Administrative Units (AUs) and Restricted Management Administrative Units (RMAUs) are powerful yet underused features of Microsoft Entra ID (formerly Azure AD). Many organizations over-privilege their admins because they do not understand how an AU can scope a directory role to a subset of users, groups and devices, which is exactly what enforcing the principle of least privilege requires.
You Should Know:
1. Creating an Administrative Unit
To create an AU in Entra ID with the AzureAD PowerShell module:
Connect-AzureAD
New-AzureADMSAdministrativeUnit -DisplayName "IT-Admins" -Description "Restricted IT Admin Unit"
2. Adding Members to an AU
Add-AzureADMSAdministrativeUnitMember -Id <AU-ObjectID> -RefObjectId <User-ObjectID>
3. Assigning Roles to AUs (Restricted Scoping)
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "User Administrator" }   # returns only roles already activated in the tenant (activate with Enable-AzureADDirectoryRole if missing)
$member = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo; $member.ObjectId = "<Admin-User-ObjectID>"   # the admin who receives the scoped role
Add-AzureADScopedRoleMembership -ObjectId <AU-ObjectID> -RoleObjectId $role.ObjectId -RoleMemberInfo $member   # -ObjectId is the AU; the role is effective only for objects inside it
4. Listing All AUs
Get-AzureADMSAdministrativeUnit | Select-Object DisplayName, Id
5. Enabling Restricted Management Admin Units (RMAU)
RMAU further restricts administrative access to only assigned users: objects inside a restricted unit can be modified only by admins holding a role scoped to that unit, and tenant-wide role holders (Global Administrator included) cannot touch them until explicitly scoped. The restriction is the isMemberManagementRestricted property, which can be set only when the unit is created and cannot be changed afterwards; the AzureAD module has no parameter for it, so the unit is created with Microsoft Graph PowerShell:
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"
New-MgDirectoryAdministrativeUnit -BodyParameter @{ displayName = "IT-Admins-RMAU"; description = "Restricted IT Admin Unit"; isMemberManagementRestricted = $true }
6. Verifying AU Membership
Get-AzureADMSAdministrativeUnitMember -Id <AU-ObjectID>
7. Removing a User from AU
Remove-AzureADMSAdministrativeUnitMember -Id <AU-ObjectID> -MemberId <User-ObjectID>
8. Deleting an AU
Remove-AzureADMSAdministrativeUnit -Id <AU-ObjectID>
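The eight steps above as one end-to-end script, added here as an example and not taken from the original post. It uses the Microsoft Graph PowerShell SDK, the module Microsoft now recommends in place of the deprecated AzureAD module; the unit name and the two user principal names are constructed, and the account running it must have consented to the listed scopes.

```powershell
# Added example (not from the original post): steps 1-8 with the Microsoft Graph PowerShell SDK.
# Constructed values: the AU display name and the two UPNs. Assumed: consent to the scopes below.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# Steps 1 and 5: create the unit. isMemberManagementRestricted is fixed at creation time,
# so a restricted unit (RMAU) is a new object, not a flag flipped on an existing AU.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                  = "Helpdesk-Tier1"                     # constructed
    description                  = "Accounts managed by the Tier 1 helpdesk"
    isMemberManagementRestricted = $true
}

# Step 2: add a managed user. Membership is a reference to a directoryObject.
$managedUser = Get-MgUser -UserId "alice@contoso.example"                # constructed UPN
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($managedUser.Id)"
}

# Step 3: grant "User Administrator" scoped to this unit only.
# DirectoryScopeId "/" would be tenant-wide; "/administrativeUnits/<id>" limits the role to the AU.
$helpdeskAdmin = Get-MgUser -UserId "helpdesk-admin@contoso.example"     # constructed UPN
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $helpdeskAdmin.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Steps 4 and 6: list all units, then verify members and scoped admins of the new one.
Get-MgDirectoryAdministrativeUnit -All |
    Select-Object DisplayName, Id, IsMemberManagementRestricted
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id |
    Select-Object Id, @{ n = "UPN"; e = { $_.AdditionalProperties["userPrincipalName"] } }
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    Select-Object RoleId, @{ n = "Principal"; e = { $_.RoleMemberInfo.DisplayName } }

# Steps 7 and 8: remove the member, then the unit (both require the AU-management roles).
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -DirectoryObjectId $managedUser.Id
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id
```

The scoped role assignment in step 3 is what actually shrinks the blast radius: the helpdesk admin can reset passwords for Alice but not for anyone outside the unit, and because the unit is restricted, a tenant-wide User Administrator cannot modify Alice either.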
Linux Equivalent (for Hybrid Environments)
If you manage hybrid identities from a Linux shell, the same object can be created with the Azure CLI. There is no `az ad administrative-unit` command group, so call the Microsoft Graph endpoint through `az rest` (the CLI obtains the Graph token for you):
az rest --method post --url "https://graph.microsoft.com/v1.0/directory/administrativeUnits" --headers "Content-Type=application/json" --body '{"displayName": "Linux-Admins", "description": "Linux Server Admins"}'
Windows Security Best Practices
- Always restrict global admin roles.
- Use Privileged Identity Management (PIM) for just-in-time access.
- Audit AU assignments regularly:
Get-AzureADMSAdministrativeUnit | ForEach-Object { Get-AzureADMSAdministrativeUnitMember -Id $_.Id }
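The audit bullet above, expanded into a report that covers what the one-liner does not: which role each admin holds, whether it is scoped to an AU or tenant-wide, and which units have no scoped admin at all. This is an added example, not from the original post; it uses the Microsoft Graph PowerShell SDK, and the watch-list of roles is a constructed choice.

```powershell
# Added example (not from the original post): periodic audit of AU-scoped and tenant-wide
# role assignments with the Microsoft Graph PowerShell SDK. The watch-list is a constructed choice.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AdministrativeUnit.Read.All", "Directory.Read.All"

# Tenant-wide ("/") assignments of these roles are surfaced as review findings.
$tenantWideWatchlist = @("Global Administrator", "Privileged Role Administrator", "User Administrator")

# Resolve role and AU display names once instead of per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }
$auNames = @{}
Get-MgDirectoryAdministrativeUnit -All | ForEach-Object { $auNames[$_.Id] = $_.DisplayName }

# Active assignments only; PIM *eligible* assignments live in roleEligibilitySchedules and are
# not returned here, which is the point of PIM: they are not standing privilege.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal

$report = foreach ($a in $assignments) {
    $roleName = $roleNames[$a.RoleDefinitionId]
    $auId = if ($a.DirectoryScopeId -like "/administrativeUnits/*") { $a.DirectoryScopeId.Split("/")[-1] } else { $null }
    # Users carry a UPN; groups and service principals only a displayName.
    $who = $a.Principal.AdditionalProperties["userPrincipalName"]
    if (-not $who) { $who = $a.Principal.AdditionalProperties["displayName"] }
    [pscustomobject]@{
        Principal = $who
        Role      = $roleName
        ScopeType = if ($auId) { "AU" } else { "Tenant-wide" }
        Scope     = if ($auId) { $auNames[$auId] } else { "/" }
        Finding   = if (-not $auId -and $roleName -in $tenantWideWatchlist) { "REVIEW: standing tenant-wide privilege" } else { "" }
    }
}
$report | Sort-Object ScopeType, Role, Principal | Format-Table -AutoSize

# Units nobody is scoped to are only manageable by tenant-wide admins, which defeats their purpose;
# for a restricted unit it means no one can modify the members at all.
$auIdsWithAdmins = $assignments |
    Where-Object { $_.DirectoryScopeId -like "/administrativeUnits/*" } |
    ForEach-Object { $_.DirectoryScopeId.Split("/")[-1] } | Sort-Object -Unique
$auNames.Keys | Where-Object { $_ -notin $auIdsWithAdmins } |
    ForEach-Object { "REVIEW: AU '$($auNames[$_])' ($_) has no scoped role assignment" }
```

Run this on a schedule and diff the output against the previous run; a new tenant-wide row in the watch-list, or an AU that suddenly loses its scoped admins, is the kind of change that should have a ticket behind it.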
What Undercode Say:
Administrative Units (AUs) and Restricted Management Administrative Units (RMAUs) are essential for minimizing the attack surface in Entra ID. By segmenting admin roles, organizations reduce the risk of lateral movement in breaches.
Additional Linux Security Commands:
# Check sudo access logs
sudo grep sudo /var/log/auth.log
# List users with UID 0 (root-equivalent)
awk -F: '($3 == "0") {print}' /etc/passwd
# Audit SSH access
sudo grep "Failed password" /var/log/auth.log
Windows Hardening Commands:
# Check Local Admin Group Members
Get-LocalGroupMember -Group "Administrators"
# Disable Inactive Users (on-premises AD; requires the ActiveDirectory RSAT module)
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Disable-ADAccount
Expected Output:
A structured, secure administrative model where only authorized personnel have access to critical systems, reducing overprivileged accounts and improving compliance.
Reported By: Nathanmcnulty Entraid – Hackers Feeds