Dynamic administrative units for users & devices [Public Preview]
With dynamic administrative units, you no longer have to manually manage membership of your administrative units (or write your own automation to manage it for you).
Indeed, I previously used a custom script in order to populate the Administrative Units with members, and it can take some time to finish…
Instead, Azure AD allows you to specify a query based on user or device attributes, and then maintains the membership for you.
Create a rule for easy user membership management
To create a dynamic membership rule, go to an administrative unit and click on the Properties tab. In this example, we have an administrative unit representing the Human Resources department.
On the Properties blade, set the Membership Type to Dynamic User. Then click Add dynamic query to create a dynamic rule.
Here we’ve used the rule builder to create a basic rule which includes all users whose department is “Human Resources.” You can also build more complex rules using the same syntax you use for dynamic groups (see this page for details on how to do so).
Once you’ve created the rule, click Save to save the rule syntax. Then, click Save again on the Properties blade to save the membership changes to the administrative unit. Within a few minutes, the dynamic groups engine will start to populate the administrative unit with the users that match the rule.
Now, you can go to the Roles and administrators tab to delegate administrative roles over the administrative unit and be assured that the scope will be automatically kept up to date by the dynamic membership engine.
In this example, we’re delegating the ability to manage passwords for employees in the Human Resources department by assigning the Password Administrator role scoped to the Human Resources administrative unit.
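Before delegating a role over a dynamic administrative unit, it helps to preview who the rule would pull into scope. The sketch below is an added example, not code from this post or from Microsoft: it is a simplified offline approximation that handles only `-eq` clauses joined by `-and`, the user records are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample users; in practice this would be a directory export.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Human Resources", "country": "US"},
    {"userPrincipalName": "bob@contoso.example", "department": "human resources", "country": "DE"},
    {"userPrincipalName": "carol@contoso.example", "department": "Finance", "country": "US"},
    {"userPrincipalName": "dave@contoso.example", "department": None, "country": "US"},
]

# One clause of the form: user.<attribute> -eq "<value>", optionally parenthesised.
CLAUSE = re.compile(r'^\(?\s*user\.(\w+)\s+-eq\s+"([^"]*)"\s*\)?$', re.IGNORECASE)


def parse_rule(rule):
    """Split a rule into (attribute, value) pairs; anything else is rejected."""
    clauses = []
    for part in re.split(r"\s+-and\s+", rule.strip(), flags=re.IGNORECASE):
        m = CLAUSE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def matches(user, clauses):
    """True when every clause holds for this user record."""
    for attr, value in clauses:
        actual = user.get(attr)
        # Assumption: string comparison is case-insensitive, and an unset
        # attribute never equals a value.
        if actual is None or str(actual).casefold() != value.casefold():
            return False
    return True


def preview_membership(rule, users):
    """Return the UPNs the rule would place in the administrative unit."""
    clauses = parse_rule(rule)
    return [u["userPrincipalName"] for u in users if matches(u, clauses)]


def scope_drift(rule, users, expected):
    """Compare rule output with the intended scope: (unexpected, missing)."""
    actual = set(preview_membership(rule, users))
    return sorted(actual - set(expected)), sorted(set(expected) - actual)
```

Running `scope_drift` against the list of accounts the delegated administrator is meant to manage shows any user the rule adds or omits before the role assignment takes effect.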
Azure AD RBAC: Dynamic administrative units now in public preview for users & devices – Microsoft Tech Community