AADAdministrativeUnit

Parameters

Parameter Attribute DataType Description Allowed Values
DisplayName Key String DisplayName of the Administrative Unit
Id Write String Object-Id of the Administrative Unit
Description Write String Description of the Administrative Unit
Visibility Write String Visibility of the Administrative Unit. Specify HiddenMembership if members of the AU are hidden
IsMemberManagementRestricted Write Boolean Indicates whether the management rights on resources in the administrative units should be restricted to ONLY the administrators scoped on the administrative unit object.
MembershipType Write String Specify membership type. Possible values are Assigned and Dynamic. Note that the functionality is currently in preview.
MembershipRule Write String Specify membership rule. Requires that MembershipType is set to Dynamic. Note that the functionality is currently in preview.
MembershipRuleProcessingState Write String Specify dynamic membership-rule processing-state. Valid values are 'On' and 'Paused'. Requires that MembershipType is set to Dynamic. Note that the functionality is currently in preview.
Members Write MSFT_MicrosoftGraphMember[] Specify members. Only specify if MembershipType is NOT set to Dynamic
ScopedRoleMembers Write MSFT_MicrosoftGraphScopedRoleMembership[] Specify Scoped Role Membership. Note: Any groups must be role-enabled
Ensure Write String Present ensures the Administrative Unit exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Intune Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory application to authenticate with.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.

MSFT_MicrosoftGraphMember

Parameters

Parameter Attribute DataType Description Allowed Values
Identity Write String Identity of member. For users, specify a UserPrincipalName. For groups, devices and serviceprincipals, specify DisplayName
Type Write String Specify User, Group or Device to interpret the identity for Members. Specify User, Group or ServicePrincipal for ScopedRoleMembers. User, Group, Device, ServicePrincipal

MSFT_MicrosoftGraphScopedRoleMembership

Parameters

Parameter Attribute DataType Description Allowed Values
RoleName Write String Name of the Azure AD Role that is assigned. See https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope
RoleMemberInfo Write MSFT_MicrosoftGraphMember Member that is assigned the scoped role. Note: Any groups must be role-enabled

Description

This resource configures an Azure AD Administrative Unit.

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • AdministrativeUnit.Read.All, RoleManagement.Read.Directory
  • Update

    • AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Application.Read.All, Device.Read.All, Group.Read.All, RoleManagement.Read.Directory, User.Read.All

Application permissions

  • Read

    • AdministrativeUnit.Read.All, RoleManagement.Read.Directory
  • Update

    • AdministrativeUnit.Read.All, AdministrativeUnit.ReadWrite.All, Application.Read.All, Device.Read.All, Group.Read.All, RoleManagement.Read.Directory, User.Read.All

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            DisplayName                   = 'Test-Unit'
            Description                   = 'Test Description'
            MembershipRule                = "(user.country -eq `"Canada`")"
            MembershipRuleProcessingState = 'On'
            MembershipType                = 'Dynamic'
            IsMemberManagementRestricted  = $False;
            ScopedRoleMembers             = @(
                MSFT_MicrosoftGraphScopedRoleMembership
                {
                    RoleName       = 'User Administrator'
                    RoleMemberInfo = MSFT_MicrosoftGraphMember
                    {
                        Identity = "admin@$TenantId"
                        Type     = "User"
                    }
                }
            )
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}

Example 2

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            DisplayName                   = 'Test-Unit'
            Description                   = 'Test Description Updated' # Updated Property
            Visibility                    = 'Public'
            MembershipRule                = "(user.country -eq `"US`")" # Updated Property
            MembershipRuleProcessingState = 'On'
            MembershipType                = 'Dynamic'
            IsMemberManagementRestricted  = $False
            ScopedRoleMembers             = @(
                MSFT_MicrosoftGraphScopedRoleMembership
                {
                    RoleName       = 'User Administrator'
                    RoleMemberInfo = MSFT_MicrosoftGraphMember
                    {
                        Identity = "AdeleV@$TenantId" # Updated Property
                        Type     = "User"
                    }
                }
            )
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}

Example 3

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AADAdministrativeUnit 'TestUnit'
        {
            DisplayName                   = 'Test-Unit'
            Ensure                        = 'Absent'
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}