Edit

Limiting the Scope of RealmJoin Portal

Use of Administrative Units with RealmJoin

RealmJoin Portal supports Microsoft Entra ID Administrative Units (AU).

Restricted Management Administrative Unit

To hide/protect some sensitive groups from RealmJoin, you can create a restricted management Administrative Unit in Microsoft Entra ID. After creating that restricted AU, you can assign sensitive groups to that AU and "hide" these groups from RealmJoin Portal (and everybody using the RealmJoin Portal). This is a good idea for high-sensitive groups that you want to protect, e.g. groups used for granting permissions/roles or to exclude users from certain Conditional Access Policies etc. Users and applications must explicitly be granted/added to the scope of the AU to be able to interact with groups that are "protected" by the restricted management AU.

To make use of restricted management administrative units, there are no settings needed in RealmJoin.

  • You can read more about Restricted management administrative units in Microsoft Entra ID here.

  • To create a restricted AU, you can follow Microsoft's guide here.

  • To add groups you want to protect to the restricted AU as well as administrators that you want to allow to interact with these groups, please see this guide here.

Assigning a dedicated Administrative Unit to RealmJoin Portal

To fully "encapsulate" RealmJoin Portal, you can create a dedicated AU (default non-restricted) and assign the RealmJoin Portal app to that AU. As a result, RealmJoin Portal will create groups only in that specific AU - and is also only able to interact with groups that are specifically in scope of this AU.

  • To create an AU, you can follow Microsoft's guide

  • To add groups to the AU scope so that RealmJoin is still able to interact with these groups, please see this guide

  • To assign roles with administrative unit scope, please see this guide

Enable RealmJoin to use Administrative Units

  1. Create AU in Entra (default, not restricted).

  2. In the AU, permanently assign the role "Group Administrator" to the RealmJoin Portal app (Application ID: "b0130885-16be-4c6f-83de-5b1042b5d2e3").

  3. Add the Microsoft Graph API permission "AdministrativeUnit.Read.All" (type "Application") to the RealmJoin Portal app (Application ID: "b0130885-16be-4c6f-83de-5b1042b5d2e3").

  4. Especially if you already use the RealmJoin Portal, move all groups that RealmJoin should be able to interact with to the scope of the AU (e.g. existing app groups or permission groups).

  5. Create a ticket with the RealmJoin Support and provide the ObjectID of the AU you created.

  6. Wait for verification from RealmJoin Support.

  7. Now you can safely remove the following application permissions from the RealmJoin Portal app (Application ID: "b0130885-16be-4c6f-83de-5b1042b5d2e3") as these are not AU-aware: "Group.ReadWrite.All" & "GroupMember.ReadWrite.All" Instead the Entra Role "Group Administrator" is used. Make sure that you added the role beforehand (Step 2).

Please keep in mind that you can only add/remove the Microsoft Graph API permissions via Graph!

You can use the Grant-Script from the RealmJoin Portal features page shown below to add the "AdministrativeUnit.Read.All" permission.

  • Copy the script, add the permission in the marked $permissions section, execute the script, confirm execution in the Portal.

  • RealmJoin will automatically check for the new permission and will display it in the granted section.

  • For removal of "Group.ReadWrite.All" & "GroupMember.ReadWrite.All" you can use the "Revoke" option next to the permissions to generate a script only for that specific permission.

Last updated

Was this helpful?