Manage administrative units in Azure Active Directory

For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope that's limited to one or more administrative units.

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Add an administrative unit

You can add an administrative unit by using either the Azure portal or PowerShell.

Azure portal

  1. In the Azure portal, go to Azure AD. Then, on the left pane, select Administrative units.

    Screenshot of the "Administrative units" link in Azure AD.

  2. Select the Add button at the upper part of the pane, and then, in the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.

    Screenshot showing the Add button and the Name box for entering the name of the administrative unit.

  3. Select the blue Add button to finalize the administrative unit.

PowerShell

# Sign in to the tenant, then create the administrative unit.
Connect-AzureAD
New-AzureADMSAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"

You can modify the values that are enclosed in quotation marks, as required.

Microsoft Graph API

Request

POST /administrativeUnits

Body

{
  "displayName": "North America Operations",
  "description": "North America Operations administration"
}

Remove an administrative unit

In Azure AD, you can remove an administrative unit that you no longer need as a unit of scope for administrative roles.

Azure portal

  1. In the Azure portal, go to Azure AD, and then select Administrative units.
  2. Select the administrative unit to be deleted, and then select Delete.
  3. To confirm that you want to delete the administrative unit, select Yes. The administrative unit is deleted.

Screenshot of the administrative unit Delete button and confirmation window.

PowerShell

# Look up the administrative unit by display name, then delete it by ID.
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADMSAdministrativeUnit -Id $adminUnitObj.Id

You can modify the values that are enclosed in quotation marks, as required for the specific environment.
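
The following is an added example, not part of the original article or Microsoft's own code. It wraps the lookup-and-delete steps above so that the deletion runs only when the display-name filter matches exactly one administrative unit, and it reports the unit's member count and scoped role assignment count first. The function name Remove-AdminUnitChecked is hypothetical; the example assumes a connected session and an AzureAD module version that includes Get-AzureADMSAdministrativeUnitMember and Get-AzureADMSScopedRoleMembership.

```powershell
# Added example. Remove-AdminUnitChecked is a hypothetical helper name.
# Assumes Connect-AzureAD has already been run in this session.
function Remove-AdminUnitChecked {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string] $DisplayName
    )

    # Double any single quote so the name cannot break out of the OData filter.
    $escaped = $DisplayName.Replace("'", "''")
    $units = @(Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$escaped'")

    # Continue only when exactly one unit matches.
    if ($units.Count -eq 0) {
        throw "No administrative unit named '$DisplayName' was found."
    }
    if ($units.Count -gt 1) {
        $ids = ($units | ForEach-Object { $_.Id }) -join ', '
        throw "Several administrative units are named '$DisplayName': $ids"
    }
    $unit = $units[0]

    # Count what is scoped to the unit so the deletion can be reviewed first.
    $members = @(Get-AzureADMSAdministrativeUnitMember -Id $unit.Id -All $true)
    $scoped  = @(Get-AzureADMSScopedRoleMembership -Id $unit.Id)

    $summary = [pscustomobject]@{
        Id                    = $unit.Id
        DisplayName           = $unit.DisplayName
        MemberCount           = $members.Count
        ScopedRoleAssignments = $scoped.Count
        Removed               = $false
    }

    # -WhatIf reports the target without deleting; otherwise confirmation is requested.
    if ($PSCmdlet.ShouldProcess("$($unit.DisplayName) ($($unit.Id))", 'Remove administrative unit')) {
        Remove-AzureADMSAdministrativeUnit -Id $unit.Id
        $summary.Removed = $true
    }
    $summary
}

# Dry run against the display name used in the snippet above.
Remove-AdminUnitChecked -DisplayName 'DeleteMe Admin Unit' -WhatIf
```

Run it with -WhatIf first and review the returned counts; drop -WhatIf to be prompted before the unit is actually removed.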

Microsoft Graph API

Request

DELETE /administrativeUnits/{admin-unit-id}

Body

{}
