Delegate Printer Administration with Administrative Units in Microsoft Entra ID

This article describes how Universal Print integrates with administrative units in Microsoft Entra ID. Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Printer Administrator role to regional print admins, so they can manage printers only in the region that they support.

Refer to Administrative Units in Microsoft Entra ID for additional details on what it offers.

Prerequisites

  • Configuring Azure Administrative Unit
    • Admin account with Privileged Role Administrator or Global Administrator role
  • Delegated Printer Administrator
    • Microsoft Entra ID Premium P1 or P2 license assigned to each Printer Administrator within the administrative unit
    • Universal Print-eligible license is assigned to each Printer Administrator within the administrative unit

Configure Administrative Unit

Step 1: Create the administrative unit

Refer to Create or delete administrative units for details on the various options.

  1. Sign in to the Azure portal with a Privileged Role Administrator or Global Administrator account.
  2. Select Microsoft Entra ID > Administrative units.
  3. Select Add.
  4. In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
  5. Select Next: Assign roles >.
  6. Select Printer administrator role and then select the users or groups to assign the role to with this administrative unit scope.
  7. On the Review + create tab, review the administrative unit and any role assignments.
  8. Select the Create button.

Step 2: Assign printers to be managed by scoped admin

Azure Administrative Units offers 2 ways for Admins to define the set of devices that are within the scope of the assigned administrative rights.

  1. Dynamic Device Membership
    • Members are automatically updated based on the Admin set membership rules
  2. Assigned Membership
    • Members are manually assigned and updated by the Admin of the Administrative Unit

Option 1: Dynamic printer membership rule

Refer to Manage users or devices for an administrative unit with dynamic membership rules for additional details.

Note

It can take some time for the list of printers in an administrative unit to be evaluated according to dynamic device membership rules.

Delegating Admin responsibilities by Universal Print connectors
  1. After the administrative unit is initially created, go back to Administrative units.

  2. Select the created administrative unit that you want to add printers to.

  3. Select Properties.

  4. In the Membership type list, select Dynamic Device.

  5. Select Add dynamic query.

  6. Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.

  7. In the rule builder

    Property Operator Value
    systemLabels Contains PrinterStandard
    extensionAttribute2 Starts With <connector naming schema>

Tip

Take note of the "Property" fields and values used in the dynamic query rule. These will be needed later on in the deployment process.

Delegating Admin responsibilities by printer location
  1. After the administrative unit is initially created, go back to Administrative units.

  2. Select the created administrative unit that you want to add printers to.

  3. Select Properties.

  4. In the Membership type list, select Dynamic Device.

  5. Select Add dynamic query.

  6. Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.

  7. In the rule builder

    Property Operator Value
    systemLabels Contains PrinterStandard
    extensionAttribute3 Contains USA

Tip

Take note of the "Property" fields and values used in the dynamic query rule. These will be needed later on in the deployment process.

Option 2: Static printer membership list

Refer to Add users, groups, or devices to an administrative unit for additional details.

  1. After the administrative unit is initially created, go back to Administrative units.
  2. Select the created administrative unit that you want to add printers to.
  3. Select Properties.
  4. In the Membership type list, select Assigned.
  5. If a change was made, remember to Save the changes.
  6. Select Devices.
  7. Select Add device.
  8. In the Select pane, select the printers you want to add to the administrative unit and then select Select.

Sync Printer Properties

Universal Print's integration with Microsoft Entra ID device objects and administrative units provide a lot of flexibility and customization in how Printer Administrator role can be delegated. By leveraging the Microsoft Entra ID device object's "extensionAttributeX", organizations can pick and choose the combination of printer metadata to use to define the different printer administrator scopes.

To support this flexibility, periodic syncing of printer metadata from Universal Print to Microsoft Entra ID is required. This can be done by executing a script, such as the following sample, or any other form of automation.

The following sample provides a starting reference, customers should modify the script to meet their own deployment needs.

Sample PowerShell Script

$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "Printer.Read.All"

$tenantId = (Get-MgContext).TenantId
Write-Host "Starting processing of Universal Print printers in tenant $tenantId"

# This streams pages of printers and does not require them to all be loaded at once.
Get-MgPrintPrinter -All -ExpandProperty "connectors" | ForEach-Object -Process {
    $printer = $_

    Write-Host "Fetching Microsoft Entra ID device for printer $($printer.DisplayName)"
    $device = Get-MgDevice -Filter "deviceId eq '$($printer.Id)'" -Top 1

    # The display name of the Microsoft Entra ID device is set to the initial display name
    # of the printer. This sets extensionAttribute1 to the current name.
    $extensionAttribute1 = "$($printer.DisplayName)"

    # If the printer was registered with the Universal Print connector then the
    # display name of the connector will be present in extensionAttribute2.
    $extensionAttribute2 = "$($printer.Connectors[0].DisplayName)"

    # If the printer has a country or region set in its location properties it
    # will be set to extensionAttribute15. Other location properties can be used
    # as well.
    $extensionAttribute3 = "$($printer.Location.CountryOrRegion)"

    $existingExtensionAttributes = $device.AdditionalProperties.extensionAttributes
    if ($extensionAttribute1 -ne "$($existingExtensionAttributes.extensionAttribute1)" -or
        $extensionAttribute2 -ne "$($existingExtensionAttributes.extensionAttribute2)" -or
        $extensionAttribute3 -ne "$($existingExtensionAttributes.extensionAttribute3)")
    {
        Write-Host "Updating Microsoft Entra ID device extension attributes for printer $($printer.DisplayName)"
        Update-MgDevice -DeviceId $device.Id -BodyParameter @{
            "extensionAttributes" = @{
                "extensionAttribute1" = $extensionAttribute1
                "extensionAttribute2" = $extensionAttribute2
                "extensionAttribute3" = $extensionAttribute3
            }
        }
    }
}

Note

Execution of this sample script requires the user account to be either

  • A "Windows 365 Administrator" and "Printer Administrator"
  • Or, a "Global Administrator"

Scoped Admin vs Tenant Printer Admin

A scoped printer admin has many of the access rights as a tenant Printer Administrator role. The following table summarizes the similarities and differences.

Admin Action Printer Admin Role Scoped Printer Admin1
Register Printer Yes Yes2
Register Connector Yes Yes2
Unregister Printer Yes Yes
Unregister Connector Yes No
List Printers Yes Yes3
List Printer Shares Yes Yes3
List Connectors Yes Yes3
Printer Properties Yes Yes3
Printer Share Properties Yes Yes3
Sharing Printer Yes Yes
Printer Access Control Yes Yes
Swap Printer Share Yes Yes
View Job Status in Print Queue Yes Yes
Document Conversion Yes No
Usage and Reports Yes No

Note:

  1. Scoped admins can only manage the set of printer(s) defined in Azure AU configuration, unless otherwise specified.
  2. Scoped admins can perform the action on any printer or connector.
  3. Scoped admins see all printers, printer shares, and connectors, but are limited to read-only access to those outside of the Azure AU configuration.