Create or delete administrative units

Article
2025-01-24

Important

Restricted management administrative units are currently in PREVIEW. See the Product Terms for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Administrative units let you subdivide your organization into any unit that you want, and then assign specific administrators that can manage only the members of that unit. For example, you could use administrative units to delegate permissions to administrators of each school at a large university, so they could control access, manage users, and set policies only in the School of Engineering.

This article describes how to create or delete administrative units to restrict the scope of role permissions in Microsoft Entra ID.

Prerequisites

Microsoft Entra ID P1 or P2 license for each administrative unit administrator
Microsoft Entra ID Free licenses for administrative unit members
Privileged Role Administrator role
Microsoft Graph PowerShell module when using PowerShell

For more information, see Prerequisites to use PowerShell.

Create an administrative unit

You can create a new administrative unit by using either the Microsoft Entra admin center, Microsoft Entra PowerShell, or Microsoft Graph.

Tip

Steps in this article might vary slightly based on the portal you start from.

Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select Add.
In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
If you don't want tenant-level administrators to be able to access this administrative unit, set the Restricted management administrative unit toggle to Yes. For more information, see Restricted management administrative units.
Optionally, on the Assign roles tab, select a role and then select the users to assign the role to with this administrative unit scope.
On the Review + create tab, review the administrative unit and any role assignments.
Select the Create button.

Use the Connect-MgGraph command to sign in to your tenant and consent to the required permissions.

Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "AdministrativeUnit.ReadWrite.All"

Use the New-MgDirectoryAdministrativeUnit command to create a new administrative unit.

$params = @{
    DisplayName = "Seattle District Technical Schools"
    Description = "Seattle district technical schools administration"
    Visibility = "HiddenMembership"
}
$adminUnitObj = New-MgDirectoryAdministrativeUnit -BodyParameter $params

Use the New-MgBetaDirectoryAdministrativeUnit command to create a new restricted management administrative unit. Set the IsMemberManagementRestricted property to $true.

$params = @{
    DisplayName = "Contoso Executive Division"
    Description = "Contoso Executive Division administration"
    Visibility = "HiddenMembership"
    IsMemberManagementRestricted = $true
}
$restrictedAU = New-MgBetaDirectoryAdministrativeUnit -BodyParameter $params

Delete an administrative unit

In Microsoft Entra ID, you can delete an administrative unit that you no longer need as a unit of scope for administrative roles. Before you delete the administrative unit, you should remove any role assignments with that administrative unit scope.

Use the Remove-MgDirectoryAdministrativeUnit command to delete an administrative unit.

$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Seattle District Technical Schools'"
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $adminUnitObj.Id

Create or delete administrative units

Prerequisites

Create an administrative unit

Additional resources