Add users, groups, or devices to an administrative unit
In Microsoft Entra ID, you can add users, groups, or devices to an administrative unit to limit the scope of role permissions. Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. For additional details on what scoped administrators can do, see Administrative units in Microsoft Entra ID.
This article describes how to add users, groups, or devices to administrative units manually.
Prerequisites
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- To add existing users, groups, or devices:
- Privileged Role Administrator
- To create new groups:
- Groups Administrator (scoped to the administrative unit or entire directory)
- Microsoft Graph PowerShell
For more information, see Prerequisites to use PowerShell.
Microsoft Entra admin center
You can add users, groups, or devices to administrative units using the Microsoft Entra admin center. You can also add users in a bulk operation or create a new group in an administrative unit.
Add a single user, group, or device to administrative units
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity.
Browse to one of the following:
- Users > All users
- Groups > All groups
- Devices > All devices
Select the user, group, or device you want to add to administrative units.
Select Administrative units.
Select Assign to administrative unit.
In the Select pane, select the administrative units and then select Select.
Add users, groups, or devices to a single administrative unit
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit you want to add users, groups, or devices to.
Select one of the following:
- Users
- Groups
- Devices
Select Add member, Add, or Add device.
In the Select pane, select the users, groups, or devices you want to add to the administrative unit and then select Select.
Add users to an administrative unit in a bulk operation
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit you want to add users to.
Select Users > Bulk operations > Bulk add members.
In the Bulk add members pane, download the comma-separated values (CSV) template.
Edit the downloaded CSV template with the list of users you want to add.
Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.
Save your changes and upload the CSV file.
Select Submit.
Create a new group in an administrative unit
Sign in to the Microsoft Entra admin center as at least a Groups Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit you want to create a new group in.
Select Groups.
Select New group and complete the steps to create a new group.
PowerShell
Use the New-MgDirectoryAdministrativeUnitMemberByRef command to add user, groups, or devices to an administrative unit or create a new group in an administrative unit.
Add users to an administrative unit
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '{admin-unit-id}'"
$userObj = Get-MgUser -Filter "UserPrincipalName eq '{user-principal-name}'"
$odataId = "https://microsoftgraph.chinacloudapi.cn/v1.0/users/" + $userObj.Id
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -OdataId $odataId
Add groups to an administrative unit
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '{admin-unit-id}'"
$groupObj = Get-MgGroup -Filter "DisplayName eq 'group-name'"
$odataId = "https://microsoftgraph.chinacloudapi.cn/v1.0/groups/" + $groupObj.Id
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -OdataId $odataId
Add devices to an administrative unit
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '{admin-unit-id}'"
$odataId = "https://microsoftgraph.chinacloudapi.cn/v1.0/devices/{device-id}"
New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -OdataId $odataId
Create a new group in an administrative unit
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '{admin-unit-id}'"
$params = @{
"@odata.type" = "#microsoft.graph.group"
description = "{group-description}"
displayName = "{group-name}"
groupTypes = @(
"Unified"
)
mailEnabled = $false
mailNickname = "{group-name}"
securityEnabled = $true
}
New-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $adminUnitObj.Id -BodyParameter $params
Microsoft Graph API
Use the Add a member API to add users, groups, or devices to an administrative unit or create a new group in an administrative unit.
Add users to an administrative unit
Request
POST https://microsoftgraph.chinacloudapi.cn/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$ref
Body
{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/users/{user-id}"
}
Example
{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/users/john@example.com"
}
Add groups to an administrative unit
Request
POST https://microsoftgraph.chinacloudapi.cn/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$ref
Body
{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/groups/{group-id}"
}
Example
{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/groups/871d21ab-6b4e-4d56-b257-ba27827628f3"
}
Add devices to an administrative unit
Request
POST https://microsoftgraph.chinacloudapi.cn/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$ref
Body
{
"@odata.id":"https://microsoftgraph.chinacloudapi.cn/v1.0/devices/{device-id}"
}
Create a new group in an administrative unit
Request
POST https://microsoftgraph.chinacloudapi.cn/v1.0/directory/administrativeUnits/{admin-unit-id}/members/
Body
{
"@odata.type": "#Microsoft.Graph.Group",
"description": "{Example group description}",
"displayName": "{Example group name}",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"mailNickname": "{examplegroup}",
"securityEnabled": false
}