Add users, groups, or devices to an administrative unit

Important

Administrative units support for devices is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

In Azure Active Directory (Azure AD), you can add users, groups, or devices to an administrative unit to restrict the scope of role permissions. Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. For additional details on what scoped administrators can do, see Administrative units in Azure Active Directory.

This article describes how to add users, groups, or devices to administrative units manually. For information about how to add users or devices to administrative units dynamically using rules, see Manage users or devices for an administrative unit with dynamic membership rules.

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • AzureADPreview module when using PowerShell for devices
  • Admin consent when using Graph explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

You can add users, groups, or devices to administrative units using the Azure portal. You can also add users in a bulk operation or create a new group in an administrative unit.

Add a single user, group, or device to administrative units

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory.

  3. Select one of the following:

    • Users
    • Groups
    • Devices > All devices
  4. Select the user, group, or device you want to add to administrative units.

  5. Select Administrative units.

  6. Select Assign to administrative unit.

  7. In the Select pane, select the administrative units and then select Select.

    Screenshot of the Administrative units page for adding a user to an administrative unit.

Add users, groups, or devices to a single administrative unit

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory.

  3. Select Administrative units and then select the administrative unit you want to add users, groups, or devices to.

  4. Select one of the following:

    • Users
    • Groups
    • Devices
  5. Select Add member, Add, or Add device.

  6. In the Select pane, select the users, groups, or devices you want to add to the administrative unit and then select Select.

    Screenshot of adding multiple devices to an administrative unit.

Add users to an administrative unit in a bulk operation

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory.

  3. Select Administrative units and then select the administrative unit you want to add users to.

  4. Select the administrative unit to which you want to add users.

  5. Select Users > Bulk operations > Bulk add members.

    Screenshot of the Users page for assigning users to an administrative unit as a bulk operation.

  6. In the Bulk add members pane, download the comma-separated values (CSV) template.

  7. Edit the downloaded CSV template with the list of users you want to add.

    Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.

  8. Save your changes and upload the CSV file.

    Screenshot of an edited CSV file for adding users to an administrative unit in bulk.

  9. Select Submit.

Create a new group in an administrative unit

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory.

  3. Select Administrative units and then select the administrative unit you want to create a new group in.

  4. Select Groups.

  5. Select New group and complete the steps to create a new group.

    Screenshot of the Administrative units page for creating a new group in an administrative unit.

PowerShell

Use the Add-AzureADMSAdministrativeUnitMember command to add users or groups to an administrative unit.

Use the Add-AzureADMSAdministrativeUnitMember (Preview) command to add devices to an administrative unit.

Use the New-AzureADMSAdministrativeUnitMember (Preview) to create a new group in an administrative unit. Currently, only group creation is supported with this command.

Add users to an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $userObj.ObjectId

Add groups to an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $groupObj.ObjectId

Add devices to an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$deviceObj = Get-AzureADDevice -Filter "displayname eq 'TestDevice'"
Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $deviceObj.ObjectId

Create a new group in an administrative unit

$exampleGroup = New-AzureADMSAdministrativeUnitMember -Id "<admin unit object id>" -OdataType "Microsoft.Graph.Group" -DisplayName "<Example group name>" -Description "<Example group description>" -MailEnabled $True -MailNickname "<examplegroup>" -SecurityEnabled $False -GroupTypes @("Unified")

Microsoft Graph API

Use the Add a member API to add users or groups to an administrative unit.

Use the Add a member (Beta) API to add devices to an administrative unit or create a new group in an administrative unit.

Add users to an administrative unit

Request

POST https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$ref

Body

{
    "@odata.id":"https://graph.microsoft.com/v1.0/users/{user-id}"
}

Example

{
    "@odata.id":"https://graph.microsoft.com/v1.0/users/john@example.com"
}

Add groups to an administrative unit

Request

POST https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$ref

Body

{
    "@odata.id":"https://graph.microsoft.com/v1.0/groups/{group-id}"
}

Example

{
    "@odata.id":"https://graph.microsoft.com/v1.0/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
}

Add devices to an administrative unit

Request

POST https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/$ref

Body

{
    "@odata.id":"https://graph.microsoft.com/beta/devices/{device-id}"
}

Create a new group in an administrative unit

Request

POST https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/

Body

{
    "@odata.type": "#Microsoft.Graph.Group",
    "description": "{Example group description}",
    "displayName": "{Example group name}",
    "groupTypes": [
        "Unified"
    ],
    "mailEnabled": true,
    "mailNickname": "{examplegroup}",
    "securityEnabled": false
}

Next steps