Impossible to add user in administrative unit with user which have "User administor" role in AU scope

Julien Rateau 31 Reputation points

I meet an issue with administrative unit. In fact, I created a user named "test" in my Azure Active Directory with my Global Administrator account.

I created an administrative unit, put this user "test" into it, affect a P2 license to this user and "User administrator" role for the AU scope.

If am not mistaken, the user test should have the permissions to create and remove users in AU scope only but it does not.

The "Add member" is still greyed.

Have you got any idea please?

Thanks in advance for your help.
Kind regards,

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,409 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee

    Hi @Julien Rateau ,

    I understand that you are trying to add a user to an Administrative Unit using a User Administrator role, but the "+ Add Member" button is greyed out for you and you are unable to do it.

    The documentation for creating and adding users to administrative units does list having a Privileged Administrator or Global Administrator role as a prerequisite for adding users and groups to an Administrative Unit. Reference: Add users or groups to an administrative unit

    I checked the permissions in the Azure portal and the User Administrator role appears to only have "read" permissions on the administrative units.


    The FAQ says that "User administrators for the administrative unit can manage the name and membership of the group itself." Based on the role definitions in the portal and the prerequisite list for adding users to an AU, the User administrator role appears to have the ability to manage users and group members within an AU, but cannot add or delete members from an AU.

    I reached out to the product team to ask for more clarity in the documentation around these definitions though as I agree that the language could be clearer, and I also noticed that the built-in role permissions documentation doesn't even have "Read" permissions listed for User administrator, even though they are there in the portal. The permissions are entirely missing and I have brought this to the attention of the product group.

    For now it does seem that you need to be either a Global Admin or a Privileged Role Administrator to add new members though.

  2. Julien Rateau 31 Reputation points

    Hi @Marilee Turscak-MSFT ,
    Thank you for your answer and for your reporting actions. I am still confused because in the page describing role permissions for "User administrator" role, the permission belongs to this role permissions scope. As you can see in the following screenshot.173957-capture.png

    What my user would be able to do thanks to this permission?