{"id":31079737,"url":"https://github.com/compcode1/assign-ua-role-au-scope","last_synced_at":"2025-09-16T10:59:24.271Z","repository":{"id":310694546,"uuid":"1040851319","full_name":"Compcode1/assign-ua-role-au-scope","owner":"Compcode1","description":"This micro-project simulates assigning the User Administrator role scoped to a specific Administrative Unit (AU) in Microsoft Entra ID. It reinforces key principles of delegated identity management, scope limitation, and governance hygiene as defined by the Entra Control Stack model.","archived":false,"fork":false,"pushed_at":"2025-08-19T16:28:25.000Z","size":7,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-19T18:36:18.927Z","etag":null,"topics":["au-configuration","auditability","least-privilege","role-scoping","ua-role"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Compcode1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-19T15:45:07.000Z","updated_at":"2025-08-19T16:28:28.000Z","dependencies_parsed_at":"2025-08-19T18:36:21.525Z","dependency_job_id":"382b2c73-156e-4236-bdf7-6d6adf3d9319","html_url":"https://github.com/Compcode1/assign-ua-role-au-scope","commit_stats":null,"previous_names":["compcode1/assign-ua-role-au-scope"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Compcode1/assign-ua-role-au-scope","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fassign-ua-role-au-scope","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fassign-ua-role-au-scope/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fassign-ua-role-au-scope/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fassign-ua-role-au-scope/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Compcode1","download_url":"https://codeload.github.com/Compcode1/assign-ua-role-au-scope/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fassign-ua-role-au-scope/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275407724,"owners_count":25459379,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-16T02:00:10.229Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["au-configuration","auditability","least-privilege","role-scoping","ua-role"],"created_at":"2025-09-16T10:59:19.539Z","updated_at":"2025-09-16T10:59:24.262Z","avatar_url":"https://github.com/Compcode1.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Assign User Administrator Role at Administrative Unit (AU) Scope\n\nThis micro-project simulates assigning the **User Administrator** role scoped to a specific **Administrative Unit (AU)** in Microsoft Entra ID. It reinforces key principles of delegated identity management, scope limitation, and governance hygiene as defined by the Entra Control Stack model.\n\n## 🧭 Scenario\n\nWe need to delegate user management responsibilities for the **Marketing Department** without granting tenant-wide administrative privileges. To do this, we’ll scope the **User Administrator** role to the **Marketing AU**, ensuring localized control and minimizing risk of over-privilege.\n\n## 🔧 Step-by-Step Action Flow (Simulated)\n\n- Navigate to **Microsoft Entra Admin Center** → **Identity** → **Administrative Units**\n- Select or create the **Marketing AU**\n- Add a user (e.g., `julia_admin@contoso.com`) to the AU\n- Go to **Roles and administrators**\n- Assign the **User Administrator** role, scoped specifically to the **Marketing AU**\n- Confirm that `julia_admin@contoso.com` appears under role assignments for that AU\n\n## 🔐 Entra Control Stack Mapping\n\n| Layer | Description |\n|-------|-------------|\n| **Layer 1 – Authority Definition** | ✅ Confirmed via Global Admin or Privileged Role Admin initiating the scoped role assignment |\n| **Layer 2 – Scope Boundaries** | ✅ Primary control layer. AU used to limit the scope of User Administrator privileges |\n| **Layer 3 – Test Identity Validation** | ✅ Confirm `julia_admin` can manage users within the AU but cannot access users outside it |\n| **Layer 4 – External Entry Controls** | ❌ Not affected. This scenario deals with internal delegation |\n| **Layer 5 – Privilege Channels** | ✅ Scoped role assignment is a governed privilege channel |\n| **Layer 6 – Device Trust Enforcement** | ❌ Not impacted. No Conditional Access or device policy applied in this simulation |\n| **Layer 7 – Continuous Verification** | ✅ Role assignment should be periodically reviewed via Access Reviews and audit logs |\n\n## 📌 Observations and Best Practices\n\n- Scoped roles via Administrative Units provide granular control over identity management tasks\n- Role assignment should always be documented and reviewed regularly\n- Logging and Access Reviews should be configured to support visibility and audit compliance\n\n## 📚 Part of the Entra Control Stack: Micro-Project Series\n\nThis project is part of a 5-part series designed to simulate real-world identity governance tasks within Microsoft Entra ID. Each project maps directly to the **seven-layer Entra Control Stack** to reinforce security architecture and operational integrity.\n\n## ✅ Series Progress\n\n- [x] Project 1 – Add a New Guest User  \n- [x] Project 2 – Change a Global Administrator to a Privileged Role Administrator  \n- [x] **Project 3 – Assign User Administrator Role at AU Scope** ← *This project*  \n- [ ] Project 4 – Remove a Stale User Account  \n- [ ] Project 5 – Create a Group and Assign Role\n\n---\n\nGitHub repo: https://github.com/CompCode1/assign-ua-role-au-scope\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fassign-ua-role-au-scope","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompcode1%2Fassign-ua-role-au-scope","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fassign-ua-role-au-scope/lists"}