How to Integrate Azure with Administrative Units
This guide shows you how to set up an advanced Azure platform integration using administrative units. With this approach, meshStack's replication service principal only receives group-management rights within one administrative unit instead of across your whole Entra tenant. We recommend it because it limits the blast radius of the integration's credentials.
What are Administrative Units?
Administrative Units are containers in Microsoft Entra ID (formerly Azure AD) that let you delegate administrative permissions to a restricted scope of resources. Instead of granting meshStack permission to create and manage groups across your entire tenant, you can limit its access to the groups inside a specific administrative unit.
Benefits of Using a Dedicated Administrative Unit with meshStack
We recommend you create a dedicated administrative unit for meshStack in your Entra tenant.
Here's a comparison of the permissions required for meshStack's replication service principal with the standard integration versus the integration with an administrative unit:

| Feature | Standard Integration Permissions | Integration Permissions with Administrative Units |
|---|---|---|
| User Discovery for Group Membership | `Directory.Read.All` (tenant scope): read all users and groups | `User.Read.All` and `AdministrativeUnit.Read.All` (tenant scope)*: read all users and administrative units |
| Manage Groups | `Group.ReadWrite.All` (tenant scope): create and delete groups, manage membership | `Groups Administrator` role (administrative unit scope): create and delete groups and manage membership only within the administrative unit |
| Invite Users (Azure B2B) | `User.Invite.All` (tenant scope, optional): invite Microsoft Entra B2B guest users into the tenant | `User.Invite.All` (tenant scope, optional): invite Microsoft Entra B2B guest users into the tenant |

\* User discovery stays tenant-scoped because Entra ID does not sufficiently support assigning users to an administrative unit managed by meshStack, so meshStack still has to read users across the tenant. The permission that is actually reduced is the write permission on groups.
Prerequisites
- Complete the standard Azure integration first
- Global Administrator or Privileged Role Administrator role in your Entra tenant, which is needed to create the Administrative Unit and to assign the scoped role
- A Microsoft Entra ID P1 or P2 license, which is required to use Administrative Units
Step-by-Step Setup Guide
1. Create an Administrative Unit
First, you'll create an Administrative Unit to contain all meshStack-managed identities:
- Sign in to the Microsoft Entra admin center with appropriate permissions
- Navigate to Identity > Roles & admins > Administrative units
- Click New administrative unit
- Configure the Administrative Unit:
  - Name: `meshStack-Users` (or your preferred naming convention)
  - Description: `Administrative Unit for meshStack managed users and groups`
  - Membership Type: Assigned. Dynamic membership rules can only select users or devices, so a unit that has to hold the groups meshStack creates must use assigned membership
- Click Create
- Go to Roles and administrators and assign the `Groups Administrator` role to the replication service principal created during the standard Azure integration. This allows meshStack to create and manage groups within this administrative unit only.
- Once the scoped role is in place, remove the tenant-wide `Group.ReadWrite.All` application permission that the standard integration granted to the replication service principal. As long as that permission remains, the administrative unit scope restricts nothing.
- Note down the Administrative Unit ID (the unit's Object ID) - you'll need it when configuring your Azure platform in meshStack
For automated setup, we recommend using the Azure meshPlatform Terraform Module with the `administrative_unit_name` variable set. This module creates the replication service principal, the administrative unit, and the proper role assignments automatically.
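If you prefer to script step 1 with the Azure CLI rather than clicking through the admin center or using the Terraform module, the following script is an added example; it is not code from the meshStack documentation or from the meshPlatform Terraform module. It talks to Microsoft Graph through `az rest`, creates the administrative unit, assigns Groups Administrator to the replication service principal with the unit as its directory scope, prints the Administrative Unit ID you need for step 2, and then runs the two checks worth doing afterwards: that the principal's Groups Administrator assignment is scoped to the unit rather than to `/` (the whole tenant), and that the tenant-wide `Group.ReadWrite.All` application permission from the standard integration is no longer granted. It assumes you are signed in with `az login` as a Privileged Role Administrator or Global Administrator and that you pass the object ID of the replication service principal as the only argument; the unit name, the description and all function names are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: script the administrative-unit setup for meshStack's
# replication service principal with the Azure CLI (`az rest` + Microsoft Graph).
# Not part of the meshStack docs or the meshPlatform Terraform module.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
# Role template ID of the built-in Groups Administrator directory role; unified
# RBAC uses the same value as roleDefinitionId.
GROUPS_ADMIN_ROLE_ID="fdd7a751-b60b-444a-984c-02652fe8fa1c"
# Well-known application ID of Microsoft Graph itself.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# JSON body for the administrative unit. Leaving membershipType unset gives an
# assigned-membership unit, the only kind that can contain groups.
administrative_unit_body() {
  printf '{"displayName":"%s","description":"%s"}' "$1" "$2"
}

# JSON body for a role assignment whose directory scope is the unit, not "/".
role_assignment_body() {
  printf '{"principalId":"%s","roleDefinitionId":"%s","directoryScopeId":"/administrativeUnits/%s"}' \
    "$1" "$GROUPS_ADMIN_ROLE_ID" "$2"
}

# Create the unit and return its object ID (the "Administrative Unit ID").
create_administrative_unit() {
  az rest --method POST --url "$GRAPH/directory/administrativeUnits" \
    --headers "Content-Type=application/json" \
    --body "$(administrative_unit_body "$1" "$2")" --query id -o tsv
}

# Grant Groups Administrator to the service principal, scoped to the unit.
assign_scoped_groups_admin() {
  az rest --method POST --url "$GRAPH/roleManagement/directory/roleAssignments" \
    --headers "Content-Type=application/json" \
    --body "$(role_assignment_body "$1" "$2")" --query id -o tsv
}

# Check 1: the scope of every Groups Administrator assignment the principal
# holds. Expect "/administrativeUnits/<id>"; a bare "/" means tenant-wide.
groups_admin_scopes() {
  az rest --method GET \
    --url "$GRAPH/roleManagement/directory/roleAssignments?\$filter=principalId%20eq%20'$1'" \
    --query "value[?roleDefinitionId=='$GROUPS_ADMIN_ROLE_ID'].directoryScopeId" -o tsv
}

# Resolve the tenant-specific app-role ID that Graph uses for an application
# permission name such as Group.ReadWrite.All.
graph_app_role_id() {
  az rest --method GET \
    --url "$GRAPH/servicePrincipals?\$filter=appId%20eq%20'$GRAPH_APP_ID'&\$select=appRoles" \
    --query "value[0].appRoles[?value=='$1'].id | [0]" -o tsv
}

# Check 2: number of app-role assignments granting the named Graph permission
# to the principal. Anything other than 0 means it is still held tenant-wide.
count_tenant_wide_permission() {
  local role_id
  role_id="$(graph_app_role_id "$2")"
  az rest --method GET --url "$GRAPH/servicePrincipals/$1/appRoleAssignments" \
    --query "length(value[?appRoleId=='$role_id'])" -o tsv
}

main() {
  local sp_object_id="$1" au_id
  au_id="$(create_administrative_unit "meshStack-Users" \
    "Administrative Unit for meshStack managed users and groups")"
  assign_scoped_groups_admin "$sp_object_id" "$au_id" >/dev/null
  echo "Administrative Unit ID (enter this in meshStack): $au_id"
  echo "Groups Administrator scopes for the principal:"
  groups_admin_scopes "$sp_object_id"
  if [ "$(count_tenant_wide_permission "$sp_object_id" Group.ReadWrite.All)" != "0" ]; then
    echo "WARNING: Group.ReadWrite.All is still granted tenant-wide; remove it" >&2
  fi
}

# Usage: ./setup-au.sh <object ID of the replication service principal>
if [ "$#" -eq 1 ]; then main "$1"; fi
```

The role assignment goes through the unified RBAC endpoint (`/roleManagement/directory/roleAssignments`) with `directoryScopeId` set to the unit, which is the same thing the admin center does when you assign a role from inside the unit's Roles and administrators blade. The second check matters more than it looks: a scoped role assignment and a tenant-wide application permission are evaluated independently, so the scope only means something once the old grant is gone.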
2. Configure the Azure Platform in meshStack
In meshStack, navigate to the configuration of your platform and, in the Replication Behavior section under Administrative Unit ID, insert the ID of the administrative unit you created in the previous step.