Delegate Printer Administration with Azure Administrative Units

Note

This functionality is in PREVIEW and subject to changes.

This article describes how Universal Print integrates with administrative units in Azure Active Directory (Azure AD). Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Printer Administrator role to regional print admins, so they can manage printers only in the region that they support.

Prerequisites

  • An Azure AD Premium P1 license assigned to each administrative unit administrator
  • A Universal Print-eligible license assigned to each member of the administrative unit who holds the Printer Administrator role

Configure Administrative Unit Policy

Step 1: Create the policy

Tip

Refer to Create or delete administrative units for additional details.

  1. Sign in to the Azure portal with a Privileged Role Administrator or Global Administrator account.
  2. Select Azure Active Directory > Administrative units.
  3. Select Add.
  4. In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
  5. Select Next: Assign roles >.
  6. Select the Printer Administrator role, and then select the users to assign the role to with this administrative unit scope.
  7. On the Review + create tab, review the administrative unit and any role assignments.
  8. Select the Create button.

Step 2: Assign printers to be managed by scoped admin

Option 1: Dynamic printer membership rule

  1. After the administrative unit is initially created, go back to Administrative units.

  2. Select the created administrative unit that you want to add printers to.

  3. Select Properties.

  4. In the Membership type list, select Dynamic Device.

  5. Select Add dynamic query.

  6. Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.

  7. In the rule builder, enter the following:

    Property      Operator  Value
    deviceOSType  Equals    Printer
    displayName   <any>     <naming schema>

Note

It can take some time for the list of printers in an administrative unit to be evaluated according to dynamic device membership rules.
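
The portal steps in Step 1 and Option 1, scripted against Microsoft Graph so the scope can be reviewed and re-checked. This is an added example, not part of the original article or Microsoft's own code; the administrative unit name, the "EMEA-" naming schema, and the admin's user principal name are assumed values.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example. All three values below are assumptions; replace them with your own.
$auName     = 'EMEA Printers'
$namePrefix = 'EMEA-'                        # assumed printer naming schema
$adminUpn   = 'print.admin@contoso.example'  # assumed regional print admin

# Sign in as a Privileged Role Administrator or Global Administrator.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'User.Read.All', 'Device.Read.All' | Out-Null
$graph = 'https://graph.microsoft.com/v1.0'

# Dynamic device rule: only printers whose name starts with the naming schema.
# -startsWith keeps the scope tighter than -contains, which would also match
# a printer named, for example, "APAC-EMEA-relay".
$rule = '(device.deviceOSType -eq "Printer") -and (device.displayName -startsWith "{0}")' -f $namePrefix

# Step 1 and Step 2 (Option 1): create the administrative unit with the rule.
$au = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/administrativeUnits" -Body @{
    displayName                   = $auName
    description                   = 'Printers managed by regional print admins'
    membershipType                = 'Dynamic'
    membershipRule                = $rule
    membershipRuleProcessingState = 'On'
}

# Resolve the Printer Administrator role definition and the admin's object id.
$roleUri = "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'Printer Administrator'"
$role = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value | Select-Object -First 1
if (-not $role) { throw 'Printer Administrator role definition not found.' }
$user = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$adminUpn"

# Assign the role scoped to this administrative unit only, not tenant-wide.
Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignments" -Body @{
    '@odata.type'    = '#microsoft.graph.unifiedRoleAssignment'
    principalId      = $user.id
    roleDefinitionId = $role.id
    directoryScopeId = "/administrativeUnits/$($au.id)"
} | Out-Null

# Review what the rule actually pulled in. Re-run later: evaluation takes time.
$membersUri = "$graph/directory/administrativeUnits/$($au.id)/members/microsoft.graph.device?`$select=id,displayName"
$members = (Invoke-MgGraphRequest -Method GET -Uri $membersUri).value
$unexpected = @($members | Where-Object { $_.displayName -notlike "$namePrefix*" })
"{0} device(s) in scope, {1} not matching the naming schema" -f @($members).Count, $unexpected.Count
$members | ForEach-Object { $_.displayName } | Sort-Object
```

Any printer listed here that the regional admin should not manage indicates a naming schema that is too broad for the rule.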

Option 2: Static printer membership list

Tip

Refer to Add users, groups, or devices to an administrative unit for additional details.

  1. After the administrative unit is initially created, go back to Administrative units.
  2. Select the created administrative unit that you want to add printers to.
  3. Select Properties.
  4. In the Membership type list, select Assigned.
  5. If a change was made, remember to Save the changes.
  6. Select Devices.
  7. Select Add device.
  8. In the Select pane, select the printers you want to add to the administrative unit and then select Select.

Scoped Admin vs Tenant Printer Admin

A scoped printer admin has many of the same access rights as a tenant Printer Administrator. The following table summarizes the similarities and differences.

Admin Action                    Printer Admin Role  Scoped Printer Admin (1)
Register Printer                Yes                 Yes (2)
Register Connector              Yes                 Yes (2)
Unregister Printer              Yes                 Yes
Unregister Connector            Yes                 No
List Printers                   Yes                 Yes (3)
List Printer Shares             Yes                 Yes (3)
List Connectors                 Yes                 Yes (3)
Printer Properties              Yes                 Yes
Printer Share Properties        Yes                 Yes
Sharing Printer                 Yes                 Yes
Printer Access Control          Yes                 Yes
Swap Printer Share              Yes                 Yes
View Job Status in Print Queue  Yes                 Yes
Document Conversion             Yes                 No
Usage and Reports               Yes                 No

Note:

  1. Scoped admins can only manage the set of printer(s) defined in Azure AU policy configuration, unless otherwise specified.
  2. Scoped admins can perform the action on any printer or connector.
  3. Scoped admins see all printers, printer shares, and connectors, but are limited to read-only access to those outside of the Azure AU policy configuration.

Known Issues

Below are known issues with the current preview functionality:

  • Trying to swap the registered printer of a printer share fails with a forbidden error.
  • Trying to download the document of a print job through Graph API fails with a forbidden error.
  • After setting a printer share to "Allow access to everyone in my organization", the property setting is not returned as part of the printer share properties.