
Step-by-Step Guide to create an Organizational Unit (OU) in Microsoft Entra Domain Services

An organizational unit (OU) in Active Directory is a container in which you can place users, computers, groups and even other organizational units. OUs help you build a logical structure for the directory, and you can use them to link Group Policy and delegate management of the resources they hold. This is common practice in an on-premises domain environment, but what about an Azure managed domain? Can engineers use the same method?

The answer is YES, but with some limitations. Because it is a managed domain, you do not have full control over functions such as complex Group Policy; I will explain those in a later article. Organizational units, however, can be created and managed in an Azure managed domain. There is no option in the Azure portal to create them; they must be created from a PC or server that is joined to the Azure AD managed domain.

I wrote an article about adding a VM to the Azure managed domain, and it is a good place to start: http://www.rebeladmin.com/2016/05/step-step-guide-manage-azure-active-directory-domain-service-aad-ds-managed-domain-using-virtual-server/ . You must complete that step before you can create an organizational unit.

You also need to be a member of the AAD DC Administrators group.

Create Organizational Unit (OU)

In my demo I am using a Windows Server 2016 TP5 server that is joined to the managed domain, and I am logged in as a member of the AAD DC Administrators group.

VM properties

I have also already installed the AD DS and AD LDS Tools (Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools).

add AD tools

To start the process, go to Server Manager > Tools > Active Directory Administrative Center.

access ADAC

In the left-hand pane of the console, click on the managed domain.

list Organizational Units

In the right-hand pane, under Tasks, click New > Organizational Unit.

add Organizational Units

In the next window, provide the information about the new OU and click OK to complete.

Organizational Units settings

You can then see the new OU listed.

new Organizational Unit

By default, the user account I used to create the OU has full permissions to control the OU.

Organizational Unit permission

Now you can create new users and groups under this OU. But keep in mind that you CANNOT move users or groups that are already under the AADDC Users OU. That is the default OU for users and groups added via the Azure portal.

Organizational Unit properties

Also, users and groups added under the new OU will not be visible in the Azure portal; they exist only inside the managed domain environment.
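The same procedure as the console steps above, plus the two caveats just described (the creator's default full control, and the AADDC Users move restriction), done from PowerShell on the domain-joined server. This is an added example, not a script from the original article; the managed domain name contoso.com, the OU name "Corp Servers", the service account "svc-backup" and the synced user "John Doe" are assumptions for illustration.

```powershell
# Added example (not from the original article): create an OU in an Entra Domain Services
# managed domain using the ActiveDirectory module, run on a domain-joined server as a
# member of "AAD DC Administrators". Domain, OU and account names are assumed.
$ManagedDomain = 'contoso.com'          # assumed managed domain DNS name
$DomainDN      = 'DC=contoso,DC=com'    # its distinguished name
$OuName        = 'Corp Servers'         # assumed OU name

# 1. Prerequisite: RSAT "AD DS and AD LDS Tools" must be installed on this server.
if (-not (Get-WindowsFeature -Name RSAT-AD-Tools).Installed) {
    Install-WindowsFeature -Name RSAT-AD-Tools | Out-Null
}
Import-Module ActiveDirectory -ErrorAction Stop

# 2. Prerequisite: the current user must be a member of AAD DC Administrators,
#    otherwise the managed domain denies the OU creation.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
$admins = Get-ADGroupMember -Identity 'AAD DC Administrators' -Server $ManagedDomain -Recursive |
          Select-Object -ExpandProperty SamAccountName
if ($admins -notcontains $me) {
    throw "$me is not a member of AAD DC Administrators; OU creation will be denied."
}

# 3. Create the OU at the domain root, skipping it if it already exists (safe to re-run).
$ouDN = "OU=$OuName,$DomainDN"
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'" -Server $ManagedDomain)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -Server $ManagedDomain `
        -Description 'Created from a domain-joined VM; not visible in the Azure portal' `
        -ProtectedFromAccidentalDeletion $true
}

# 4. Check who controls the new OU. By default the creating account gets full control,
#    so review this before delegating anything further.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# 5. Populate the OU. Objects created here exist only in the managed domain and
#    will not appear in the Azure portal.
New-ADUser -Name 'svc-backup' -SamAccountName 'svc-backup' -Path $ouDN -Server $ManagedDomain `
    -AccountPassword (Read-Host -AsSecureString -Prompt 'Password for svc-backup') -Enabled $true

# 6. Caveat: users and groups added via the Azure portal live under "AADDC Users" and
#    cannot be moved into a custom OU. Catch the rejected move rather than assuming success.
try {
    $synced = Get-ADUser -Filter "Name -eq 'John Doe'" -SearchBase "OU=AADDC Users,$DomainDN" `
                         -Server $ManagedDomain   # assumed user synced from the portal
    Move-ADObject -Identity $synced.DistinguishedName -TargetPath $ouDN -Server $ManagedDomain -ErrorAction Stop
} catch {
    Write-Warning "Move rejected, as expected for AADDC Users objects: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the server that was joined to the managed domain; the `-Server` parameter keeps every call pointed at the managed domain rather than at any other domain the machine can resolve, and step 2 fails early with a clear message instead of an access-denied error buried in step 3.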

More info: https://learn.microsoft.com/en-us/entra/identity/domain-services/create-ou

I hope this article was helpful. If you have any questions, feel free to contact me at rebeladm@live.com.
