Add and manage groups in an administrative unit in Azure Active Directory
In Azure Active Directory (Azure AD), you can add groups to an administrative unit for a more granular administrative scope of control.
To prepare to use PowerShell and Microsoft Graph for administrative unit management, see Get started.
Add groups to an administrative unit
You can add groups to an administrative unit by using the Azure portal, PowerShell, or Microsoft Graph.
Use the Azure portal
You can assign only individual groups to an administrative unit. There is no option to assign groups as a bulk operation. In the Azure portal, you can assign a group to an administrative unit in either of two ways:
From the Groups pane:
- In the Azure portal, go to Azure AD.
- Select Groups, and then select the group that you want to assign to the administrative unit.
- On the left pane, select Administrative units to display a list of the administrative units that the group is assigned to.
- Select Assign to administrative unit.
- On the right pane, select the administrative unit.
From the Administrative units > All Groups pane:
- In the Azure portal, go to Azure AD.
- On the left pane, select Administrative units, and then select All Groups. Any groups that are already assigned to the administrative unit are displayed on the right pane.
- On the Groups pane, select Add. The right pane lists all available groups in your Azure AD organization.
- Select one or more groups to be assigned to the administrative unit, and then select the Select button.
Use PowerShell
In the following example, use the Add-AzureADMSAdministrativeUnitMember cmdlet to add the group to the administrative unit. The cmdlet takes the object ID of the administrative unit and the object ID of the group to be added as arguments. Change the filter values as required for your specific environment.
# Look up the administrative unit and the group by display name
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$GroupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
# Add the group to the administrative unit
Add-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitObj.ObjectId -RefObjectId $GroupObj.ObjectId
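The portal assigns groups one at a time, so the following added example (not part of the original article) loops the same cmdlets over several groups and skips any that are already members. It assumes Connect-AzureAD has been run, uses constructed display names, and relies on the ObjectId property and -ObjectId parameter names used in this article's snippets; -All $true is assumed to be supported by your module version.

```powershell
# Added example: assign several groups to one administrative unit, safely re-runnable.
# Display names below are constructed sample values.
$adminUnitName = 'Test administrative unit 2'
$groupNames    = @('TestGroup', 'TestGroup2', 'TestGroup3')

# Resolve the administrative unit and refuse to continue on zero or multiple matches.
$adminUnits = @(Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$adminUnitName'")
if ($adminUnits.Count -ne 1) {
    throw "Expected one administrative unit named '$adminUnitName', found $($adminUnits.Count)."
}
$auId = $adminUnits[0].ObjectId

# Collect current member IDs so already-assigned groups are skipped.
# -All $true (assumed available) pages past the default result limit.
$existingIds = @(Get-AzureADMSAdministrativeUnitMember -ObjectId $auId -All $true |
    ForEach-Object { $_.ObjectId })

$results = foreach ($name in $groupNames) {
    # Escape single quotes for the OData filter string.
    $escaped = $name.Replace("'", "''")
    $found   = @(Get-AzureADGroup -Filter "displayname eq '$escaped'")

    # Display names are not unique: act only on an unambiguous match.
    if ($found.Count -ne 1) {
        [pscustomobject]@{ Group = $name; Status = "Skipped: $($found.Count) matches" }
        continue
    }
    $groupId = $found[0].ObjectId

    if ($existingIds -contains $groupId) {
        [pscustomobject]@{ Group = $name; Status = 'Already a member' }
        continue
    }

    try {
        Add-AzureADMSAdministrativeUnitMember -ObjectId $auId -RefObjectId $groupId -ErrorAction Stop
        [pscustomobject]@{ Group = $name; Status = 'Added' }
    }
    catch {
        [pscustomobject]@{ Group = $name; Status = "Failed: $($_.Exception.Message)" }
    }
}

# One row per requested group, suitable for a change record.
$results | Format-Table -AutoSize
```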
Use Microsoft Graph
Run the following commands:
HTTP request
POST /directory/administrativeUnits/{Admin Unit id}/members/$ref
Request body
{
"@odata.id":"https://graph.microsoft.com/v1.0/groups/{id}"
}
Example:
{
"@odata.id":"https://graph.microsoft.com/v1.0/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
}
View a list of groups in an administrative unit
Use the Azure portal
In the Azure portal, go to Azure AD.
On the left pane, select Administrative units, and then select the administrative unit whose groups you want to view. By default, All users is selected on the left pane.
On the left pane, select Groups. The right pane displays a list of groups that are members of the selected administrative unit.
Use PowerShell
To display a list of all the members of the administrative unit, run the following command:
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
Get-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitObj.ObjectId
To display all the groups that are members of the administrative unit, use the following code snippet:
# Members can be users or groups; keep only the groups
foreach ($member in (Get-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitObj.ObjectId))
{
    if ($member.ObjectType -eq "Group")
    {
        Get-AzureADGroup -ObjectId $member.ObjectId
    }
}
Use Microsoft Graph
Run the following command:
HTTP request
GET /directory/administrativeUnits/{Admin id}/members/microsoft.graph.group
Request body
{}
View a list of administrative units for a group
Use the Azure portal
In the Azure portal, go to Azure AD.
On the left pane, select Groups to display a list of groups.
Select a group to open the group's profile.
On the left pane, select Administrative units to list all the administrative units where the group is a member.
Use PowerShell
Run the following command:
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $groupObjId} }
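The one-liner above answers the question for a single group. For an access review it is often more useful to build the whole mapping once, as in the following added example (not part of the original article). It assumes Connect-AzureAD has been run, reuses the ObjectId and ObjectType property names from this article's snippets, and assumes -All $true is supported by your module version.

```powershell
# Added example: report every group assigned to every administrative unit,
# then flag groups that fall under more than one unit's scoped administrators.
$report = foreach ($au in Get-AzureADMSAdministrativeUnit) {
    # -All $true (assumed available) pages past the default result limit.
    $members = @(Get-AzureADMSAdministrativeUnitMember -ObjectId $au.ObjectId -All $true)

    foreach ($member in $members) {
        # Administrative units hold users and groups; report groups only.
        if ($member.ObjectType -ne 'Group') { continue }

        $group = Get-AzureADGroup -ObjectId $member.ObjectId
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            AdminUnitId        = $au.ObjectId
            Group              = $group.DisplayName
            GroupId            = $group.ObjectId
        }
    }
}

# Full mapping, one row per (administrative unit, group) pair.
$report | Sort-Object AdministrativeUnit, Group | Format-Table -AutoSize

# Groups that are members of more than one administrative unit.
$report |
    Group-Object -Property GroupId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Group               = $_.Group[0].Group
            GroupId             = $_.Name
            AdministrativeUnits = ($_.Group.AdministrativeUnit -join '; ')
        }
    } | Format-Table -AutoSize
```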
Use Microsoft Graph
Run the following command:
GET https://graph.microsoft.com/v1.0/groups/<group-id>/memberOf/microsoft.graph.administrativeUnit
Remove a group from an administrative unit
Use the Azure portal
You can remove a group from an administrative unit in the Azure portal in either of two ways:
Remove it from a group overview:
- In the Azure portal, go to Azure AD.
- On the left pane, select Groups, and then open the profile for the group you want to remove from an administrative unit.
- On the left pane, select Administrative units to list all the administrative units that the group is assigned to.
- Select the administrative unit that you want to remove the group from, and then select Remove from administrative unit.
Remove it from an administrative unit:
- In the Azure portal, go to Azure AD.
- On the left pane, select Administrative units, and then select the administrative unit that the group is assigned to.
- On the left pane, select Groups to list all the groups that are assigned to the administrative unit.
- Select the group that you want to remove, and then select Remove groups.
Use PowerShell
Run the following command:
Remove-AzureADMSAdministrativeUnitMember -ObjectId $auId -MemberId $memberGroupObjId
Use Microsoft Graph
Run the following command:
DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/<adminunit-id>/members/<group-id>/$ref