A customer project raised the following requirement: a department manager should be able to reset the passwords of the employees in his own team, but he does not want to maintain group memberships by hand.
To meet this requirement, I worked with the following features:
- Azure Active Directory administrative units
- Dynamic user membership rules
- Password Administrator role
Important: Azure Active Directory administrative units are only available with Azure AD Premium P1 (or higher). Dynamic membership rules for administrative units also require a P1 license for each member that the rule adds.
In order to work with dynamic user membership rules, it is important that the profiles of the accounts are maintained. By that I mean, for example, that the attribute department is set to "Trading" or the city is set to "Bern". The more attributes carry a value, the more precisely you can target users with the membership query rule, because the rule can only match on attributes that are actually populated. Let me now explain this in detail.
Let's take a look at an Azure AD account, more specifically the profile.
Now it's time to create an Administrative Unit. Let's imagine that Jon Prime is the department manager and he is assigned the "Password administrator" role scoped to this Administrative Unit only, not tenant-wide.
The Administrative Unit is created. Now the members of Jon Prime's team must be added to this Administrative Unit automatically, based on their profile attributes rather than a manually maintained group. Let's configure that. The first step is to navigate into the Administrative Unit.
Now Jon Prime can go to the following URL and log in.
For Jon Prime, the Administrative Unit is now visible with the members it contains. He can now reset the password for these members.
Important: he can do this only for the members of this Administrative Unit, not for any other accounts in the Azure Active Directory. Note also that the Password Administrator role, scoped or not, can only reset passwords of users who hold no admin role themselves (or who are Password Administrators); a team member with another admin role is not covered.
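The whole procedure described above, from creating the dynamic Administrative Unit to assigning the scoped Password Administrator role and verifying the result, can also be done from the Microsoft Graph PowerShell SDK. The following is an added example and not code from the original article; the display name "AU - Trading department", the department value "Trading", the UPN jon.prime@contoso.com and the Graph permission scopes are assumptions that you must adapt to your own tenant, and the account running it needs the Privileged Role Administrator role.

```powershell
# Added example (not from the original article). Assumed placeholders:
# AU display name, department value "Trading", and the UPN jon.prime@contoso.com.
Install-Module Microsoft.Graph -Scope CurrentUser   # once; PowerShell 5.1 or 7

# Scopes needed to create administrative units and directory role assignments.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# 1. Create the administrative unit with a dynamic membership rule.
#    Only users whose profile has department = "Trading" become members; the
#    rule is re-evaluated automatically whenever a user's attributes change.
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = "AU - Trading department"
    description                   = "Dynamic AU: all users with department = Trading"
    membershipType                = "Dynamic"
    membershipRule                = '(user.department -eq "Trading")'
    membershipRuleProcessingState = "On"
}

# 2. Look up the department manager and the built-in Password Administrator role.
$jon  = Get-MgUser -UserId "jon.prime@contoso.com"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"

# 3. Assign the role with the administrative unit as directory scope.
#    The scope "/administrativeUnits/<id>" is what limits the reset right to AU
#    members; a directoryScopeId of "/" would make Jon a tenant-wide Password Administrator.
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $jon.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}

# 4. Verify the membership. Dynamic evaluation can take a few minutes after creation,
#    so an empty list right away does not necessarily mean the rule is wrong.
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName,Department,City } |
    Format-Table DisplayName, Department, City

# 5. Verify that Jon's assignment is scoped to the AU and that he holds nothing broader.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($jon.Id)'" |
    Format-Table RoleDefinitionId, DirectoryScopeId
```

Step 5 is the check worth repeating after any later change: the expected output is exactly one assignment whose DirectoryScopeId starts with /administrativeUnits/, and no assignment with DirectoryScopeId "/". If the rule should combine several attributes, for example department and city, extend the membershipRule with `and`, such as `(user.department -eq "Trading") and (user.city -eq "Bern")`.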
I hope this article was useful. Thank you for taking the time to read the article.