Manage administrative units in Azure Active Directory

For more granular administrative control in Azure Active Directory (Azure AD), you can assign users to an Azure AD role with a scope that's limited to one or more administrative units.

Get started

  1. To run the Microsoft Graph queries in the following instructions from Graph Explorer:

    a. In the Azure portal, go to Azure AD.

    b. In the applications list, select Graph explorer.

    c. On the Permissions pane, select Grant admin consent for Graph explorer.

  2. Use Azure AD PowerShell.

Add an administrative unit

You can add an administrative unit by using the Azure portal, PowerShell, or Microsoft Graph.

Use the Azure portal

  1. In the Azure portal, go to Azure AD. Then, on the left pane, select Administrative units.

  2. Select the Add button at the top of the pane, and then, in the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.

  3. Select the blue Add button to finalize the administrative unit.

Use PowerShell

Install Azure AD PowerShell before you try to run the following commands:

Connect-AzureAD
New-AzureADMSAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"

You can modify the values that are enclosed in quotation marks, as required.

Use Microsoft Graph

HTTP request
POST /administrativeUnits
Request body
{
  "displayName": "North America Operations",
  "description": "North America Operations administration"
}

Remove an administrative unit

In Azure AD, you can remove an administrative unit that you no longer need as a unit of scope for administrative roles.

Use the Azure portal

  1. In the Azure portal, go to Azure AD, and then select Administrative units.
  2. Select the administrative unit to be deleted, and then select Delete.
  3. To confirm that you want to delete the administrative unit, select Yes. The administrative unit is deleted.

Use PowerShell

$delau = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADMSAdministrativeUnit -ObjectId $delau.ObjectId

You can modify the values that are enclosed in quotation marks, as required for the specific environment.
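
The PowerShell create and delete steps above, combined into an added example that is not part of the original page: it creates a unit only when no unit with that display name exists, and it deletes only when the filter matches exactly one unit. The function names are hypothetical; the cmdlet, parameter and property names are the ones used in this page's snippets.

```powershell
# Added example (not from the original page). Run Connect-AzureAD first.
# Cmdlets, -Filter, -ObjectId and .ObjectId follow the snippets on this page;
# the function names below are hypothetical.

function Get-AdminUnitByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Double any single quote so the name stays inside the OData string literal.
    $escaped = $DisplayName.Replace("'", "''")
    Get-AzureADMSAdministrativeUnit -Filter "displayname eq '$escaped'"
}

function New-AdminUnitIfMissing {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Description
    )
    $existing = @(Get-AdminUnitByName -DisplayName $DisplayName)
    if ($existing.Count -gt 0) {
        # Reuse the existing unit instead of creating a second one with the same name.
        Write-Warning "Administrative unit '$DisplayName' already exists; not creating another."
        return $existing[0]
    }
    New-AzureADMSAdministrativeUnit -DisplayName $DisplayName -Description $Description
}

function Remove-AdminUnitByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $found = @(Get-AdminUnitByName -DisplayName $DisplayName)
    if ($found.Count -ne 1) {
        # Zero matches: nothing to delete. Several matches: ambiguous, so delete none.
        throw "Expected exactly one administrative unit named '$DisplayName', found $($found.Count). Nothing was deleted."
    }
    Remove-AzureADMSAdministrativeUnit -ObjectId $found[0].ObjectId
    Write-Output "Deleted administrative unit '$DisplayName' ($($found[0].ObjectId))."
}

# Sample values reused from the page's own snippets.
New-AdminUnitIfMissing -DisplayName "West Coast" -Description "West Coast region"
Remove-AdminUnitByName -DisplayName "DeleteMe Admin Unit"
```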

Use the Graph API

HTTP request
DELETE /administrativeUnits/{Admin id}
Request body
{}

Next steps