Assign Microsoft Entra roles with administrative unit scope
In Microsoft Entra ID, for more granular administrative control, you can assign a Microsoft Entra role with a scope that's limited to one or more administrative units. When a Microsoft Entra role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and don't apply to tenant-wide settings or configurations.
For example, an administrator who is assigned the Groups Administrator role at the scope of an administrative unit can manage groups that are members of the administrative unit, but they can't manage other groups in the tenant. They also can't manage tenant-level settings related to groups, such as expiration or group naming policies.
This article describes how to assign Microsoft Entra roles with administrative unit scope.
Prerequisites
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- Privileged Role Administrator
- Microsoft Graph PowerShell module when using PowerShell
For more information, see Prerequisites to use PowerShell.
Roles that can be assigned with administrative unit scope
The following Microsoft Entra roles can be assigned with administrative unit scope. Additionally, any custom role can be assigned with administrative unit scope as long as the custom role's permissions include at least one permission relevant to users, groups, or devices.
Role | Description |
---|---|
Authentication Administrator | Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only. |
Cloud Device Administrator | Limited access to manage devices in Microsoft Entra ID. |
Groups Administrator | Can manage all aspects of groups in the assigned administrative unit only. |
Helpdesk Administrator | Can reset passwords for non-administrators in the assigned administrative unit only. |
License Administrator | Can assign, remove, and update license assignments within the administrative unit only. |
Password Administrator | Can reset passwords for non-administrators within the assigned administrative unit only. |
Printer Administrator | Can manage printers and printer connectors. For more information, see Delegate administration of printers in Universal Print. |
Privileged Authentication Administrator | Can access to view, set and reset authentication method information for any user (admin or non-admin). |
SharePoint Administrator | Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites. |
Teams Administrator | Can manage Microsoft 365 groups in the assigned administrative unit only. Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only. Cannot use the Teams admin center. |
Teams Devices Administrator | Can perform management related tasks on Teams certified devices. |
User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. Cannot currently manage users' profile photographs. |
<Custom role> | Can perform actions that apply to users, groups, or devices, according to the definition of the custom role. |
Certain role permissions apply only to non-administrator users when assigned with the scope of an administrative unit. In other words, administrative unit scoped Helpdesk Administrators can reset passwords for users in the administrative unit only if those users don't have administrator roles. The following list of permissions are restricted when the target of an action is another administrator:
- Read and modify user authentication methods, or reset user passwords
- Modify sensitive user properties such as telephone numbers, alternate email addresses, or Open Authorization (OAuth) secret keys
- Delete or restore user accounts
Security principals that can be assigned with administrative unit scope
The following security principals can be assigned to a role with an administrative unit scope:
- Users
- Microsoft Entra role-assignable groups
- Service principals
Service principals and guest users
Service principals and guest users won't be able to use a role assignment scoped to an administrative unit unless they're also assigned corresponding permissions to read the objects. This is because service principals and guest users don't receive directory read permissions by default, which are required to perform administrative actions. To enable a service principal or guest user to use a role assignment scoped to an administrative unit, you must assign the Directory Readers role (or another role that includes read permissions) at a tenant scope.
It isn't currently possible to assign directory read permissions scoped to an administrative unit. For more information about default permissions for users, see default user permissions.
Assign a role with an administrative unit scope
You can assign a Microsoft Entra role with an administrative unit scope by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph.
Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit that you want to assign a user role scope to.
On the left pane, select Roles and administrators to list all the available roles.
Select the role to be assigned, and then select Add assignments.
On the Add assignments pane, select one or more users to be assigned to the role.
Note
To assign a role on an administrative unit by using Microsoft Entra Privileged Identity Management (PIM), see Assign Microsoft Entra roles in PIM.
PowerShell
Use the New-MgRoleManagementDirectoryRoleAssignment command and the DirectoryScopeId
parameter to assign a role with administrative unit scope.
$user = Get-MgUser -Filter "userPrincipalName eq 'Example_UPN'"
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Example_role_name'"
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
$directoryScope = '/administrativeUnits/' + $adminUnit.Id
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScope `
-PrincipalId $user.Id -RoleDefinitionId $roleDefinition.Id
Microsoft Graph API
Use the Add a scopedRoleMember API to assign a role with administrative unit scope.
Request
POST /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers
Body
{
"roleId": "roleId-value",
"roleMemberInfo": {
"id": "id-value"
}
}
List role assignments with administrative unit scope
You can view a list of Microsoft Entra role assignments with administrative unit scope by using the Microsoft Entra admin center, PowerShell, or Microsoft Graph.
Microsoft Entra admin center
You can view all the role assignments created with an administrative unit scope in the Admin units section of the Microsoft Entra admin center.
Sign in to the Microsoft Entra admin center.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit for the list of role assignments you want to view.
Select Roles and administrators, and then open a role to view the assignments in the administrative unit.
PowerShell
Use the Get-MgDirectoryAdministrativeUnitScopedRoleMember command to list role assignments with administrative unit scope.
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $adminUnit.Id | FL *
Microsoft Graph API
Use the List scopedRoleMembers API to list role assignments with administrative unit scope.
Request
GET /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers
Body
{}