Create or delete administrative units

Administrative units let you subdivide your organization into any unit that you want, and then assign specific administrators that can manage only the members of that unit. For example, you could use administrative units to delegate permissions to administrators of each school at a large university, so they could control access, manage users, and set policies only in the School of Engineering.

This article describes how to create or delete administrative units to restrict the scope of role permissions in Azure Active Directory (Azure AD).

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Create an administrative unit

You can create a new administrative unit by using either the Azure portal, PowerShell or Microsoft Graph.

Azure portal

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Administrative units.

    Screenshot of the Administrative units page in Azure AD.

  3. Select Add.

  4. In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.

    Screenshot showing the Add administrative unit page and the Name box for entering the name of the administrative unit.

  5. Optionally, on the Assign roles tab, select a role and then select the users to assign the role to with this administrative unit scope.

    Screenshot showing the Add assignments pane to add role assignments with this administrative unit scope.

  6. On the Review + create tab, review the administrative unit and any role assignments.

  7. Select the Create button.

PowerShell

Use the New-AzureADMSAdministrativeUnit command to create a new administrative unit.

New-AzureADMSAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"

Microsoft Graph API

Use the Create administrativeUnit API to create a new administrative unit.

Request

POST https://graph.microsoft.com/v1.0/directory/administrativeUnits

Body

{
  "displayName": "North America Operations",
  "description": "North America Operations administration"
}

Delete an administrative unit

In Azure AD, you can delete an administrative unit that you no longer need as a unit of scope for administrative roles. Before you delete the administrative unit, you should remove any role assignments with that administrative unit scope.

Azure portal

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Administrative units and then select the administrative unit you want to delete.

  3. Select Roles and administrators, and then open a role to view the role assignments.

  4. Remove all the role assignments with the administrative unit scope.

  5. Select Azure Active Directory > Administrative units.

  6. Add a check mark next to the administrative unit you want to delete.

  7. Select Delete.

    Screenshot of the administrative unit Delete button and confirmation window.

  8. To confirm that you want to delete the administrative unit, select Yes.

PowerShell

Use the Remove-AzureADMSAdministrativeUnit command to delete an administrative unit.

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADMSAdministrativeUnit -Id $adminUnitObj.Id

Microsoft Graph API

Use the Delete administrativeUnit API to delete an administrative unit.

DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}

Next steps