Azure AD groups and printer security permissions

Ole Pedersen 1 Reputation point
2020-11-25T17:30:20.75+00:00

This is a technical question about Azure AD groups.

In "normal" AD a user can be a member of AD groups, and if the computers are part of the domain you can limit printer security permissions by setting the permissions for certain groups, thereby restricting user access.

In Azure AD users can be members of Azure AD groups, but for some of our customers the computers are Azure AD joined but not part of a domain, i.e. they are of WORKGROUP type.

The users log in using their Azure AD account.

Since the computers are workgroup computers it is not possible to assign Azure AD groups to the printer security, because the computers cannot look up the Azure AD groups.

How do I set printer security permissions using Azure AD groups on these Workgroup computers?

Microsoft Entra ID

3 answers

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2020-11-26T05:42:56.973+00:00

    @Ole Pedersen Thanks for reaching out. If your customer is using the cloud-only approach, you can implement the cloud printer using an MDM solution like Intune to deploy the printer config + groups.

    You can have a look here to check if it suits your need: https://learn.microsoft.com/en-us/universal-print/fundamentals/universal-print-intune-tool

    That contains the step by step instructions to implement the scenario.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


  2. Ole Pedersen 1 Reputation point
    2020-11-26T07:16:19.057+00:00

    Hi.

    Thanks for your prompt reply.

    Let me give you a little more background for my question.
    We're a company that makes a cloud based print solution, which by the way also integrates with Windows UP.
    Our customers are typically Azure AD connected, and we import users / groups from the Azure AD.
    The print queue management is done in our solution, including setting access based on Azure groups, and we're also controlling the installation and configuration of the print queues.
    The concept of setting the access permissions on print queues based on groups works fine if the computers of the customer are AD joined (not workgroup).
    But we have a number of customers where the computers are workgroup types, and we would like to set the print queue permissions as we can on AD computers.
    We have looked at the group information we can extract from the Azure AD, and we can see that each group has an SID (SecurityIdentifier).
    We have tried to use those SIDs as print queue permissions, but that does not have the right effect.

    When a user logs in using their Azure AD credentials to these types of computers, I assume that the OS now knows the full list of groups this user is a member of.
    What we would like is to set the print queue security permissions, so that we can hide / show the print queues depending on the group membership of the user.

    A simple example:

    User U1 is a member of group G1
    User U2 is a member of group G2

    In our system the print queue PQ1 is set with "Exclusive Access" based on group G1
    The idea is that when U1 logs in he can see PQ1, whereas when U2 logs in, PQ1 will be hidden.

    I hope this helps.


  3. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2020-12-18T12:04:58.19+00:00

    @Ole Pedersen

    This is what we got from PG :
    I recommend the customer to take a look at Printer Sharing and Permissions - Universal Print | Microsoft Learn to see if this already addresses their use case.

    In short, each Universal Print shared printer has an access permission security group, and it supports adding individual users or AAD groups as members.
    From what I understood reading the post, it is what they want.

    In their post:
    User U1 is a member of group G1
    User U2 is a member of group G2

    In our system the print queue PQ1 is set with "Exclusive Access" based on group G1
    The idea is that when U1 logs in he can see PQ1, whereas when U2 logs in, PQ1 will be hidden.

    By using what’s offered in Universal Print, U2 will NOT see PQ1, since U2 is not a member of G1 which is a member of PQ1 security group.

    Steps:

    1. After a printer is registered with Universal Print, go to the "Printers" page.
    2. Select the desired printer and make sure it is shared. If not, share the printer.
    3. Once shared, they can grant permissions to the printer share by using the "Access control" menu to add G1 as a member.
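
The portal steps in the answer above can also be scripted, which matters for a print-management product that already imports groups from Azure AD. The following PowerShell is an added example written for this page; it is not code from the thread, from the original poster's product, or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK, the `print/shares` and `allowedGroups/$ref` Graph endpoints and the `allowAllUsers` share property as I know them, and the delegated scopes `PrinterShare.ReadWrite.All` and `Group.Read.All`; the share name `PQ1` and group name `G1` are the thread's hypothetical example, and the ID-based `$ref` body is the standard OData way of adding a navigation link.

```powershell
# Added example (not from the thread or from Microsoft): restrict a Universal Print
# printer share "PQ1" so that only members of Azure AD group "G1" can see it.
# Assumes: Install-Module Microsoft.Graph; Graph scopes and property names as noted above.

$shareName = 'PQ1'   # hypothetical printer share, from the thread's example
$groupName = 'G1'    # hypothetical Azure AD group that should see PQ1
$graph     = 'https://graph.microsoft.com/v1.0'

# PrinterShare.ReadWrite.All lets us change share permissions; Group.Read.All resolves G1.
Connect-MgGraph -Scopes 'PrinterShare.ReadWrite.All', 'Group.Read.All'

# 1. Find the printer share (the printer must already be registered and shared).
$shares = (Invoke-MgGraphRequest -Method GET -Uri "$graph/print/shares").value
$share  = $shares | Where-Object { $_.displayName -eq $shareName } | Select-Object -First 1
if (-not $share) {
    throw "Printer share '$shareName' not found; share the printer in the Universal Print portal first."
}

# 2. Resolve the group object ID from its display name.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found." }

# 3. A share with allowAllUsers = true is visible to every user regardless of the
#    allowed-groups list, so turn that off before relying on group membership.
if ($share.allowAllUsers) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/print/shares/$($share.id)" `
        -Body @{ allowAllUsers = $false }
}

# 4. Add G1 to the share's allowed groups (OData $ref link to the group object).
Invoke-MgGraphRequest -Method POST -Uri "$graph/print/shares/$($share.id)/allowedGroups/`$ref" `
    -Body @{ '@odata.id' = "$graph/groups/$($group.Id)" }

# 5. Verify: list the groups now allowed on the share. Anything beyond G1 here
#    (or a leftover allowedUsers entry) would let U2 see PQ1 after all.
$allowed = (Invoke-MgGraphRequest -Method GET -Uri "$graph/print/shares/$($share.id)/allowedGroups").value
$allowed | ForEach-Object { '{0}  {1}' -f $_.id, $_.displayName }
```

Run it with an account that holds the Printer Administrator role (or equivalent) in the tenant. The verification step is the part worth keeping in production tooling: the share-level membership list, not the local printer ACL, is what decides whether U2 sees PQ1 on an Azure AD joined workgroup machine, so auditing that list is how you confirm the "exclusive access" rule actually holds.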