Adding groups to Administrative Units

Kate Ivankova 20 Reputation points
2024-07-26T19:31:39.3733333+00:00

I navigated to Entra https://entra.microsoft.com/ under Identity > Roles and admins > Admin Units and created an Administrative Unit with Restricted Management enabled. This was done while I was elevated to Global Admin.

After creating the Administrative Unit, I went to Groups and clicked +Add. However, in the pop-up window, all groups were greyed out. Not all Cloud Security groups were visible, and I couldn’t add any groups.

When I go to EntraID > Groups and click on any Security Cloud group, I can add them to the Administrative Unit. However, I have over 500 groups to add, and doing this one by one would be very time-consuming.

Is this a glitch, or am I missing something?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Vasil Michev 113.4K Reputation points MVP
    2024-07-27T15:27:31.9033333+00:00

    What you are describing seems like the expected behavior. Only certain group types are supported as members of restricted management AUs (see this table), thus ineligible entries are grayed out in the UI. In addition, said UI component only lists a limited number of entries; you cannot scroll over the entire list of groups within your organization. You can, however, search for individual groups by using the box on top.

    In any case, if you are planning to add 500 groups as members of said AU, the UI is not the best tool for the job. The Graph SDK for PowerShell will help you automate the task; you can find examples on how to use it in this article: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-members-add#powershell

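A bulk version of the Graph SDK for PowerShell approach recommended in the accepted answer, as an added example that is not code from this thread or from the linked Microsoft article. The AU display name is a placeholder, and the `$DryRun` switch, status labels and CSV file name are assumptions made for illustration; dynamic-membership groups are skipped because the thread states they cannot be added.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
# Added example: bulk-add cloud security groups to one administrative unit (AU).
$AuName = '<your-AU-display-name>'   # placeholder, replace with your AU's name
$DryRun = $true                      # assumption: preview first, set $false to apply

Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'Group.Read.All'

# Resolve the AU and refuse to continue on zero or ambiguous matches.
$au = @(Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AuName'")
if ($au.Count -ne 1) { throw "Expected exactly one AU named '$AuName', found $($au.Count)." }
$auId = $au[0].Id

# Index current members so a rerun does not fail on groups already in the AU.
$existing = @{}
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $auId -All |
    ForEach-Object { $existing[$_.Id] = $true }

# Security groups that are not mail-enabled.
$groups = Get-MgGroup -All -Filter 'securityEnabled eq true and mailEnabled eq false'

$results = foreach ($g in $groups) {
    $status =
        if ($existing.ContainsKey($g.Id)) { 'AlreadyMember' }
        elseif ($g.OnPremisesSyncEnabled) { 'SkippedSynced' }    # question is about cloud groups
        elseif ($g.GroupTypes -contains 'DynamicMembership') { 'SkippedDynamic' }
        elseif ($DryRun) { 'WouldAdd' }
        else {
            try {
                $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$($g.Id)" }
                New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $auId `
                    -BodyParameter $body -ErrorAction Stop | Out-Null
                'Added'
            }
            catch {
                # Unsupported group types and permission problems end up here.
                "Failed: $($_.Exception.Message)"
            }
        }
    [pscustomobject]@{ Group = $g.DisplayName; Id = $g.Id; Status = $status }
}

# Summary on screen, full per-group record on disk for review.
$results | Group-Object Status | Select-Object Name, Count
$results | Export-Csv -Path .\au-group-import.csv -NoTypeInformation
```

Review the `WouldAdd` rows in the CSV before setting `$DryRun = $false`, since groups placed in a restricted management AU can afterwards only be managed by administrators scoped to that AU.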

2 additional answers

  1. Marilee Turscak-MSFT 37,141 Reputation points Microsoft Employee
    2024-07-26T23:59:28.64+00:00

    Hi Kate Ivankova,

    Please make sure that you have permissions to add the group. To add security groups to the Administrative Unit, the role needs to include this permission: microsoft.directory/groups/create (added either via custom role or Group Admin role).

    Note also that groups cannot be added to administrative units if the membership type is Dynamic User or Dynamic Device.


    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-members-dynamic

    If you already have the correct permissions and membership types, please share some screenshots of what you are seeing when you try to add the groups.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.


  2. Kate Ivankova 20 Reputation points
    2024-07-29T13:57:12.2566667+00:00

    Thank you for your answers @Marilee Turscak-MSFT and @Vasil Michev. The Graph SDK for PowerShell is the way to go, definitely.

