Delegate printer administration using Azure Portal

As your Universal Print deployment scales up, it might become hard for one IT administrator to manage everything. You may want to delegate certain administrative tasks, like registering new printers or maintaining printers in a certain branch office, to specific individuals.

This is where delegated administration comes into the picture. Administrative units in Microsoft Entra ID can be used to configure rule-based permissions in your organization.

For example, you could use administrative units to let someone manage only printers within the region they support.

Prerequisites

Configure administrative units

Step 1: Create the administrative unit

Refer to Create or delete administrative units for details on the various options.

  1. Sign in to the Azure portal with a Privileged Role Administrator or Global Administrator account.
  2. Select Microsoft Entra ID > Administrative units.
  3. Select Add.
  4. In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
  5. Select Next: Assign roles >.
  6. Select Printer administrator role and then select the users or groups to assign the role to with this administrative unit scope.
  7. On the Review + create tab, review the administrative unit and any role assignments.
  8. Select the Create button.

Step 2: Assign printers to be managed by the delegated administrator

Administrative units in Microsoft Entra ID offer two ways to define the set of printers that a delegated administrator can manage: by the connector used to register the printer, or by the printer's location. Both are expressed as dynamic device membership rules:

By using dynamic printer membership rules, it is possible to assign management permissions to delegated administrators based on a set of criteria. For example, an administrator could have management permissions for all printers that are in a certain location or were registered using a certain connector.

Refer to Manage users or devices for an administrative unit with dynamic membership rules for additional details.

Note

It can take some time for the list of printers in an administrative unit to be evaluated according to dynamic device membership rules.

Delegating Admin responsibilities by Universal Print connectors

  1. After the administrative unit is initially created, go back to Administrative units.

  2. Select the created administrative unit that you want to add printers to.

  3. Select Properties.

  4. In the Membership type list, select Dynamic Device.

  5. Select Add dynamic query.

  6. Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.

  7. In the rule builder:

    Property              Operator      Value
    systemLabels          Contains      PrinterStandard
    extensionAttribute2   Starts With   <connector naming schema>

Tip

Take note of the "Property" fields and values used in the dynamic query rule. These will be needed later on in the deployment process.

Delegating Admin responsibilities by printer location

  1. After the administrative unit is initially created, go back to Administrative units.

  2. Select the created administrative unit that you want to add printers to.

  3. Select Properties.

  4. In the Membership type list, select Dynamic Device.

  5. Select Add dynamic query.

  6. Use the rule builder to specify the dynamic membership rule. For more information, see Rule builder in the Azure portal.

  7. In the rule builder:

    Property              Operator      Value
    systemLabels          Contains      PrinterStandard
    extensionAttribute3   Contains      USA

Tip

Take note of the "Property" fields and values used in the dynamic query rule. These will be needed later on in the deployment process.
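The portal steps in Step 1 and Step 2 can also be scripted. The following is an added example, not a script from the original article: it creates the administrative unit with the connector-based dynamic device rule using the Microsoft Graph PowerShell SDK, then assigns the Printer Administrator role scoped to that unit. It assumes the administrativeUnit membershipType, membershipRule and membershipRuleProcessingState properties are available on the Graph endpoint your SDK version targets, and that $delegateObjectId, $auName and $connectorPrefix are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): creates the administrative unit
# from Step 1 and the dynamic device membership rule from Step 2 with the
# Microsoft Graph PowerShell SDK instead of the portal, then scopes the
# Printer Administrator role to that unit.
#
# Assumptions (not stated on the page): the administrativeUnit membershipRule /
# membershipType / membershipRuleProcessingState properties are available on the
# Graph endpoint your SDK version targets, and $delegateObjectId is the object ID
# of the user or group that should become the scoped Printer Administrator.
$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$auName           = "Universal Print - Seattle connector"                 # example name
$connectorPrefix  = "SEA-UPCONN"                                          # example connector naming schema
$delegateObjectId = "<object id of the delegated admin user or group>"    # placeholder

# Dynamic device membership rule equivalent to the rule-builder rows in
# "Delegating Admin responsibilities by Universal Print connectors":
#   systemLabels         Contains      PrinterStandard
#   extensionAttribute2  Starts With   <connector naming schema>
# The same shape with (device.extensionAttribute3 -contains "USA") gives the
# location-based rule from the next section. The attribute names here must be
# the ones the sync script writes, otherwise the unit stays empty.
$membershipRule = "(device.systemLabels -contains ""PrinterStandard"") and (device.extensionAttribute2 -startsWith ""$connectorPrefix"")"

$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName                   = $auName
    description                   = "Printers registered through connectors named $connectorPrefix*"
    membershipType                = "Dynamic"
    membershipRule                = $membershipRule
    membershipRuleProcessingState = "On"     # "Paused" would stop rule evaluation
}
Write-Host "Created administrative unit $($au.DisplayName) ($($au.Id))"

# Look the role up by display name rather than hard-coding its template ID.
$printerAdminRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Printer Administrator'"
if (-not $printerAdminRole) { throw "Printer Administrator role definition not found" }

# directoryScopeId limits the assignment to objects inside the unit.
# A scope of "/" would instead grant the role tenant-wide.
$assignment = New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
    principalId      = $delegateObjectId
    roleDefinitionId = $printerAdminRole.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
}
Write-Host "Assigned Printer Administrator scoped to $($au.DisplayName): $($assignment.Id)"
```

The role assignment is the part worth reviewing most carefully: the difference between a delegated and a tenant-wide Printer Administrator is entirely the directoryScopeId, so an assignment accidentally created with "/" grants every permission in the tenant-admin column of the comparison table further down.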

Sync Printer Properties

Universal Print's integration with Azure AD device objects and administrative units provides a lot of flexibility and customization in how the Printer Administrator role can be delegated. By leveraging the Azure AD device object's "extensionAttributeX" properties, organizations can pick and choose the combination of printer metadata used to define the different printer administrator scopes.

To support this flexibility, periodic syncing of printer metadata from Universal Print to Azure AD is required. This can be done by executing a script, such as the following sample, or any other form of automation.

The following sample provides a starting reference. Modify the script to meet your own deployment needs.

Sample PowerShell Script

$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "Printer.Read.All"

$tenantId = (Get-MgContext).TenantId
Write-Host "Starting processing of Universal Print printers in tenant $tenantId"

# This streams pages of printers and does not require them to all be loaded at once.
Get-MgPrintPrinter -All -ExpandProperty "connectors" | ForEach-Object -Process {
    $printer = $_

    Write-Host "Fetching Azure AD device for printer $($printer.DisplayName)"
    $device = Get-MgDevice -Filter "deviceId eq '$($printer.Id)'" -Top 1
    if (-not $device) {
        # No device object matches this printer. Skip it rather than calling
        # Update-MgDevice with an empty ID, which would abort the run under "Stop".
        Write-Warning "No Azure AD device found for printer $($printer.DisplayName) ($($printer.Id)); skipping"
        return
    }

    # The display name of the Azure AD device is set to the initial display name
    # of the printer. This sets extensionAttribute1 to the current name.
    $extensionAttribute1 = "$($printer.DisplayName)"

    # If the printer was registered with the Universal Print connector then the
    # display name of the connector will be present in extensionAttribute2.
    $extensionAttribute2 = "$($printer.Connectors[0].DisplayName)"

    # If the printer has a country or region set in its location properties it
    # will be set to extensionAttribute3. Other location properties can be used
    # as well.
    $extensionAttribute3 = "$($printer.Location.CountryOrRegion)"

    # Only write when something changed, to avoid a directory update per printer on every run.
    $existingExtensionAttributes = $device.AdditionalProperties.extensionAttributes
    if ($extensionAttribute1 -ne "$($existingExtensionAttributes.extensionAttribute1)" -or
        $extensionAttribute2 -ne "$($existingExtensionAttributes.extensionAttribute2)" -or
        $extensionAttribute3 -ne "$($existingExtensionAttributes.extensionAttribute3)")
    {
        Write-Host "Updating Azure AD device extension attributes for printer $($printer.DisplayName)"
        Update-MgDevice -DeviceId $device.Id -BodyParameter @{
            "extensionAttributes" = @{
                "extensionAttribute1" = $extensionAttribute1
                "extensionAttribute2" = $extensionAttribute2
                "extensionAttribute3" = $extensionAttribute3
            }
        }
    }
}

Note

Execution of this sample script requires the user account to be either

  • A "Windows 365 Administrator" and "Printer Administrator"
  • Or, a "Global Administrator"
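Because dynamic membership is evaluated asynchronously and the rule only works if the synced attribute values match it, it is worth verifying the unit's contents before handing the scope to a delegated administrator. The following is an added example, not a script from the original article: it compares the printers that should match a connector-based rule with the device members actually present in the administrative unit. It assumes $auId is the ID of a dynamic unit whose rule is device.extensionAttribute2 -startsWith $connectorPrefix, that the sync script above has populated extensionAttribute2, and that device members returned by Get-MgDirectoryAdministrativeUnitMember expose their deviceId in AdditionalProperties.

```powershell
# Added example (not from the original article): after the sync script has run,
# verify that the dynamic administrative unit contains the printers you expect.
#
# Assumptions (not stated on the page): $auId is the ID of a dynamic
# administrative unit whose rule is
#   (device.extensionAttribute2 -startsWith "<connector prefix>")
# and device members returned by Get-MgDirectoryAdministrativeUnitMember expose
# their deviceId and displayName in AdditionalProperties.
$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All", "Device.Read.All", "Printer.Read.All"

$auId            = "<administrative unit id>"   # placeholder
$connectorPrefix = "SEA-UPCONN"                 # must be the same value used in the rule

# Expected set: printers whose registering connector name starts with the prefix,
# keyed by printer ID (which the sync script relies on equalling the device's deviceId).
$expected = @{}
Get-MgPrintPrinter -All -ExpandProperty "connectors" | ForEach-Object {
    $connectorName = "$($_.Connectors[0].DisplayName)"
    if ($connectorName.StartsWith($connectorPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        $expected[$_.Id] = $_.DisplayName
    }
}

# Actual set: device members currently in the administrative unit, keyed by deviceId.
$actual = @{}
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId -All | ForEach-Object {
    $props = $_.AdditionalProperties
    if ($props['@odata.type'] -eq '#microsoft.graph.device' -and $props['deviceId']) {
        $actual[$props['deviceId']] = $props['displayName']
    }
}

$missing = @($expected.Keys | Where-Object { -not $actual.ContainsKey($_) })
$extra   = @($actual.Keys   | Where-Object { -not $expected.ContainsKey($_) })

Write-Host "Expected $($expected.Count) printer(s); unit currently contains $($actual.Count) device(s)"
foreach ($id in $missing) {
    # Either the rule has not been evaluated yet, or extensionAttribute2 was never synced for this printer.
    Write-Warning "Not yet in unit: $($expected[$id]) ($id)"
}
foreach ($id in $extra) {
    # A device matched the rule without being a matching printer: the delegated scope is wider than intended.
    Write-Warning "Unexpected member: $($actual[$id]) ($id)"
}
if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    Write-Host "Administrative unit membership matches expectations"
}
```

Of the two warnings, "Unexpected member" is the one to treat as a finding rather than a timing issue: a delegated Printer Administrator can manage every device in the unit, so an over-broad rule (for example a prefix that also matches another region's connectors) silently widens their scope.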

Delegated administrator vs. Tenant administrator

Delegated and tenant administrator permissions differ beyond just which printers can be managed. The following table summarizes the similarities and differences:

Admin Action                      Printer Admin Role   Scoped Printer Admin ¹
Register Printer                  Yes                  Yes ²
Register Connector                Yes                  Yes ²
Unregister Printer                Yes                  Yes
Unregister Connector              Yes                  No
List Printers                     Yes                  Yes ³
List Printer Shares               Yes                  Yes ³
List Connectors                   Yes                  Yes ³
Printer Properties                Yes                  Yes ³
Printer Share Properties          Yes                  Yes ³
Sharing Printer                   Yes                  Yes
Printer Access Control            Yes                  Yes
Swap Printer Share                Yes                  Yes
View Job Status in Print Queue    Yes                  Yes
Document Conversion               Yes                  No
Usage and Reports                 Yes                  No

Note:

  1. Scoped admins can only manage the set of printer(s) defined in the administrative unit configuration, unless otherwise specified.
  2. Scoped admins can perform the action on any printer or connector.
  3. Scoped admins see all printers, printer shares, and connectors, but are limited to read-only access to those outside of the Azure AU configuration.

See also