Impossible to add a user to an administrative unit with a user that has the "User administrator" role at AU scope

Julien Rateau 31 Reputation points
2022-02-11T16:33:05.803+00:00

Hi,
I am running into an issue with an administrative unit. I created a user named "test" in my Azure Active Directory with my Global Administrator account.

I created an administrative unit, put this user "test" into it, assigned a P2 license to this user, and assigned the "User administrator" role for the AU scope.

If I am not mistaken, the user "test" should have the permissions to create and remove users in the AU scope only, but it does not.

The "Add member" button is still greyed out.

Do you have any idea, please?

Thanks in advance for your help.
Kind regards,
Julien


2 answers

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-02-11T21:19:55.673+00:00

    Hi @Julien Rateau ,

    I understand that you are trying to add a user to an Administrative Unit using a User Administrator role, but the "+ Add Member" button is greyed out for you and you are unable to do it.

    The documentation for creating and adding users to administrative units does list having a Privileged Administrator or Global Administrator role as a prerequisite for adding users and groups to an Administrative Unit. Reference: Add users or groups to an administrative unit

    I checked the permissions in the Azure portal and the User Administrator role appears to only have "read" permissions on the administrative units.


    The FAQ says that "User administrators for the administrative unit can manage the name and membership of the group itself." Based on the role definitions in the portal and the prerequisite list for adding users to an AU, the User administrator role appears to have the ability to manage users and group members within an AU, but cannot add or delete members from an AU.

    I reached out to the product team to ask for more clarity in the documentation around these definitions, though, as I agree that the language could be clearer. I also noticed that the built-in role permissions documentation doesn't even have "Read" permissions listed for User administrator, even though they are there in the portal. The microsoft.directory/administrativeUnits/standard/read permissions are entirely missing, and I have brought this to the attention of the product group.

    For now it does seem that you need to be either a Global Admin or a Privileged Role Administrator to add new members though.
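As an added example (not code from this thread, from Microsoft, or from the documentation referenced above), the following Microsoft Graph PowerShell script shows how to verify which actions a built-in role actually grants before relying on it, and how to scope a role assignment to a single administrative unit. The role display name, the AU name "Test AU", the UPN "test@contoso.example", the Graph permission scopes requested, and the handling of `allProperties/allTasks` entries as covering every action under that resource are all assumptions made for this example.

```powershell
# Added example, not part of the original thread. Assumptions: the Microsoft.Graph
# PowerShell SDK is installed, the signed-in account may read role definitions and
# create role assignments, and "Test AU" / "test@contoso.example" are placeholder names.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

# Actions needed to add or remove members of an administrative unit. These are
# administrativeUnits/* actions, distinct from users/* actions such as users/create.
$auMemberActions = @(
    "microsoft.directory/administrativeUnits/members/create",
    "microsoft.directory/administrativeUnits/members/delete"
)

# Returns the required actions that the named built-in role does NOT grant.
function Get-MissingRoleActions {
    param(
        [Parameter(Mandatory)] [string]   $RoleDisplayName,
        [Parameter(Mandatory)] [string[]] $RequiredActions
    )
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Role definition '$RoleDisplayName' not found" }

    # Flatten every permission block of the role into one list of action strings.
    $granted = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })

    $RequiredActions | Where-Object {
        $needed = $_
        $covered = $granted | Where-Object {
            # Exact match, or (assumption for this example) a broad entry such as
            # "microsoft.directory/administrativeUnits/allProperties/allTasks"
            # treated as covering every action under that resource.
            $_ -eq $needed -or
            ($_ -like "*/allProperties/allTasks" -and
             $needed -like (($_ -replace '/allProperties/allTasks$', '') + "/*"))
        }
        -not $covered
    }
}

# 1. Check the role before relying on it for AU membership changes.
$missing = Get-MissingRoleActions -RoleDisplayName "User Administrator" -RequiredActions $auMemberActions
if ($missing) {
    Write-Host "User Administrator does not grant: $($missing -join ', ')"
    Write-Host "Adding members to an AU will stay greyed out for an assignee of this role."
}

# 2. Assign the role scoped to one AU only. directoryScopeId "/administrativeUnits/<id>"
#    restricts the role to objects inside that AU; "/" would make it tenant-wide.
$au   = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Test AU'"
$user = Get-MgUser -UserId "test@contoso.example"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id `
    -PrincipalId $user.Id -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# 3. Review what is effectively scoped to the AU after the change.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "directoryScopeId eq '/administrativeUnits/$($au.Id)'" |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId
```

Step 1 is the check worth running first: it reads the live role definition rather than the documentation, so it reflects what the tenant will actually enforce. Step 2 is the least-privilege assignment the question describes (role restricted to one AU); step 3 lists every assignment scoped to that AU so that nothing tenant-wide was created by mistake.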


  2. Julien Rateau 31 Reputation points
    2022-02-14T07:59:04.327+00:00

    Hi @Marilee Turscak-MSFT ,
    Thank you for your answer and for your reporting actions. I am still confused, because on the page describing the role permissions for the "User administrator" role, the permission microsoft.directory/users/create belongs to this role's permissions, as you can see in the following screenshot.

    What would my user be able to do thanks to this permission?
    Julien