Gone are the days when I could start a workshop, session, or training with: “Do you know the big difference between Active Directory and Azure Active Directory? Azure AD is flat, where AD is not.” Well… if there is one thing I’ve learned over the last few years, it’s that it is hard to do Zero Trust in a flat landscape. Luckily, we have Administrative Units nowadays.
I really love Administrative Units (AUs), as they bring scoping to Azure AD. Until recently, AUs could only have static membership, but the feature is now integrated with the same dynamic membership engine that powers dynamic groups, meaning we can populate AUs based on user and device attributes. Today we are going to look at one attribute in particular: onPremisesDistinguishedName.
The public preview of dynamic administrative units now supports the onPremisesDistinguishedName property for users. This makes it possible to create dynamic rules which incorporate the organizational unit of the user from on-premises AD.
How to find the attribute
The value comes from the distinguishedName attribute in on-prem AD; Azure AD Connect syncs it to Azure AD as onPremisesDistinguishedName. You can inspect it in Active Directory Users and Computers after enabling Advanced Features from the View menu.
After enabling the feature, right-click the OU -> Properties, and read its distinguishedName on the Attribute Editor tab. This OU path (everything after the CN= part of a user’s DN) is the value the rule will use.
If you don’t have access to on-prem AD, you can also read the property through the Graph API. Using Graph Explorer, grab the properties of one of the synced users (cloud-only users have no value for this attribute); if onPremisesDistinguishedName is not part of the default response, select it explicitly.
GET https://graph.microsoft.com/beta/users/sergio.perez@40rwbj.onmicrosoft.com
OR
GET https://graph.microsoft.com/beta/users/40d32222-a805-4408-bec2-b159c914f4e8
Building the AU
Now let’s build the AU. Head over to the Azure portal, and find the Administrative Units feature in Azure AD. Add a new one to get started.
Give it a proper name and description, and don’t assign any roles for now. Click Review + Create to finish the wizard.
After the AU is created, open its Properties and change the membership type to Dynamic User. Next, click Add dynamic query.
Build the query by selecting onPremisesDistinguishedName as the property and Contains as the operator. Use the OU’s distinguishedName as the value. Keep in mind that Contains is a substring test: users in any child OU below this OU match as well, because their DN still contains the parent OU path. If you only want the OU itself, pick a leaf OU or switch to the Match operator with an anchored regular expression.
(user.onPremisesDistinguishedName -contains "OU=Red Bull,OU=CloudSync,DC=janbakker,DC=tech")
Now, wait a few minutes while the AU membership is evaluated against the on-prem OUs… Et voila! The rule is re-evaluated whenever the synced attribute changes, so moving a user to another OU on-premises moves them into (or out of) the AU, and therefore out of the scope of any roles assigned on it. In other words, whoever can move objects between those OUs in AD effectively controls AU scoping in the cloud; keep that in mind when delegating OU permissions.
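The same lookup and build, scripted. This is an added example, not code from the original post: it previews which synced users the rule from above would capture (the Graph lookup described earlier, run over all users instead of one), reports which of them are pulled in from child OUs because Contains is a substring test, and then creates the AU through the Graph beta endpoint the post uses. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read users and manage administrative units; the AU name, description, and the local regex check are my own choices, and the OU path is the one from the post.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph
# PowerShell SDK; $auName and the description are assumptions, the OU path is
# the value from the post.
Connect-MgGraph -Scopes "User.Read.All", "AdministrativeUnit.ReadWrite.All"

$ouPath = "OU=Red Bull,OU=CloudSync,DC=janbakker,DC=tech"
$auName = "Red Bull"
$rule   = "(user.onPremisesDistinguishedName -contains `"$ouPath`")"

# 1. Pull every user with the synced DN, following @odata.nextLink paging.
$users = @()
$uri = 'https://graph.microsoft.com/beta/users?$select=id,userPrincipalName,onPremisesDistinguishedName&$top=999'
while ($uri) {
    $page   = Invoke-MgGraphRequest -Method GET -Uri $uri
    $users += $page.value
    $uri    = $page.'@odata.nextLink'
}

# 2. Local approximation of the rule. Cloud-only users have no
#    onPremisesDistinguishedName and never match. -contains in the membership
#    rule language is a substring test, so users in child OUs below $ouPath
#    match too; the regex singles out the users sitting directly in the OU.
#    (The authoritative result is what the service computes once the AU exists.)
$synced   = @($users   | Where-Object { $_.onPremisesDistinguishedName })
$matched  = @($synced  | Where-Object { $_.onPremisesDistinguishedName -like "*$ouPath*" })
$directOu = @($matched | Where-Object {
    # "CN=<name>,<ouPath>" with nothing in between. [^,]+ does not cope with a
    # CN containing an escaped comma ("\,"); such a user lands in $matched only.
    $_.onPremisesDistinguishedName -match ('^CN=[^,]+,' + [regex]::Escape($ouPath) + '$')
})
$directIds = @($directOu | ForEach-Object { $_.id })

"Synced users: {0}; would match the rule: {1}; directly in the OU: {2}" -f `
    $synced.Count, $matched.Count, $directOu.Count
# Users the rule pulls in from child OUs, for review before you scope roles on the AU.
$matched | Where-Object { $_.id -notin $directIds } |
    Select-Object userPrincipalName, onPremisesDistinguishedName

# 3. Create the AU with the dynamic rule; the service evaluates membership from here on.
$body = @{
    displayName                   = $auName
    description                   = "Users synced from $ouPath"
    membershipType                = "Dynamic"
    membershipRule                = $rule
    membershipRuleProcessingState = "On"
}
$au = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/administrativeUnits" -Body $body
"Created AU $($au.displayName) ($($au.id)); members appear once the rule has been processed."
```

Run step 1 and 2 first and look at the child-OU list before executing step 3: those are the users that will fall under any role you later assign on the AU, even though they are not in the OU you named. PowerShell’s -like is case-insensitive, which is only an approximation of the service’s evaluation; treat the preview as a sanity check, not as the membership list.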
Let’s wrap up
I hope this article was helpful to you. I really like the dynamic membership engine, and how it is now intertwined with Administrative Units.
Stay safe!
Is there a way to sync all AD Security groups that reside in a specific OU to an Entra ID AU?