Managing Restricted Groups with Access Packages


In a recent discussion with Merill Fernando, Nathan McNulty explored the challenges of Restricted Management Admin Units and their impact on Access Packages and PIM (Privileged Identity Management). While these restrictions are intentional, Nathan provides a solution to work around them effectively.

Read the full article here: Managing Restricted Groups with Access Packages

You Should Know:

1. Understanding Restricted Admin Units

Restricted Admin Units in Azure AD limit administrative scope, but they can interfere with Access Packages and PIM. Here’s how to verify and adjust these settings:

# Check existing admin units (AzureAD PowerShell module)
Get-AzureADMSAdministrativeUnit

# Add a user to a restricted admin unit (replace the placeholders with object IDs from your tenant)
Add-AzureADMSAdministrativeUnitMember -Id <UnitID> -RefObjectId <UserID>

2. Fixing Access Packages with PowerShell

If Access Packages break due to restrictions, use these commands to reassign permissions:

# List all access packages (AzureADPreview module)
Get-AzureADMSAccessPackage

# Update access package policy (replace <PolicyID> with the assignment policy's ID)
Set-AzureADMSAccessPackageAssignmentPolicy -Id <PolicyID> -AllowedRequestors @("AllMembers")

3. PIM Workarounds

Privileged Identity Management may require manual role activation adjustments:

# Enable PIM role for a restricted admin unit (AzureADPreview: Open-AzureADMSPrivilegedRoleAssignmentRequest submits the PIM assignment request; a schedule object is required)
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule -Property @{ Type = "Once"; StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"); EndDateTime = (Get-Date).AddDays(90).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") }
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId <TenantID> -RoleDefinitionId <RoleID> -SubjectId <UserID> -Type adminAdd -AssignmentState Eligible -Schedule $schedule

4. Automating with Azure Logic Apps

To streamline access management, deploy an Azure Logic App that triggers on group changes:

{
  "actions": {
    "HTTP": {
      "type": "Http",
      "inputs": {
        "method": "POST",
        "uri": "https://graph.microsoft.com/v1.0/groups/<GroupID>/members/$ref",
        "body": {
          "@odata.id": "https://graph.microsoft.com/v1.0/users/<UserID>"
        },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://graph.microsoft.com"
        }
      },
      "runAfter": {}
    }
  }
}

5. Auditing and Logging

Ensure compliance by enabling Azure AD audit logs:

# Export audit logs (AzureADPreview module)
Get-AzureADAuditDirectoryLogs -Filter "activityDisplayName eq 'Add member to group'" -All $true | Export-Csv -Path "logs.csv" -NoTypeInformation
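An added example, not from Nathan's article or the Undercode post, that ties sections 1 and 5 together: it inventories the restricted management admin units, lists the groups they contain, and then pulls only the "Add member to group" audit events that touched those groups. It uses the Microsoft Graph PowerShell SDK rather than the retired AzureAD module; the cmdlet and property names are the documented Graph v1.0 ones, while the output path and the 7-day window are assumptions.

```powershell
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports

# Read-only scopes: enough to enumerate admin units/members and query audit logs.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. Admin units flagged as restricted management (isMemberManagementRestricted = true).
$restrictedAUs = Get-MgDirectoryAdministrativeUnit -All -Property Id, DisplayName, IsMemberManagementRestricted |
    Where-Object { $_.IsMemberManagementRestricted -eq $true }
if (-not $restrictedAUs) { Write-Host "No restricted management admin units found."; return }

# 2. Groups inside those units: only roles scoped to the unit may change their membership.
$restrictedGroups = foreach ($au in $restrictedAUs) {
    Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object {
            [pscustomobject]@{
                AdminUnit = $au.DisplayName
                GroupId   = $_.Id
                GroupName = $_.AdditionalProperties['displayName']
            }
        }
}
$restrictedGroups | Format-Table -AutoSize

# 3. 'Add member to group' audit events from the last 7 days (assumed window), filtered to those groups.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Add member to group' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$hits = foreach ($e in $events) {
    # Assumption: the target resource of type 'Group' carries the group's object id.
    $group = $e.TargetResources | Where-Object { $_.Type -eq 'Group' } | Select-Object -First 1
    if ($group -and ($restrictedGroups.GroupId -contains $group.Id)) {
        $actor = if ($e.InitiatedBy.User) { $e.InitiatedBy.User.UserPrincipalName } else { $e.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            When   = $e.ActivityDateTime
            Actor  = $actor
            Group  = $group.DisplayName
            Result = $e.Result
        }
    }
}
# Output path is an assumption; adjust for your environment.
$hits | Sort-Object When | Export-Csv -Path ".\restricted-group-membership-changes.csv" -NoTypeInformation
```

Any row whose actor is not a principal holding a role scoped to that admin unit (for example the Logic App's managed identity from section 4) is worth a closer look.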

What Undercode Says:

Restricted Admin Units enhance security but require careful handling. By leveraging PowerShell, Azure Logic Apps, and PIM, admins can maintain access control without sacrificing functionality. Always audit changes and automate repetitive tasks to reduce errors.

Expected Output:

  • Functional Access Packages despite restrictions.
  • Automated PIM role assignments.
  • Detailed audit logs for compliance.

For deeper implementation, refer to Microsoft’s Admin Units Docs.

References:

Reported By: Nathanmcnulty Managing – Hackers Feeds