Assign Azure AD roles with administrative unit scope

In Azure Active Directory (Azure AD), for more granular administrative control, you can assign an Azure AD role with a scope that's limited to one or more administrative units. When an Azure AD role is assigned at the scope of an administrative unit, role permissions apply only when managing members of the administrative unit itself, and do not apply to tenant-wide settings or configurations.

For example, an administrator who is assigned the Groups Administrator role at the scope of an administrative unit can manage groups that are members of the administrative unit, but they cannot manage other groups in the tenant. They also cannot manage tenant-level settings related to groups, such as expiration or group naming policies.

This article describes how to assign Azure AD roles with administrative unit scope.

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Roles that can be assigned with administrative unit scope

The following Azure AD roles can be assigned with administrative unit scope. Additionally, any custom role can be assigned with administrative unit scope as long as the custom role's permissions include at least one permission relevant to users, groups, or devices.

  • Authentication Administrator: Has access to view, set, and reset authentication method information for any non-admin user in the assigned administrative unit only.
  • Cloud Device Administrator: Limited access to manage devices in Azure AD.
  • Groups Administrator: Can manage all aspects of groups in the assigned administrative unit only.
  • Helpdesk Administrator: Can reset passwords for non-administrators in the assigned administrative unit only.
  • License Administrator: Can assign, remove, and update license assignments within the administrative unit only.
  • Password Administrator: Can reset passwords for non-administrators within the assigned administrative unit only.
  • Printer Administrator: Can manage printers and printer connectors. For more information, see Delegate administration of printers in Universal Print.
  • SharePoint Administrator: Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites.
  • Teams Administrator: Can manage Microsoft 365 groups in the assigned administrative unit only. Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only. Cannot use the Teams admin center.
  • Teams Devices Administrator: Can perform management related tasks on Teams certified devices.
  • User Administrator: Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only.
  • <Custom role>: Can perform actions that apply to users, groups, or devices, according to the definition of the custom role.

Certain role permissions apply only to non-administrator users when assigned with the scope of an administrative unit. In other words, an administrative unit scoped Helpdesk Administrator can reset passwords for users in the administrative unit only if those users do not hold administrator roles. The following permissions are restricted when the target of an action is another administrator:

  • Read and modify user authentication methods, or reset user passwords
  • Modify sensitive user properties such as telephone numbers, alternate email addresses, or OAuth secret keys
  • Delete or restore user accounts
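The practical consequence of this restriction is that an AU-scoped Helpdesk or Password Administrator will be denied when the target user happens to hold a directory role, and the denial is correct behaviour rather than a misconfigured assignment. The following script is an added example, not code from the original article: it lists the users in an administrative unit that hold any Azure AD role assignment of their own, so the delegated admin can see in advance which resets will fail. It assumes the AzureAD module, an open Connect-AzureAD session, and a hypothetical administrative unit name; the exact set of roles the service treats as protected is defined by Azure AD, so the output is a superset to review rather than an authoritative list.

```powershell
# Added example (not from the original article): find AU members who hold an
# Azure AD role. AU-scoped Helpdesk, Password and Authentication Administrators
# cannot reset credentials for these users, so a denied reset on them is expected.
# Assumes the AzureAD module and a session opened with Connect-AzureAD.
function Get-AdminUnitUsersWithRoles {
    param([Parameter(Mandatory)][string]$AdminUnitName)

    $au = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$AdminUnitName'"
    if (-not $au) { throw "Administrative unit '$AdminUnitName' not found" }

    # AU members may be users, groups or devices; keep only those that resolve as users.
    $users = foreach ($m in Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true) {
        try { Get-AzureADUser -ObjectId $m.Id -ErrorAction Stop } catch { }
    }

    foreach ($u in $users) {
        # Direct assignments only: a role inherited through membership of a
        # role-assignable group is not returned by this filter and needs a
        # separate check of the user's group memberships.
        $assignments = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($u.ObjectId)'"
        if (-not $assignments) { continue }

        foreach ($a in $assignments) {
            $role = Get-AzureADMSRoleDefinition -Id $a.RoleDefinitionId
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Role              = $role.DisplayName
                # '/' is a tenant-wide assignment; '/administrativeUnits/<id>' is AU-scoped.
                Scope             = $a.DirectoryScopeId
            }
        }
    }
}

Connect-AzureAD | Out-Null
# 'Example_admin_unit_name' is a hypothetical AU name.
Get-AdminUnitUsersWithRoles -AdminUnitName 'Example_admin_unit_name' | Format-Table -AutoSize
```

Run it before delegating password or authentication-method resets for an administrative unit; any user it returns should be handled by a tenant-scope Privileged Authentication Administrator or an equivalent higher-privilege role rather than by the AU-scoped helpdesk staff.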

Security principals that can be assigned with administrative unit scope

The following security principals can be assigned to a role with an administrative unit scope:

  • Users
  • Azure AD role-assignable groups
  • Service principals

Service principals and guest users

Service principals and guest users will not be able to use a role assignment scoped to an administrative unit unless they are also assigned corresponding permissions to read the objects. This is because service principals and guest users do not receive directory read permissions by default, which are required to perform administrative actions. To enable a service principal or guest user to use a role assignment scoped to an administrative unit, you must assign the Directory Readers role (or another role that includes read permissions) at a tenant scope.

It is not currently possible to assign directory read permissions scoped to an administrative unit. For more information about default permissions for users, see default user permissions.

Assign a role with an administrative unit scope

You can assign an Azure AD role with an administrative unit scope by using the Azure portal, PowerShell, or Microsoft Graph.

Azure portal

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Administrative units and then select the administrative unit that you want to scope the role assignment to.

  3. On the left pane, select Roles and administrators to list all the available roles.

  4. Select the role to be assigned, and then select Add assignments.

  5. On the Add assignments pane, select one or more users to be assigned to the role.

Note

To assign a role on an administrative unit by using Azure AD Privileged Identity Management (PIM), see Assign Azure AD roles in PIM.

PowerShell

Use the New-AzureADMSRoleAssignment command and the DirectoryScopeId parameter to assign a role with administrative unit scope.

# Sign in with the AzureAD module first; the filters below use the placeholder names from this article
Connect-AzureAD
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Example_UPN'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Example_role_name'"
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
# Administrative unit scope IDs take the form /administrativeUnits/<AU object ID>; '/' would mean tenant-wide
$directoryScope = '/administrativeUnits/' + $adminUnit.Id
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.ObjectId
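The snippet above covers the straightforward case of a member user. The function below is an added example, not code from the original article, that wraps the same New-AzureADMSRoleAssignment call with the checks a practitioner wants: it refuses to create a duplicate assignment, and it applies the workaround from the "Service principals and guest users" section by granting Directory Readers at tenant scope when the principal is a service principal or a guest user, since an AU-scoped assignment is otherwise unusable for them. It assumes the AzureAD module, an open Connect-AzureAD session, and hypothetical AU, role and user names. Note that Directory Readers at tenant scope is a tenant-wide read grant; there is no AU-scoped alternative, so record that decision when you delegate to a service principal.

```powershell
# Added example (not from the original article). Assigns a role at administrative
# unit scope and, for service principals and guest users, also grants Directory
# Readers at tenant scope so the AU-scoped assignment can actually be used.
# Assumes the AzureAD module and a session opened with Connect-AzureAD.
function New-AdminUnitRoleAssignment {
    param(
        [Parameter(Mandatory)][string]$AdminUnitName,
        [Parameter(Mandatory)][string]$RoleName,
        # Object ID of a user, a role-assignable group or a service principal.
        [Parameter(Mandatory)][string]$PrincipalId
    )

    $au   = Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$AdminUnitName'"
    $role = Get-AzureADMSRoleDefinition   -Filter "displayName eq '$RoleName'"
    if (-not $au)   { throw "Administrative unit '$AdminUnitName' not found" }
    if (-not $role) { throw "Role '$RoleName' not found" }

    $scope = "/administrativeUnits/$($au.Id)"

    # Idempotency: return the existing assignment instead of creating a duplicate.
    $existing = Get-AzureADMSRoleAssignment -Filter "principalId eq '$PrincipalId'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq $scope }
    if ($existing) { return $existing }

    # Service principals and guests get no default directory read permission,
    # which an AU-scoped role needs; the documented workaround is Directory
    # Readers at tenant scope ('/').
    $principal = Get-AzureADObjectByObjectId -ObjectIds $PrincipalId
    if (-not $principal) { throw "Principal $PrincipalId not found" }
    $needsReader = switch ($principal.ObjectType) {
        'ServicePrincipal' { $true }
        'User'             { (Get-AzureADUser -ObjectId $PrincipalId).UserType -eq 'Guest' }
        default            { $false }
    }
    if ($needsReader) {
        $reader = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Directory Readers'"
        $hasReader = Get-AzureADMSRoleAssignment -Filter "principalId eq '$PrincipalId'" |
            Where-Object { $_.RoleDefinitionId -eq $reader.Id -and $_.DirectoryScopeId -eq '/' }
        if (-not $hasReader) {
            Write-Warning "Granting Directory Readers at tenant scope to $PrincipalId (required for AU-scoped roles on this principal type)"
            New-AzureADMSRoleAssignment -DirectoryScopeId '/' -RoleDefinitionId $reader.Id -PrincipalId $PrincipalId | Out-Null
        }
    }

    New-AzureADMSRoleAssignment -DirectoryScopeId $scope -RoleDefinitionId $role.Id -PrincipalId $PrincipalId
}

Connect-AzureAD | Out-Null
# 'Example_UPN' and 'Example_admin_unit_name' are hypothetical placeholders.
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Example_UPN'"
New-AdminUnitRoleAssignment -AdminUnitName 'Example_admin_unit_name' -RoleName 'Helpdesk Administrator' -PrincipalId $user.ObjectId
```

The returned object carries the assignment ID, which is what Remove-AzureADMSRoleAssignment needs when you later revoke the delegation.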

Microsoft Graph API

Use the Add a scopedRoleMember API to assign a role with administrative unit scope. In the request body, roleId is the object ID of the directoryRole resource (the role must already be activated in the tenant; this is not the roleTemplateId), and roleMemberInfo.id is the object ID of the principal being assigned. The same assignment can also be created with the unifiedRoleAssignment API (POST /roleManagement/directory/roleAssignments with "directoryScopeId": "/administrativeUnits/{admin-unit-id}"), which is the API the New-AzureADMSRoleAssignment cmdlet uses.

Request

POST /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers

Body

{
  "roleId": "roleId-value",
  "roleMemberInfo": {
    "id": "id-value"
  }
}

List role assignments with administrative unit scope

You can view a list of Azure AD role assignments with administrative unit scope by using the Azure portal, PowerShell, or Microsoft Graph.

Azure portal

You can view all the role assignments created with an administrative unit scope in the Administrative units section of Azure AD.

  1. Sign in to the Azure portal or Azure AD admin center.

  2. Select Azure Active Directory > Administrative units and then select the administrative unit for the list of role assignments you want to view.

  3. Select Roles and administrators, and then open a role to view the assignments in the administrative unit.

PowerShell

Use the Get-AzureADMSScopedRoleMembership command to list role assignments with administrative unit scope.

# Requires an open Connect-AzureAD session; the display name below is a placeholder
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
# RoleId in the output is the object ID of the directoryRole; RoleMemberInfo identifies the principal
Get-AzureADMSScopedRoleMembership -Id $adminUnit.Id | Format-List *
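The cmdlet above shows the raw membership records for one administrative unit, with the role as an ID rather than a name. For an access review you usually want every AU-scoped delegation in the tenant in one table with names resolved. The script below is an added example, not code from the original article; it assumes the AzureAD module, an open Connect-AzureAD session, and a hypothetical CSV path. It reports only active assignments: a PIM-eligible assignment that has not been activated does not appear here.

```powershell
# Added example (not from the original article): inventory every AU-scoped role
# assignment in the tenant with role and principal names resolved.
# Assumes the AzureAD module and a session opened with Connect-AzureAD.
function Get-AdminUnitRoleAssignmentReport {
    # RoleId on a scoped membership is the object ID of the activated directoryRole,
    # so Get-AzureADDirectoryRole resolves it; cache lookups across AUs.
    $roleNames = @{}

    foreach ($au in Get-AzureADMSAdministrativeUnit -All $true) {
        foreach ($m in Get-AzureADMSScopedRoleMembership -Id $au.Id) {
            if (-not $roleNames.ContainsKey($m.RoleId)) {
                $roleNames[$m.RoleId] = (Get-AzureADDirectoryRole -ObjectId $m.RoleId).DisplayName
            }
            [pscustomobject]@{
                AdministrativeUnit   = $au.DisplayName
                AdministrativeUnitId = $au.Id
                Role                 = $roleNames[$m.RoleId]
                Principal            = $m.RoleMemberInfo.DisplayName
                # UserPrincipalName is empty for groups and service principals.
                UserPrincipalName    = $m.RoleMemberInfo.UserPrincipalName
                PrincipalId          = $m.RoleMemberInfo.Id
                MembershipId         = $m.Id
            }
        }
    }
}

Connect-AzureAD | Out-Null
$report = Get-AdminUnitRoleAssignmentReport
$report | Sort-Object AdministrativeUnit, Role | Format-Table -AutoSize
# Hypothetical output path for the review record.
$report | Export-Csv -Path '.\au-role-assignments.csv' -NoTypeInformation
```

Diffing two exports of this report over time is a cheap way to detect delegations added outside your change process, since an AU-scoped assignment is easy to miss in a tenant-level role review that only looks at the Roles and administrators blade.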

Microsoft Graph API

Use the List scopedRoleMembers API to list role assignments with administrative unit scope.

Request

GET /directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers

Body

No request body is sent with this GET request.

Next steps