A walkthrough of the new Azure AD Administrative Unit capability to provide granular scoped role assignment of Azure AD users and groups along with a demo.
I've seen other videos on AUs and no one else has mentioned that limitation on adding groups i.e. you can't manage the users within the groups, only the groups. It's your attention to detail in all you videos (very important detail if you want pass exams and be an effective Azure admin) that makes them so good. I would have a harder time understanding Azure if it wasn't for your training library. Thank you!
Bro! I just finished an online course on Udemy last night that I have access to through my alumni resources. After the course was over it had some practice test which, I took one and passed it, but still lacked confidence in several areas. Administrative Units was one of them. You just explained this so completely and with such precision that if you charged for this content you would have been paid immediately. I was able to take great notes in my OneNote and feel like I really understand Administrative Units now. I will now be moving to more of your videos for other areas, and I am excited to know that anything you have said can be backed up really easily with a quick search of Microsoft documentation. Not going to lie your channel has been fantastic. My exam is scheduled for June 4th at 3:30. I am trying to get as much as I can in. Thank you so much for your dedication and knowledge pass down.
I have seen other videos where they do ask for like and all. You are the one who really want people to come and learn here. i don't know how to say but you are the gem for learners. thank you so much for your efforts toward the Azure so that we can learn from pure technical perspective. Hats off you Brother.
Excellent explanation from John on AAD Admin Units, Very helpful stuff on my current project limiting the role of Automation account to specific role at reduced scope 😊
Was confusing at first, but after a couple of tries, I got it, you cannot manage users in groups if they are not in the AU you have the priviledges to! I know is an old vid, but great content as usual John! Ty!
It appears that you have to give any admins 'directory read-access to the whole tenant in addition to container permissions. The expected functionality I was hoping for was to only be able to view the users in the container I manage - I am doing something wrong, or is this expected?
Thank you , but May I ask what's new this feature added comparing to RBAC or customized policy ?, I'd like kindly ask you if you can explain more topics like encryption "BYOK, HYOK" and how we can use HYOK on Azure ? , also monitoring on Azure i.e VMs log analytics and log analytics workspace and how we can integrate it with service desk systems for alerts . Thank you in advance .
So that's the point. This is complete separate from RBAC on Azure resources. This is specific to Azure AD user and group management delegation. You cannot use these for RBAC of Azure resources. Azure RBAC is based around ARM roles assigned to users and groups at a scope like subscription or resource group. These AUs are to grant Azure AD roles to users at a reduce scope, i.e. the AU.
Another great video John. Admin Units sound like the same thing as using using a dynamic group and filtering user accounts by region and then applying RBAC to that AD group. Is this correct? In other words, can I achieve the same thing just doing it a different way? As you state wIth the flat AAD structure I guess this is needed because you can't simply apply permissions or policies to OUs like you can on-prem.
Management groups are azure arm constructs and nothing to do with azure ad admin units. You create admin units with the people in for that department then grant admins to that specific admin unit.
So management groups are around management of azure resources and nothing really to do with azure ad. I’ll be covering them in detail in the governance lesson of my azure masterclass will be posting over next couple of weeks. Basically they let you create a hierarchy which subscriptions live in and you can apply policy, budget and rbac.
I've seen other videos on AUs and no one else has mentioned that limitation on adding groups i.e. you can't manage the users within the groups, only the groups. It's your attention to detail in all you videos (very important detail if you want pass exams and be an effective Azure admin) that makes them so good. I would have a harder time understanding Azure if it wasn't for your training library. Thank you!
#facts The group thing is what really helped me because I was lost with how that worked
Every time I'm stuck with a topic, you are my first resort to get a simplified explanation of this topic. many thanks, John :)
Great to hear, thank you!
Short but sweet this video! I just noticed that AU can now be Dynamic User type (Preview)
Bro! I just finished an online course on Udemy last night that I have access to through my alumni resources. After the course was over it had some practice test which, I took one and passed it, but still lacked confidence in several areas. Administrative Units was one of them. You just explained this so completely and with such precision that if you charged for this content you would have been paid immediately. I was able to take great notes in my OneNote and feel like I really understand Administrative Units now. I will now be moving to more of your videos for other areas, and I am excited to know that anything you have said can be backed up really easily with a quick search of Microsoft documentation. Not going to lie your channel has been fantastic. My exam is scheduled for June 4th at 3:30. I am trying to get as much as I can in. Thank you so much for your dedication and knowledge pass down.
Best of luck!
Thanks John for clearly explaining the AU functions. I was confused about the group but now I'm more confident to set it up correctly for our users.
This was one of the Best explanations on AU's that I have seen. Thank you so much.
You're very welcome!
Amazing content as always.... Short crisp .. to the point... perfect.
Generic comment to show my appreciation. Keep winning John!
Cool, helped a ton, but man alive this dude is jacked!
lol, its the camera. it adds 10 lbs :-D
I have seen other videos where they do ask for like and all.
You are the one who really want people to come and learn here.
i don't know how to say but you are the gem for learners.
thank you so much for your efforts toward the Azure so that we can learn from pure technical perspective.
Hats off you Brother.
So nice of you
Excellent explanation from John on AAD Admin Units, Very helpful stuff on my current project limiting the role of Automation account to specific role at reduced scope 😊
Thanks!
Fantastic explanation, thank you.
Was confusing at first, but after a couple of tries, I got it, you cannot manage users in groups if they are not in the AU you have the priviledges to!
I know is an old vid, but great content as usual John! Ty!
Another great video John! Thank you.
Glad you enjoyed it
Your videos helped me lot, Thank you very much.
You are welcome!
As always, great explanation. Thank you.
very good explanations
Thanks John, so helpful as always!
Good one.. This clears a lot of basic concepts
Very helpful. I like the digital whiteboard setup. Will consider. Cheers.
Glad it was helpful!
Very helpful. Thanks!
Another good video John, thank you. Biggest takeaway from this is plan your operational structure ;-)
Definitely!
This was very helpful thank you :)
Thank you boss you made it so clear God bless you :)
Awesome explanation
Glad you think so!
Thank you
Nicely explained. !!
Thank you
Thank you for the clarification regarding groups. Uhh, why can it not reset!?!?!
Hi John, love the content you provide! Is there a similar functionality for managing Hybrid joined devices/AAD only devices?
most device type management would be more Intune than AAD and Intune does have grouping capabilities.
Thanks its Good one , How to add a permissions so that one particular person can add a set of groups to people
Glad you liked it
For the algorithm! 😁
It appears that you have to give any admins 'directory read-access to the whole tenant in addition to container permissions. The expected functionality I was hoping for was to only be able to view the users in the container I manage - I am doing something wrong, or is this expected?
not sure following. normally users would have directory read for their local tenant. It's guests we tend to remove the directory read.
I remember one MSFT man talked about this feature back in 2017. I wonder when it will go GA from Preview :)
Yeahhhhhh :-) Very soon :-D
@@NTFAQGuy It just did.
Thank you , but May I ask what's new this feature added comparing to RBAC or customized policy ?, I'd like kindly ask you if you can explain more topics like encryption "BYOK, HYOK" and how we can use HYOK on Azure ? , also monitoring on Azure i.e VMs log analytics and log analytics workspace and how we can integrate it with service desk systems for alerts . Thank you in advance .
So that's the point. This is complete separate from RBAC on Azure resources. This is specific to Azure AD user and group management delegation. You cannot use these for RBAC of Azure resources. Azure RBAC is based around ARM roles assigned to users and groups at a scope like subscription or resource group. These AUs are to grant Azure AD roles to users at a reduce scope, i.e. the AU.
Another great video John. Admin Units sound like the same thing as using using a dynamic group and filtering user accounts by region and then applying RBAC to that AD group. Is this correct? In other words, can I achieve the same thing just doing it a different way? As you state wIth the flat AAD structure I guess this is needed because you can't simply apply permissions or policies to OUs like you can on-prem.
no. RBAC on a group is just managing the group, not things inside.
@@NTFAQGuy Thank you.
How do you attach these Admin Groups to the different departments you talked about without setting those departments up as Management Groups? Thanks
Management groups are azure arm constructs and nothing to do with azure ad admin units. You create admin units with the people in for that department then grant admins to that specific admin unit.
@@NTFAQGuy Thank you
Hay John, would you add Azure management groups into the mix?
So management groups are around management of azure resources and nothing really to do with azure ad. I’ll be covering them in detail in the governance lesson of my azure masterclass will be posting over next couple of weeks. Basically they let you create a hierarchy which subscriptions live in and you can apply policy, budget and rbac.
So since this is just in preview what is the current standard for handling azure ad like this?
Basically today unless you use an external governance solution you really can’t limit scope of roles. This is needed!
Imagine there are 360 likes on this video at the moment..
Lol