A walkthrough of the new Azure AD Administrative Unit capability to provide granular scoped role assignment of Azure AD users and groups along with a demo.
Every time I'm stuck with a topic, you are my first resort to get a simplified explanation of this topic. many thanks, John :)
Great to hear, thank you!
I've seen other videos on AUs and no one else has mentioned that limitation on adding groups, i.e. you can't manage the users within the groups, only the groups. It's your attention to detail in all your videos (very important detail if you want to pass exams and be an effective Azure admin) that makes them so good. I would have a harder time understanding Azure if it wasn't for your training library. Thank you!
#facts The group thing is what really helped me because I was lost with how that worked
Short but sweet this video! I just noticed that AU can now be Dynamic User type (Preview)
Amazing content as always.... Short crisp .. to the point... perfect.
Thanks John for clearly explaining the AU functions. I was confused about the group but now I'm more confident to set it up correctly for our users.
Generic comment to show my appreciation. Keep winning John!
Bro! I just finished an online course on Udemy last night that I have access to through my alumni resources. After the course was over it had some practice tests; I took one and passed it, but still lacked confidence in several areas. Administrative Units was one of them. You just explained this so completely and with such precision that if you charged for this content you would have been paid immediately. I was able to take great notes in my OneNote and feel like I really understand Administrative Units now. I will now be moving to more of your videos for other areas, and I am excited to know that anything you have said can be backed up really easily with a quick search of Microsoft documentation. Not going to lie, your channel has been fantastic. My exam is scheduled for June 4th at 3:30. I am trying to get as much as I can in. Thank you so much for your dedication and for passing down your knowledge.
Best of luck!
This was one of the best explanations of AUs that I have seen. Thank you so much.
You're very welcome!
As always, great explanation. Thank you.
Another great video John! Thank you.
Glad you enjoyed it
Thanks John, so helpful as always!
Fantastic explanation, thank you.
Excellent explanation from John on AAD Admin Units. Very helpful stuff for my current project, limiting the role of an Automation account to a specific role at reduced scope 😊
Thanks!
Good one.. This clears a lot of basic concepts
I have seen other videos where they ask for likes and all.
You are the one who really wants people to come and learn here.
I don't know how to say it, but you are a gem for learners.
Thank you so much for your efforts on Azure so that we can learn from a purely technical perspective.
Hats off to you, brother.
So nice of you
This was very helpful thank you :)
Very helpful. Thanks!
Cool, helped a ton, but man alive this dude is jacked!
lol, it's the camera. It adds 10 lbs :-D
Your videos helped me a lot. Thank you very much.
You are welcome!
Was confusing at first, but after a couple of tries, I got it: you cannot manage users in groups if they are not in the AU you have the privileges to!
I know it's an old vid, but great content as usual, John! Ty!
Thank you boss you made it so clear God bless you :)
very good explanations
Very helpful. I like the digital whiteboard setup. Will consider. Cheers.
Glad it was helpful!
Another good video John, thank you. Biggest takeaway from this is plan your operational structure ;-)
Definitely!
Nicely explained!!
Thank you
Awesome explanation
Glad you think so!
Thank you
Hi John, love the content you provide! Is there a similar functionality for managing Hybrid joined devices/AAD only devices?
Most device type management would be more Intune than AAD, and Intune does have grouping capabilities.
Thank you for the clarification regarding groups. Uhh, why can it not reset!?!?!
Thank you, but may I ask what's new that this feature adds compared to RBAC or customized policy? I'd like to kindly ask if you can explain more topics like encryption ("BYOK, HYOK") and how we can use HYOK on Azure, and also monitoring on Azure, i.e. VMs log analytics and log analytics workspace, and how we can integrate it with service desk systems for alerts. Thank you in advance.
So that's the point. This is completely separate from RBAC on Azure resources. This is specific to Azure AD user and group management delegation. You cannot use these for RBAC of Azure resources. Azure RBAC is based around ARM roles assigned to users and groups at a scope like subscription or resource group. These AUs are to grant Azure AD roles to users at a reduced scope, i.e. the AU.
Another great video John. Admin Units sound like the same thing as using a dynamic group and filtering user accounts by region and then applying RBAC to that AD group. Is this correct? In other words, can I achieve the same thing just doing it a different way? As you state, with the flat AAD structure I guess this is needed because you can't simply apply permissions or policies to OUs like you can on-prem.
No. RBAC on a group is just managing the group, not things inside.
@NTFAQGuy Thank you.
It appears that you have to give any admins directory read access to the whole tenant in addition to container permissions. The expected functionality I was hoping for was to only be able to view the users in the container I manage. Am I doing something wrong, or is this expected?
Not sure I'm following. Normally users would have directory read for their local tenant. It's guests we tend to remove the directory read from.
Hey John, would you add Azure management groups into the mix?
So management groups are around management of Azure resources and nothing really to do with Azure AD. I’ll be covering them in detail in the governance lesson of my Azure masterclass, which I will be posting over the next couple of weeks. Basically they let you create a hierarchy which subscriptions live in, and you can apply policy, budget and RBAC.
How do you attach these Admin Groups to the different departments you talked about without setting those departments up as Management Groups? Thanks
Management groups are Azure ARM constructs and have nothing to do with Azure AD admin units. You create admin units with the people in them for that department, then grant admins to that specific admin unit.
@NTFAQGuy Thank you
For the algorithm! 😁
Thanks, it's a good one. How to add permissions so that one particular person can add a set of groups to people?
Glad you liked it
So since this is just in preview, what is the current standard for handling Azure AD like this?
Basically today unless you use an external governance solution you really can’t limit scope of roles. This is needed!
I remember one MSFT man talked about this feature back in 2017. I wonder when it will go GA from Preview :)
Yeahhhhhh :-) Very soon :-D
@NTFAQGuy It just did.
Imagine there are 360 likes on this video at the moment..
Lol