Delegate Printer Administration with Azure Administrative Units
This functionality is in PREVIEW and subject to changes.
This article describes how Universal Print integrates with administrative units in Azure Active Directory (Azure AD). Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Printer Administrator role to regional print admins, so they can manage printers only in the region that they support.
Visit Administrative Units in Azure Active Directory for more details.
- A Azure AD Premium P1 license assigned to each administrative unit administrator
- A Universal Print-eligible license is assigned to each member of the administrative unit that is a Printer Administrator role
Configure Administrative Unit Policy
Step 1: Create the policy
Refer to Create or delete administrative units for additional details.
- Sign in to the Azure portal with a Privileged Role Administrator or Global Administrator account.
- Select Azure Active Directory > Administrative units.
- Select Add.
- In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
- Select Next: Assign roles >.
- Select Printer administrator role and then select the users to assign the role to with this administrative unit scope.
- On the Review + create tab, review the administrative unit and any role assignments.
- Select the Create button.
Step 2: Assign printers to be managed by scoped admin
Option 1: Dynamic printer membership rule
Refer to Manage users or devices for an administrative unit with dynamic membership rules for additional details.
After the administrative unit is initially created, go back to Administrative units.
Select the created administrative unit that you want to add printers to.
In the Membership type list, select Dynamic Device.
Select Add dynamic query.
Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.
In the rule builder
Property Operator Value deviceOSType Equals Printer displayName <any> <naming schema>
It can take some time for the list of printers in an administrative unit to be evaluated according to dynamic device membership rules.
Option 2: Static printer membership list
Refer to Add users, groups, or devices to an administrative unit for additional details.
- After the administrative unit is initially created, go back to Administrative units.
- Select the created administrative unit that you want to add printers to.
- Select Properties.
- In the Membership type list, select Assigned.
- If a change was made, remember to Save the changes.
- Select Devices.
- Select Add device.
- In the Select pane, select the printers you want to add to the administrative unit and then select Select.
Scoped Admin vs Tenant Printer Admin
A scoped printer admin has many of the access rights as a tenant Printer Administrator role. The following table summarizes the similarities and differences.
|Admin Action||Printer Admin Role||Scoped Printer Admin1|
|List Printer Shares||Yes||Yes3|
|Printer Share Properties||Yes||Yes|
|Printer Access Control||Yes||Yes|
|Swap Printer Share||Yes||Yes|
|View Job Status in Print Queue||Yes||Yes|
|Usage and Reports||Yes||No|
- Scoped admins can only manage the set of printer(s) defined in Azure AU policy configuration, unless otherwise specified.
- Scoped admins can perform the action on any printer or connector.
- Scoped admins see all printers, printer shares, and connectors, but are limited to read-only access to those outside of the Azure AU policy configuration.
Below are known issues with current preview functionality:
- Trying to swap the registered printer of a printer share fails with a forbidden error.
- Trying to download the document of a print job through Graph API fails with a forbidden error.
- After setting a printer share to "Allow access to everyone in my organization", the property setting is not returned as part of the printer share properties.