Create or delete administrative units
Administrative units let you subdivide your organization into any unit that you want, and then assign specific administrators who can manage only the members of that unit. For example, you could use administrative units to delegate permissions to administrators of each school at a large university, so they could control access, manage users, and set policies only in the School of Engineering.
This article describes how to create or delete administrative units to restrict the scope of role permissions in Azure Active Directory (Azure AD).
Prerequisites
- Azure AD Premium P1 or P2 license for each administrative unit administrator
- Azure AD Free licenses for administrative unit members
- Privileged Role Administrator or Global Administrator
- AzureAD module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Create an administrative unit
You can create a new administrative unit by using the Azure portal, PowerShell, or Microsoft Graph.
Azure portal
1. Sign in to the Azure portal.
2. Select Azure Active Directory > Administrative units.
3. Select Add.
4. In the Name box, enter the name of the administrative unit. Optionally, add a description of the administrative unit.
5. Optionally, on the Assign roles tab, select a role and then select the users to assign the role to with this administrative unit scope.
6. On the Review + create tab, review the administrative unit and any role assignments.
7. Select the Create button.
PowerShell
Use the New-AzureADMSAdministrativeUnit command to create a new administrative unit.
New-AzureADMSAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"
Microsoft Graph PowerShell
Use the New-MgDirectoryAdministrativeUnit command to create a new administrative unit.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$params = @{
    DisplayName = "Seattle District Technical Schools"
    Description = "Seattle district technical schools administration"
    Visibility = "HiddenMembership"
}
New-MgDirectoryAdministrativeUnit -BodyParameter $params
Microsoft Graph API
Use the Create administrativeUnit API to create a new administrative unit.
Request
POST https://graph.microsoft.com/v1.0/directory/administrativeUnits
Body
{
    "displayName": "North America Operations",
    "description": "North America Operations administration"
}
Delete an administrative unit
In Azure AD, you can delete an administrative unit that you no longer need as a unit of scope for administrative roles. Before you delete the administrative unit, you should remove any role assignments with that administrative unit scope.
Azure portal
1. Sign in to the Azure portal.
2. Select Azure Active Directory > Administrative units and then select the administrative unit you want to delete.
3. Select Roles and administrators, and then open a role to view the role assignments.
4. Remove all the role assignments with the administrative unit scope.
5. Select Azure Active Directory > Administrative units.
6. Add a check mark next to the administrative unit you want to delete.
7. Select Delete.
8. To confirm that you want to delete the administrative unit, select Yes.
PowerShell
Use the Remove-AzureADMSAdministrativeUnit command to delete an administrative unit.
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'DeleteMe Admin Unit'"
Remove-AzureADMSAdministrativeUnit -Id $adminUnitObj.Id
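The following is an added example, not part of the original article: it combines the guidance above (remove scoped role assignments first, then delete) into one function that refuses to act when the display name does not match exactly one unit. The function name Remove-AdminUnitSafely is hypothetical, and the code assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the RoleId and RoleMemberInfo properties are used only for the confirmation text.

```powershell
# Added example: requires the AzureAD module and an existing Connect-AzureAD session.
function Remove-AdminUnitSafely {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string]$DisplayName
    )

    # Escape single quotes so the name cannot break out of the OData filter literal.
    $escaped = $DisplayName.Replace("'", "''")
    $units = @(Get-AzureADMSAdministrativeUnit -Filter "displayName eq '$escaped'")

    # The filter may match zero or several units; refuse to guess which one is meant.
    if ($units.Count -ne 1) {
        throw "Expected exactly 1 administrative unit named '$DisplayName', found $($units.Count)."
    }
    $unit = $units[0]

    # Remove every role assignment scoped to this unit before deleting it.
    $scoped = @(Get-AzureADMSScopedRoleMembership -Id $unit.Id)
    foreach ($m in $scoped) {
        $what = "role $($m.RoleId) for $($m.RoleMemberInfo.DisplayName)"
        if ($PSCmdlet.ShouldProcess($unit.DisplayName, "Remove scoped assignment: $what")) {
            Remove-AzureADMSScopedRoleMembership -Id $unit.Id -ScopedRoleMembershipId $m.Id
        }
    }

    if ($PSCmdlet.ShouldProcess($unit.DisplayName, 'Delete administrative unit')) {
        Remove-AzureADMSAdministrativeUnit -Id $unit.Id
    }

    # Return a record of what was found and targeted, for the change log.
    [pscustomobject]@{
        AdministrativeUnitId   = $unit.Id
        DisplayName            = $unit.DisplayName
        ScopedAssignmentsFound = $scoped.Count
    }
}

# Preview first; nothing is changed with -WhatIf.
Remove-AdminUnitSafely -DisplayName 'DeleteMe Admin Unit' -WhatIf
```

Run it once with -WhatIf to review the scoped assignments that would be removed, then again without it to apply the change.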
Microsoft Graph API
Use the Delete administrativeUnit API to delete an administrative unit.
DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}