Create or delete administrative units

Important

Restricted management administrative units are currently in PREVIEW. See the Product Terms for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Administrative units let you subdivide your organization into any unit that you want, and then assign specific administrators that can manage only the members of that unit. For example, you could use administrative units to delegate permissions to administrators of each school at a large university, so they could control access, manage users, and set policies only in the School of Engineering.

This article describes how to create or delete administrative units to restrict the scope of role permissions in Microsoft Entra ID.

Prerequisites

  • Microsoft Entra ID P1 or P2 license for each administrative unit administrator
  • Microsoft Entra ID Free licenses for administrative unit members
  • Privileged Role Administrator role
  • Microsoft Graph PowerShell module when using PowerShell

For more information, see Prerequisites to use PowerShell.

Create an administrative unit

You can create a new administrative unit by using the Microsoft Entra admin center, Microsoft Entra PowerShell, or Microsoft Graph. The steps below use Microsoft Graph PowerShell.

Use the Connect-MgGraph command to sign in to your tenant and consent to the required permissions.

Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "AdministrativeUnit.ReadWrite.All"

Use the New-MgDirectoryAdministrativeUnit command to create a new administrative unit.

$params = @{
    DisplayName = "Seattle District Technical Schools"
    Description = "Seattle district technical schools administration"
    Visibility = "HiddenMembership"
}
$adminUnitObj = New-MgDirectoryAdministrativeUnit -BodyParameter $params

Use the New-MgBetaDirectoryAdministrativeUnit command to create a new restricted management administrative unit. Set the IsMemberManagementRestricted property to $true.

$params = @{
    DisplayName = "Contoso Executive Division"
    Description = "Contoso Executive Division administration"
    Visibility = "HiddenMembership"
    IsMemberManagementRestricted = $true
}
$restrictedAU = New-MgBetaDirectoryAdministrativeUnit -BodyParameter $params

Delete an administrative unit

In Microsoft Entra ID, you can delete an administrative unit that you no longer need as a unit of scope for administrative roles. Before you delete the administrative unit, you should remove any role assignments with that administrative unit scope.
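The cleanup described above, enumerating role assignments scoped to the unit and removing them before deleting it, as an added PowerShell example that is not part of the original article. It assumes the Connect-MgGraph session shown earlier (with the additional RoleManagement.ReadWrite.Directory scope), that the roleAssignments endpoint accepts a filter on directoryScopeId, and that YOUR_AU_ID is replaced with the real administrative unit ID.

```powershell
# Added example, not from the original article: remove every role assignment
# scoped to an administrative unit, then delete the unit. Assumes an existing
# Connect-MgGraph session (as above) that also has the
# RoleManagement.ReadWrite.Directory scope. 'YOUR_AU_ID' is a placeholder.
function Remove-ScopedAdministrativeUnit {
    param(
        [Parameter(Mandatory)] [string] $AdministrativeUnitId,
        [switch] $DryRun   # hypothetical switch: report scoped assignments, change nothing
    )

    # Assignments scoped to an AU carry directoryScopeId '/administrativeUnits/<id>'.
    # Filtering on directoryScopeId is assumed to be supported by the roleAssignments endpoint.
    $scopeId = "/administrativeUnits/$AdministrativeUnitId"
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "directoryScopeId eq '$scopeId'" -All

    if (-not $assignments) {
        Write-Host "No role assignments scoped to $scopeId."
    }

    foreach ($ra in $assignments) {
        # Resolve the role name so the log shows what delegated permission is being removed.
        $roleName = (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $ra.RoleDefinitionId).DisplayName
        Write-Host "Scoped assignment: principal $($ra.PrincipalId), role '$roleName' ($($ra.Id))"
        if (-not $DryRun) {
            Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $ra.Id
        }
    }

    if ($DryRun) { return }

    # Re-check before deleting: the unit should no longer scope any role assignment.
    $remaining = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "directoryScopeId eq '$scopeId'" -All
    if ($remaining) {
        throw "Role assignments are still scoped to $scopeId; not deleting the administrative unit."
    }
    Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $AdministrativeUnitId
    Write-Host "Deleted administrative unit $AdministrativeUnitId."
}

# Review the scoped assignments first, then perform the removal and deletion.
Remove-ScopedAdministrativeUnit -AdministrativeUnitId 'YOUR_AU_ID' -DryRun
Remove-ScopedAdministrativeUnit -AdministrativeUnitId 'YOUR_AU_ID'
```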