Delegate Printer Administration with Administrative Units in Microsoft Entra ID
This article describes how Universal Print integrates with administrative units in Microsoft Entra ID. Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Printer Administrator role to regional print admins, so they can manage printers only in the region that they support.
Refer to Administrative Units in Microsoft Entra ID for additional details on what it offers.
Prerequisites
- Configuring Azure Administrative Unit
- Admin account with Privileged Role Administrator or Global Administrator role
- Delegated Printer Administrator
- Microsoft Entra ID Premium P1 or P2 license assigned to each Printer Administrator within the administrative unit
- Universal Print-eligible license is assigned to each Printer Administrator within the administrative unit
Configure Administrative Unit
Step 1: Create the administrative unit
Refer to Create or delete administrative units for details on the various options.
- Sign in to the Azure portal with a Privileged Role Administrator or Global Administrator account.
- Select Microsoft Entra ID > Administrative units.
- Select Add.
- In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
- Select Next: Assign roles >.
- Select Printer administrator role and then select the users or groups to assign the role to with this administrative unit scope.
- On the Review + create tab, review the administrative unit and any role assignments.
- Select the Create button.
Step 2: Assign printers to be managed by scoped admin
Administrative units offer two ways for admins to define the set of devices that fall within the scope of the assigned administrative rights.
- Dynamic Device Membership
  - Members are automatically updated based on the membership rules the admin defines
- Assigned Membership
  - Members are manually assigned and updated by the admin of the administrative unit
Option 1: Dynamic printer membership rule
Refer to Manage users or devices for an administrative unit with dynamic membership rules for additional details.
Note
It can take some time for the list of printers in an administrative unit to be evaluated according to dynamic device membership rules.
Delegating Admin responsibilities by Universal Print connectors
- After the administrative unit is initially created, go back to Administrative units.
- Select the created administrative unit that you want to add printers to.
- Select Properties.
- In the Membership type list, select Dynamic Device.
- Select Add dynamic query.
- Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.
- In the rule builder, enter the following:

| Property | Operator | Value |
|---|---|---|
| systemLabels | Contains | PrinterStandard |
| extensionAttribute2 | Starts With | <connector naming schema> |
Tip
Take note of the "Property" fields and values used in the dynamic query rule. These will be needed later on in the deployment process.
Delegating Admin responsibilities by printer location
- After the administrative unit is initially created, go back to Administrative units.
- Select the created administrative unit that you want to add printers to.
- Select Properties.
- In the Membership type list, select Dynamic Device.
- Select Add dynamic query.
- Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.
- In the rule builder, enter the following:

| Property | Operator | Value |
|---|---|---|
| systemLabels | Contains | PrinterStandard |
| extensionAttribute3 | Contains | USA |
Tip
Take note of the "Property" fields and values used in the dynamic query rule. These will be needed later on in the deployment process.
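The two rule-builder tables above correspond to the following rule text in Microsoft Entra dynamic membership syntax. This added example (not part of the article's procedure) creates both administrative units through the Microsoft Graph PowerShell SDK instead of the portal; the AU names and the connector prefix "CONN-EMEA-" are placeholders, and it assumes the caller already holds a role permitted to create administrative units.

```powershell
# Added example: create administrative units with the same dynamic device rules the
# portal rule builder produces for the connector-based and location-based scopes.
# AU names and the "CONN-EMEA-" connector prefix are placeholders for this example.
$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

# Rule text in dynamic membership syntax. The systemLabels clause restricts the AU to
# Universal Print printers; without it, any device whose extensionAttribute3 contains
# "USA" (or whose extensionAttribute2 starts with the prefix) would become a member,
# widening the unit beyond printers.
$rules = @{
    "UP-Admins-EMEA-Connectors" = '(device.systemLabels -contains "PrinterStandard") and (device.extensionAttribute2 -startsWith "CONN-EMEA-")'
    "UP-Admins-USA"             = '(device.systemLabels -contains "PrinterStandard") and (device.extensionAttribute3 -contains "USA")'
}

foreach ($name in $rules.Keys) {
    $body = @{
        displayName                   = $name
        description                   = "Universal Print delegated printer administration"
        membershipType                = "Dynamic"
        membershipRule                = $rules[$name]
        membershipRuleProcessingState = "On"   # start evaluating the rule immediately
    }
    $au = New-MgDirectoryAdministrativeUnit -BodyParameter $body
    Write-Host "Created AU '$($au.DisplayName)' ($($au.Id))"
    Write-Host "  rule: $($rules[$name])"
}
```

As the Note above says, evaluation of the rule takes time, so the member list of a newly created unit is empty at first.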
Option 2: Static printer membership list
Refer to Add users, groups, or devices to an administrative unit for additional details.
- After the administrative unit is initially created, go back to Administrative units.
- Select the created administrative unit that you want to add printers to.
- Select Properties.
- In the Membership type list, select Assigned.
- If a change was made, remember to Save the changes.
- Select Devices.
- Select Add device.
- In the Select pane, select the printers you want to add to the administrative unit and then select Select.
Sync Printer Properties
Universal Print's integration with Microsoft Entra ID device objects and administrative units provides a lot of flexibility in how the Printer Administrator role can be delegated. By using the Microsoft Entra ID device object's "extensionAttributeX" properties, organizations can choose which combination of printer metadata defines the different printer administrator scopes.
To support this flexibility, printer metadata must be synced periodically from Universal Print to Microsoft Entra ID. This can be done by running a script, such as the following sample, or by any other form of automation.
The following sample provides a starting reference; customers should modify the script to meet their own deployment needs.
Sample PowerShell Script
$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "Printer.Read.All"
$tenantId = (Get-MgContext).TenantId
Write-Host "Starting processing of Universal Print printers in tenant $tenantId"
# This streams pages of printers and does not require them to all be loaded at once.
Get-MgPrintPrinter -All -ExpandProperty "connectors" | ForEach-Object -Process {
    $printer = $_
    Write-Host "Fetching Microsoft Entra ID device for printer $($printer.DisplayName)"
    $device = Get-MgDevice -Filter "deviceId eq '$($printer.Id)'" -Top 1
    if (-not $device) {
        # No device object exists for this printer; skip it instead of calling
        # Update-MgDevice with an empty device id.
        Write-Warning "No Microsoft Entra ID device found for printer $($printer.DisplayName) ($($printer.Id))"
        return
    }
    # The display name of the Microsoft Entra ID device is set to the initial display name
    # of the printer. This sets extensionAttribute1 to the current name.
    $extensionAttribute1 = "$($printer.DisplayName)"
    # If the printer was registered with the Universal Print connector then the
    # display name of the connector will be present in extensionAttribute2.
    $extensionAttribute2 = "$($printer.Connectors[0].DisplayName)"
    # If the printer has a country or region set in its location properties it
    # will be set to extensionAttribute3. Other location properties can be used
    # as well.
    $extensionAttribute3 = "$($printer.Location.CountryOrRegion)"
    $existingExtensionAttributes = $device.AdditionalProperties.extensionAttributes
    # Only write to the directory when at least one attribute has changed.
    if ($extensionAttribute1 -ne "$($existingExtensionAttributes.extensionAttribute1)" -or
        $extensionAttribute2 -ne "$($existingExtensionAttributes.extensionAttribute2)" -or
        $extensionAttribute3 -ne "$($existingExtensionAttributes.extensionAttribute3)")
    {
        Write-Host "Updating Microsoft Entra ID device extension attributes for printer $($printer.DisplayName)"
        Update-MgDevice -DeviceId $device.Id -BodyParameter @{
            "extensionAttributes" = @{
                "extensionAttribute1" = $extensionAttribute1
                "extensionAttribute2" = $extensionAttribute2
                "extensionAttribute3" = $extensionAttribute3
            }
        }
    }
}
Note
Execution of this sample script requires the user account to be either
- A "Windows 365 Administrator" and "Printer Administrator"
- Or, a "Global Administrator"
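Because the extension attributes written by the sync script decide which printers each dynamic administrative unit contains, it is worth reviewing the resulting delegation periodically. The following added example (not part of the article's sample) lists, per administrative unit, who holds the scoped Printer Administrator role and which printer devices are currently in scope; it assumes the Microsoft Graph PowerShell SDK v1.0 cmdlets and that the typed device object exposes SystemLabels and ExtensionAttributes.

```powershell
# Added example: audit scoped Printer Administrator delegation per administrative unit.
# Assumes Microsoft.Graph PowerShell SDK (v1.0 cmdlets) and directory read permissions.
$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "Directory.Read.All"

# Map activated directory role object ids to display names once;
# scopedRoleMembership.roleId refers to the directoryRole object, not the template.
$roleNames = @{}
Get-MgDirectoryRole -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

Get-MgDirectoryAdministrativeUnit -All | ForEach-Object {
    $au = $_
    $scoped = Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All
    $printerAdmins = @($scoped | Where-Object { $roleNames[$_.RoleId] -eq "Printer Administrator" })
    if ($printerAdmins.Count -eq 0) { return }   # this AU delegates no printer administration

    # Resolve device members to full device objects so systemLabels and the
    # extensionAttributes populated by the sync script can be read.
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All)
    $devices = @($members |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' } |
        ForEach-Object { Get-MgDevice -DeviceId $_.Id })
    $printers = @($devices | Where-Object { $_.SystemLabels -contains 'PrinterStandard' })

    Write-Host "AU '$($au.DisplayName)': $($printerAdmins.Count) scoped Printer Administrator(s), $($printers.Count) printer(s)"
    foreach ($a in $printerAdmins) {
        Write-Host "  admin:   $($a.RoleMemberInfo.DisplayName) ($($a.RoleMemberInfo.Id))"
    }
    foreach ($p in $printers) {
        $ext = $p.ExtensionAttributes
        Write-Host ("  printer: {0}  connector={1}  region={2}" -f $p.DisplayName, $ext.ExtensionAttribute2, $ext.ExtensionAttribute3)
    }
    # Members that are not Universal Print printers mean the AU is wider than its purpose,
    # usually because a membership rule lacks the systemLabels clause.
    $extra = $devices.Count - $printers.Count
    if ($extra -gt 0 -or $members.Count -gt $devices.Count) {
        Write-Warning "  AU '$($au.DisplayName)' contains $extra non-printer device(s) and $($members.Count - $devices.Count) non-device member(s)"
    }
}
```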
Scoped Admin vs Tenant Printer Admin
A scoped printer admin has many of the same access rights as the tenant Printer Administrator role. The following table summarizes the similarities and differences.
| Admin Action | Printer Admin Role | Scoped Printer Admin¹ |
|---|---|---|
| Register Printer | Yes | Yes² |
| Register Connector | Yes | Yes² |
| Unregister Printer | Yes | Yes |
| Unregister Connector | Yes | No |
| List Printers | Yes | Yes³ |
| List Printer Shares | Yes | Yes³ |
| List Connectors | Yes | Yes³ |
| Printer Properties | Yes | Yes³ |
| Printer Share Properties | Yes | Yes³ |
| Sharing Printer | Yes | Yes |
| Printer Access Control | Yes | Yes |
| Swap Printer Share | Yes | Yes |
| View Job Status in Print Queue | Yes | Yes |
| Document Conversion | Yes | No |
| Usage and Reports | Yes | No |

Note:
1. Scoped admins can only manage the set of printers defined in the Azure AU configuration, unless otherwise specified.
2. Scoped admins can perform the action on any printer or connector.
3. Scoped admins see all printers, printer shares, and connectors, but are limited to read-only access to those outside the Azure AU configuration.