Directory objects like groups and organizational units can have an owner. Natively, Active Directory objects can have one owner whereas Microsoft Entra objects can have multiple owners. However, Adaxes enables you to assign multiple owners to any object from any managed domain.
For all intents and purposes, all object owners are equal. For example, if a security role grants rights over a specific group to the Owner (Managed By) security principal, all owners of that group will have equal rights. If an operation is sent for approval to owners of an object, all owners can approve it. Although owners are equal, Adaxes handles them slightly differently for Active Directory domains and Microsoft Entra domains.
Adaxes defines a primary owner and secondary owners for objects from Active Directory domains.
- The primary owner is stored in the managedBy property in Active Directory. In Adaxes, the property display name is Managed By (Primary).
- Secondary owners are stored in Adaxes and can be accessed only from Adaxes. They are stored in the adm-ManagedByList property whose display name is Managed By.
The adm-Owners calculated property can be used to get both, primary and secondary owners of an object at the same time. The property is read-only.
Because the primary owner is stored in AD, native AD restrictions of who can be an owner of an object apply. For instance, the object and its owner must be from the same forest. Secondary owners are stored in Adaxes hence you have a greater degree of freedom – any user or group can be a secondary owner of any object, regardless of which domain or even forest they are from.
All owners are stored directly in Microsoft Entra ID. In Adaxes, owners of an object can be accessed via the adm-ManagedByList property of that object. The property display name is Managed By.
Because of Microsoft Entra ID restrictions, only users can be assigned as owners of Microsoft 365 and Security groups. Distribution and Mail-enabled security groups however, can be owned by users or groups.
Adaxes allows you to create organizational units for Microsoft Entra domains. These OUs are stored in Adaxes, and therefore can be owned by any user or group from any domain managed by Adaxes.
In hybrid environments, where objects are synchronized between Active Directory and Microsoft Entra ID, there are additional limitations on assigning object owners.
If a Microsoft Entra group is synchronized with Active Directory:
- Owners can be assigned only if the group is mail-enabled in Exchange.
- Only users can be assigned as owners of such groups.