Assign Microsoft Entra roles with administrative unit scope

In Microsoft Entra ID, for more granular administrative control, you can assign a Microsoft Entra role with a scope that's limited to one or more administrative units. When a Microsoft Entra role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and don't apply to tenant-wide settings or configurations.

For example, an administrator who is assigned the Groups Administrator role at the scope of an administrative unit can manage groups that are members of the administrative unit, but they can't manage other groups in the tenant. They also can't manage tenant-level settings related to groups, such as expiration or group naming policies.

This article describes how to assign Microsoft Entra roles with administrative unit scope.

Prerequisites

  • Microsoft Entra ID P1 or P2 license for each administrative unit administrator
  • Microsoft Entra ID Free licenses for administrative unit members
  • Privileged Role Administrator
  • Microsoft Graph PowerShell module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Roles that can be assigned with administrative unit scope

The following Microsoft Entra roles can be assigned with administrative unit scope. Additionally, any custom role can be assigned with administrative unit scope as long as the custom role's permissions include at least one permission relevant to users, groups, or devices.

Role Description
Authentication Administrator Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only.
Cloud Device Administrator Limited access to manage devices in Microsoft Entra ID.
Groups Administrator Can manage all aspects of groups in the assigned administrative unit only.
Helpdesk Administrator Can reset passwords for non-administrators in the assigned administrative unit only.
License Administrator Can assign, remove, and update license assignments within the administrative unit only.
Password Administrator Can reset passwords for non-administrators within the assigned administrative unit only.
Printer Administrator Can manage printers and printer connectors. For more information, see Delegate administration of printers in Universal Print.
Privileged Authentication Administrator Can access to view, set and reset authentication method information for any user (admin or non-admin).
SharePoint Administrator Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites.
Teams Administrator Can manage Microsoft 365 groups in the assigned administrative unit only. Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only. Cannot use the Teams admin center.
Teams Devices Administrator Can perform management related tasks on Teams certified devices.
User Administrator Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. Cannot currently manage users' profile photographs.
<Custom role> Can perform actions that apply to users, groups, or devices, according to the definition of the custom role.

Certain role permissions apply only to non-administrator users when assigned with the scope of an administrative unit. In other words, administrative unit scoped Helpdesk Administrators can reset passwords for users in the administrative unit only if those users don't have administrator roles. The following list of permissions are restricted when the target of an action is another administrator:

  • Read and modify user authentication methods, or reset user passwords
  • Modify sensitive user properties such as telephone numbers, alternate email addresses, or Open Authorization (OAuth) secret keys
  • Delete or restore user accounts

Security principals that can be assigned with administrative unit scope

The following security principals can be assigned to a role with an administrative unit scope:

  • Users
  • Microsoft Entra role-assignable groups
  • Service principals

Service principals and guest users

Service principals and guest users won't be able to use a role assignment scoped to an administrative unit unless they're also assigned corresponding permissions to read the objects. This is because service principals and guest users don't receive directory read permissions by default, which are required to perform administrative actions. To enable a service principal or guest user to use a role assignment scoped to an administrative unit, you must assign the Directory Readers role (or another role that includes read permissions) at a tenant scope.

It isn't currently possible to assign directory read permissions scoped to an administrative unit. For more information about default permissions for users, see default user permissions.

Assign a role with an administrative unit scope

You can assign a Microsoft Entra role with an administrative unit scope by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph.

Microsoft Entra admin center

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Admin units.

  3. Select the administrative unit that you want to assign a user role scope to.

  4. On the left pane, select Roles and administrators to list all the available roles.

    Screenshot of the "Role and administrators" pane for selecting an administrative unit whose role scope you want to assign.

  5. Select the role to be assigned, and then select Add assignments.

  6. On the Add assignments pane, select one or more users to be assigned to the role.

    Select the role to scope and then select Add assignments

Note

To assign a role on an administrative unit by using Microsoft Entra Privileged Identity Management (PIM), see Assign Microsoft Entra roles in PIM.

PowerShell

Use the New-MgRoleManagementDirectoryRoleAssignment command and the DirectoryScopeId parameter to assign a role with administrative unit scope.

$user = Get-MgUser -Filter "userPrincipalName eq 'Example_UPN'"
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Example_role_name'"
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
$directoryScope = '/administrativeUnits/' + $adminUnit.Id
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScope `
   -PrincipalId $user.Id -RoleDefinitionId $roleDefinition.Id

Microsoft Graph API

Use the Add a scopedRoleMember API to assign a role with administrative unit scope.

Request

POST /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers

Body

{
  "roleId": "roleId-value",
  "roleMemberInfo": {
    "id": "id-value"
  }
}

List role assignments with administrative unit scope

You can view a list of Microsoft Entra role assignments with administrative unit scope by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph.

Microsoft Entra admin center

You can view all the role assignments created with an administrative unit scope in the Admin units section of the Microsoft Entra admin center.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity > Roles & admins > Admin units.

  3. Select the administrative unit for the list of role assignments you want to view.

  4. Select Roles and administrators, and then open a role to view the assignments in the administrative unit.

PowerShell

Use the Get-MgDirectoryAdministrativeUnitScopedRoleMember command to list role assignments with administrative unit scope.

$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $adminUnit.Id | FL *

Microsoft Graph API

Use the List scopedRoleMembers API to list role assignments with administrative unit scope.

Request

GET /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers

Body

{}

Next steps