of a Specific Administrative Unit
To list the members of a specific Administrative Unit, use the Get-MgDirectoryAdministrativeUnitMember cmdlet:
$RMAUGlobalAdministrators = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'RMAU - Global Administrators'"
$RMAUUnitDetails = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $RMAUGlobalAdministrators.Id
$RMAUUnitDetails.AdditionalProperties
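As an added example (not the post's own code), the helpers below turn the raw AdditionalProperties hashtable into a readable member list with each object's type, and check membership by querying from the unit side, which is the reliable direction since the user's memberOf does not return restricted units (see the Notes section). The unit name and user principal name at the bottom are assumed values.

```powershell
# Added example: enumerate Administrative Unit members with their object type, and check
# whether a given user is a member by asking the unit rather than the user's memberOf.
function Get-AdministrativeUnitMemberReport {
    param([Parameter(Mandatory)][string]$AdministrativeUnitName)

    $AU = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AdministrativeUnitName'"
    if (-not $AU) { throw "Administrative Unit '$AdministrativeUnitName' not found" }

    # Members come back as generic directoryObjects; the concrete type and names
    # are only available in AdditionalProperties
    Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $AU.Id -All | ForEach-Object {
        $Props = $_.AdditionalProperties
        [pscustomobject]@{
            AdministrativeUnit = $AU.DisplayName
            Restricted         = $AU.IsMemberManagementRestricted
            Type               = ($Props['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName        = $Props['displayName']
            UserPrincipalName  = $Props['userPrincipalName']   # $null for groups and devices
            Id                 = $_.Id
        }
    }
}

function Test-AdministrativeUnitMember {
    param(
        [Parameter(Mandatory)][string]$AdministrativeUnitName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $Members = Get-AdministrativeUnitMemberReport -AdministrativeUnitName $AdministrativeUnitName
    # Returns $true when the UPN appears among the unit's direct user members
    [bool]($Members | Where-Object { $_.UserPrincipalName -eq $UserPrincipalName })
}

# Assumed values; replace with names from your tenant
Get-AdministrativeUnitMemberReport -AdministrativeUnitName "RMAU - Global Administrators" | Format-Table -AutoSize
Test-AdministrativeUnitMember -AdministrativeUnitName "RMAU - Global Administrators" `
    -UserPrincipalName "Adams@TENANTXXX.OnMicrosoft.com"
```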
Adding a User to the Groups Administrator Role
To add a user to the Groups Administrator Role, where the assignment is scoped with the Administrative Unit, you can use the New-MgDirectoryAdministrativeUnitScopedRoleMember cmdlet. Here’s an example:
#Add a user to the Groups Administrator Role. Assignment is scoped with the Administrative Unit.
$AADRoleName = "Groups Administrator"
<# Get-MgDirectoryRole only returns the roles that have been activated in the tenant,
so it does not list every role. In this tenant it returned:
Application Administrator
Security Operator
Intune Administrator
Privileged Role Administrator
Groups Administrator
Azure AD Joined Device Local Administrator
Global Administrator
Search Administrator
Global Reader
Directory Readers
Security Administrator
Azure DevOps Administrator
Security Reader
#>
$AADRoleData = Get-MgDirectoryRole -Filter "displayname eq '$AADRoleName'"
$RMAUGlobalAdministrators = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'RMU - Cloud Administrators'"
$UserData = Get-MgUser -Filter "userprincipalname eq 'Adams@TENANTXXX.OnMicrosoft.com'"
$RoleConfiguration = @{
    RoleId         = $AADRoleData.Id
    RoleMemberInfo = @{
        Id = $UserData.Id
    }
}
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $RMAUGlobalAdministrators.Id -BodyParameter $RoleConfiguration
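An added example (not the post's own code) that handles the limitation noted in the comment above: when the role has never been activated, Get-MgDirectoryRole returns nothing, so the helper falls back to the role template and activates it with New-MgDirectoryRole before building the scoped assignment, and it skips the assignment if an identical one already exists. It assumes the RoleManagement.ReadWrite.Directory permission is available for role activation; the role, unit and user names at the bottom are assumed inputs.

```powershell
# Added example: resolve a directory role by name, activating it from its template
# if needed, then assign it to a user scoped to a single Administrative Unit.
function Get-ActivatedDirectoryRole {
    param([Parameter(Mandatory)][string]$RoleName)

    # Get-MgDirectoryRole only returns roles already activated in the tenant
    $Role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if ($Role) { return $Role }

    # Every built-in role has a template even if it has never been activated
    $Template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $RoleName
    if (-not $Template) { throw "No directory role template named '$RoleName'" }

    # Activating the role creates the directoryRole object that scoped assignments reference
    return New-MgDirectoryRole -BodyParameter @{ roleTemplateId = $Template.Id }
}

function Add-ScopedRoleAssignment {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$AdministrativeUnitName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $AU = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AdministrativeUnitName'"
    if (-not $AU) { throw "Administrative Unit '$AdministrativeUnitName' not found" }

    $User = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'"
    if (-not $User) { throw "User '$UserPrincipalName' not found" }

    $Role = Get-ActivatedDirectoryRole -RoleName $RoleName

    # Make re-runs idempotent: return the existing scoped assignment if it is already there
    $Existing = Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $AU.Id -All |
        Where-Object { $_.RoleId -eq $Role.Id -and $_.RoleMemberInfo.Id -eq $User.Id }
    if ($Existing) { return $Existing }

    New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $AU.Id -BodyParameter @{
        RoleId         = $Role.Id
        RoleMemberInfo = @{ Id = $User.Id }
    }
}

# Assumed input values; replace with names from your tenant
Add-ScopedRoleAssignment -RoleName "Groups Administrator" `
    -AdministrativeUnitName "RMU - Cloud Administrators" `
    -UserPrincipalName "Adams@TENANTXXX.OnMicrosoft.com"
```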
Listing All Restricted Administrative Units
To list all the Administrative Units where member management is restricted, you can use the Get-MgDirectoryAdministrativeUnit cmdlet with a filter on the IsMemberManagementRestricted property:
Get-MgDirectoryAdministrativeUnit -Filter "IsMemberManagementRestricted eq true"
Creating a Dynamic Restricted Administrative Unit
To create a dynamic Restricted Administrative Unit, you can use the New-MgAdministrativeUnit cmdlet. Here’s an example:
# Add a new dynamic, user-based Restricted Management Administrative Unit
$DynamicCloudAdminsRMUProperties = @{
    DisplayName                   = "RMU Dynamic - Cloud Administrators"
    Description                   = "Azure AD Cloud Administrators"
    MembershipType                = "Dynamic"
    MembershipRule                = "(user.department -eq ""ITSECURITY"")"
    MembershipRuleProcessingState = "On"
    IsMemberManagementRestricted  = $true
}
$CreateDynamicCloudAdminsRMU = New-MgAdministrativeUnit -BodyParameter $DynamicCloudAdminsRMUProperties
Notes
MemberOf/microsoft.graph.administrativeUnit
If a user is a member of a Restricted Management Administrative Unit, you can't rely on memberOf/microsoft.graph.administrativeUnit to list all of that user's Administrative Units: it only returns the standard units, not the restricted ones.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule and Get-MgRoleManagementDirectoryRoleAssignmentSchedule cmdlets
The Get-MgRoleManagementDirectoryRoleEligibilitySchedule cmdlet shows you all the Eligible assignments, and the output also includes the DirectoryScopeId value. You can use this value to filter the assignments based on the AdministrativeUnitID value.
However, note that while the Get-MgRoleManagementDirectoryRoleAssignmentSchedule cmdlet should show you all the Active assignments, it does not display the DirectoryScopeId value.
Get-MgDirectoryAdministrativeUnitScopedRoleMember cmdlet
The Get-MgDirectoryAdministrativeUnitScopedRoleMember cmdlet only lists active role members, not eligible ones.
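Putting the three notes together, the added example below (not the post's own code) builds one report of who can manage each restricted unit: active assignments from the unit's scoped role members, and eligible PIM assignments matched on DirectoryScopeId, which for a unit-scoped assignment has the form "/administrativeUnits/<unit id>". It assumes the RoleManagement.Read.Directory permission was granted at connection time.

```powershell
# Added example: report active and eligible role assignments scoped to every
# Restricted Management Administrative Unit in the tenant.
function Get-RestrictedUnitRoleReport {
    # Scoped role members reference the activated directoryRole id, while PIM schedules
    # reference the unifiedRoleDefinition id, so keep one display-name map for each
    $DirectoryRoleNames = @{}
    Get-MgDirectoryRole -All | ForEach-Object { $DirectoryRoleNames[$_.Id] = $_.DisplayName }
    $RoleDefinitionNames = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $RoleDefinitionNames[$_.Id] = $_.DisplayName }

    $Units = Get-MgDirectoryAdministrativeUnit -Filter "isMemberManagementRestricted eq true" -All
    foreach ($Unit in $Units) {
        # Active, unit-scoped assignments (what the scoped role member cmdlet returns)
        Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $Unit.Id -All | ForEach-Object {
            [pscustomobject]@{
                AdministrativeUnit = $Unit.DisplayName
                AssignmentType     = 'Active'
                Role               = $DirectoryRoleNames[$_.RoleId]
                Principal          = $_.RoleMemberInfo.DisplayName
                PrincipalId        = $_.RoleMemberInfo.Id
            }
        }

        # Eligible (PIM) assignments whose DirectoryScopeId points at this unit
        $ScopeId = "/administrativeUnits/$($Unit.Id)"
        Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "directoryScopeId eq '$ScopeId'" -All | ForEach-Object {
            $Principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
            [pscustomobject]@{
                AdministrativeUnit = $Unit.DisplayName
                AssignmentType     = 'Eligible'
                Role               = $RoleDefinitionNames[$_.RoleDefinitionId]
                Principal          = $Principal.AdditionalProperties['displayName']
                PrincipalId        = $_.PrincipalId
            }
        }
    }
}

Get-RestrictedUnitRoleReport | Format-Table -AutoSize
```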
Conclusion
Restricted Management Administrative Units in Entra ID offer a powerful way for organizations to enhance their security posture and streamline administrative tasks. By providing a way to segregate administrative duties and restrict access to sensitive resources, they help organizations maintain a robust and secure environment.
The flexibility of these units allows for a wide range of use cases, from protecting executive accounts to managing external contractors and meeting compliance requirements. Despite certain limitations and constraints, their benefits in terms of security and control are significant.
As organizations continue to adopt cloud services and the complexity of managing identities and access increases, features like Restricted Management Administrative Units will become increasingly important. By understanding and leveraging these features, organizations can ensure they are making the most of what Entra ID has to offer.
Whether you’re a new Entra ID administrator or an experienced professional, I hope this guide has provided valuable insights into the use of Restricted Management Administrative Units. As with any feature, the key to success lies in understanding its capabilities and knowing how to apply them effectively in your unique environment.