Azure Identity And Access Management Part 30 – Azure Active Directory – Domain Service ( Azure AD-DS) 5 – Create An Organizational Unit (OU)

Hello Friends,

Hope you all are safe and doing good !!!

In our last articles we have discussed , how to Install Management Tools In A Domain Joined VM. Today In this article, we will continue with Azure AD DS and will see How to Create An Organizational Unit (OU).

If you have missed our previous articles on Azure Identity And Access Management (IAM), please check it in following links.

Part 1 – Azure Active Directory – Overview

Part 2 – Azure Active Directory – Enterprise Users

Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell

• *
• *
• *

Part 20 – Azure Active Directory – Entitlement Management 2 – Entitlement Management Roles 1 – Administrator And Catalog Creator

Part 21 – Azure Active Directory – Entitlement Management 3 – Entitlement Management Roles 2 – Access Package Manager

Part 22 – Azure Active Directory – Entitlement Management 4 – Entitlement Management Roles 3 – Requestor And Approver

Part 23 – Azure Active Directory – Terms Of Use

Part 25 – Azure Active Directory – Identity Governance

Part 26 – Azure Active Directory – Domain Service ( Azure AD-DS) 1 – Overview

Part 27 – Azure Active Directory – Domain Service ( Azure AD DS) 2 – Configure An Azure AD DS Managed Domain

Part 28 – Azure Active Directory – Domain Service ( Azure AD-DS) 3 – Join Windows Server VM To An Azure AD DS Managed Domain

Part 29 – Azure Active Directory – Domain Service ( Azure AD-DS) 4 – Install Management Tools In A Domain Joined VM

Next Article : Part 31 – Azure Active Directory – Domain Service ( Azure AD-DS) 6 – Manage Group Policy Object (GPO)

Active Directory Administrative Center :

Administrators can use Active Directory Administrative Center to perform common AD object management tasks. Using Active Directory Administrative Center, we can perform the following Active Directory administrative tasks.

• Create new user accounts or manage existing user accounts.
• Create new groups or manage existing groups.
• Create new computer accounts or manage existing computer accounts.
• Create new organizational units (OUs) and containers or manage existing OUs.
• Connect to one or several domains or domain controllers in the same instance of Active Directory Administrative Center, and view or manage the directory information for those domains or domain controllers.
• Filter Active Directory data by using query-building search.

Active Directory Organizational Unit (OU) :

Organizational unit in active directory is a container where we can place users, computers, groups and other organization units even. OU are helps to create logical structure of the AD. We can use it to assign group policies and manage the resources.

There are following two built-in default Organizational unit created when we configured Azure AD DS managed domains.

• AADDC Computers - contains computer objects for all computers that are joined to the managed domain.
• AADDC Users - includes users and groups synchronized in from the Azure AD tenant.

Create A Custom Organizational Unit OU :

In our last article, we have discussed how to install Active Directory Administrative Tools in a domain-joined VM. Using Active Directory Administrative Center tool, we can view, edit, and create resources in a managed domain, including OU.

Prerequisite :

Before we proceed to create our custom Organization Unit, we need the following resources and privileges.

• An Azure Active Directory Domain Services managed domain enabled and configured in our Azure AD tenant
• A Windows Server management VM that is joined to the Azure AD DS managed domain.
• All Administrative tools installed in the domain joined VM.
• A user account that’s a member of the Azure AD DC administrators group in our Azure AD tenant.

In the following figure it is showing ,there are two user in the ADD DC Administrators group. In today’s lab , we are going to use ‘Uday Joshi‘ account.

Lab Exercise :

Let’s go through the following steps to create a custom Organisational Unit for our Knowledge Junction unit in Managed Domain.

Step 1 – Login to Azure Portal and Create a new Window Server Virtual Machine (VM) under same VNet where we have configured our Azure AD DS but make sure we are creating the VM in different subnet. I have created a virtual machine named as ‘Manas-AADDS’.

Step 2 – Let’s connect the VM. As we an see in the following figure, there are different ways to connect with VM. Here I am connecting the VM through BASTION . In the Overview pane for our VM, select Connect, then Bastion => provide the credentials of an user, who is a member of built-in ADD DC Administrators group and click Connect to connect the VM.

Step 3 – After we connected to the VM, select Administrative Tools from the Start screen. A list of available management tools is shown that were installed in our previous article to configure a management VM.

Step 4 – Select Active Directory Administrative Center from the list of administrative tools to create and manage OU as shown in the above figure.

Step 5 – From the left menu, let’s select our managed domain, In our case  manasmoharana.onmicrosoft.com. It will show a list of existing OUs and resources as shown in the following figure.

Step 6 – Now to create a custom OU, from the Tasks pane shown on the right side of the Active Directory Administrative Center, select New > Organizational Unit as shown in the following figure.

Step 7 – In the Create Organizational Unit window, specify a Name for our new OU, such as knowledge Junction and a short description for the OU. If we want, we can also set the Managed By field for the OU. To create the custom OU, select OK.

Step 8 – Once we successfully created the custom OU, the window will send back to Active Directory Administrative Center, where we can see the custom OU now listed and is available as showing in the following figure.

Once we created our custom Organization Unit, we can add user and groups to the OU. As we can see in the following figure, options are available for the same.

Create New User In Organization Unit :

To create a New User under the OU, we should click on New => User. Then it will open a new wizard as showing in the following figure. In that wizard, we need to provide User Name, Description and other required information before click OK button. But this user can not move to Azure AD from managed domain.

Create New Group In Organization Unit :

To create a New Group under the OU, we should click on New => Group. Then it will open a new wizard as showing in the following figure. In that wizard, we need to provide Group Name, Description, Group Type and other required information before click OK button. But this group can not move to Azure AD from managed domain.

We can see all users and groups created under Knowledge Junction OU as shown in the following figure.

With the above information, I am concluding this article. Hope this post helps you. As I am exploring the Azure Identity and Access Management (IAM) in a detail level specially with active directory . Please let me know if I missed anything important or if my understanding is not up to mark.

Next Article : Part 31 – Azure Active Directory – Domain Service ( Azure AD-DS) 6 – Manage Group Policy Object (GPO)

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.

Thanks for reading 🙂