Object owners

Directory objects like groups and Organizational Units can have an owner. Natively, on-premises AD objects can have one owner whereas Azure AD objects can have multiple owners. However, Adaxes enables you to assign multiple owners to any object from any managed domain.

For all intents and purposes, all object owners are equal. For example, if a security role grants rights over a specific group to the Owner (Managed By) security principal, all owners of that group will have equal rights. If an operation is sent for approval to owners of an object, all owners can approve it. Although owners are equal, Adaxes handles them slightly differently for on-premises domains and Azure AD domains.

On-premises Active Directory

Adaxes defines a primary owner and secondary owners for objects from on-premises domains.

  • The primary owner is stored in the managedBy property in Active Directory. In Adaxes, the property display name is Managed By (Primary).
  • Secondary owners are stored in Adaxes and can be accessed only from Adaxes. They are stored in the adm-ManagedByList property whose display name is Managed By.

The adm-Owners calculated property can be used to get both primary and secondary owners of an object at the same time. The property is read-only.

Because the primary owner is stored in AD, native AD restrictions on who can be an owner of an object apply. For instance, the object and its owner must be from the same forest. Secondary owners are stored in Adaxes, so you have a greater degree of freedom – any user or group can be a secondary owner of any object, regardless of which domain or even forest they are from.
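Since secondary owners exist only in Adaxes yet count as full owners, an ownership review that reads only managedBy from AD will miss them. The following added example (not Adaxes code) models the primary-plus-secondary owner set and lists the owners such a review would not see. The export record layout, the "forest" and "type" fields, and all sample names are assumptions constructed for illustration.

```python
# Added example, not Adaxes code. Record layout and the "forest"/"type" fields
# are assumptions; managedBy and adm-ManagedByList are the names from the page.

SAMPLE_EXPORT = [  # constructed sample data
    {"name": "CN=Finance Admins,OU=Groups,DC=corp,DC=example",
     "forest": "corp.example",
     "managedBy": {"name": "alice", "type": "user", "forest": "corp.example"},
     "adm-ManagedByList": [
         {"name": "bob", "type": "user", "forest": "corp.example"},
         {"name": "Helpdesk", "type": "group", "forest": "partner.example"}]},
    {"name": "OU=Branch,DC=corp,DC=example",
     "forest": "corp.example",
     "managedBy": {"name": "carol", "type": "user", "forest": "corp.example"},
     "adm-ManagedByList": []},
    {"name": "CN=Legacy App,OU=Groups,DC=corp,DC=example",
     "forest": "corp.example",
     "managedBy": None,  # no primary owner set in AD
     "adm-ManagedByList": [
         {"name": "alice", "type": "user", "forest": "corp.example"}]},
]


def effective_owners(obj):
    """Primary plus secondary owners, de-duplicated, primary first."""
    owners, seen = [], set()
    primary = [obj["managedBy"]] if obj.get("managedBy") else []
    for o in primary + obj.get("adm-ManagedByList", []):
        key = (o["name"].lower(), o["forest"].lower())
        if key not in seen:
            seen.add(key)
            owners.append(o)
    return owners


def review(export):
    """Return (object, owner, reason) for owners a managedBy-only audit misses."""
    findings = []
    for obj in export:
        primary = obj.get("managedBy")
        for o in effective_owners(obj):
            if o is primary:
                continue  # visible to native AD tools, nothing to report
            reason = "secondary-only"
            if o["forest"].lower() != obj["forest"].lower():
                reason = "secondary-cross-forest"
            findings.append((obj["name"], o["name"], reason))
    return findings
```

Calling review(SAMPLE_EXPORT) reports bob and the cross-forest Helpdesk group on the first object and alice on the third, which has no managedBy value at all.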

Azure AD

All owners are stored directly in Azure AD. In Adaxes, owners of an object can be accessed via the adm-ManagedByList property of that object. The property display name is Managed By.

Because of Azure AD restrictions, only users can be assigned as owners of Microsoft 365 and Security groups. Distribution and Mail-enabled security groups, however, can be owned by users or groups.

Adaxes allows you to create Organizational Units for Azure AD domains. These OUs are stored in Adaxes, and therefore can be owned by any user or group from any domain managed by Adaxes.

Synchronized objects

In hybrid environments, where objects are synchronized between on-premises AD and Azure AD, there are additional limitations on assigning object owners.

If an Azure AD group is synchronized with on-premises AD:

  • Owners can be assigned only if the group is mail-enabled in Exchange.
  • Only users can be assigned as owners of such groups.