List users, groups, or devices in an administrative unit

In Azure Active Directory (Azure AD), you can list the users, groups, or devices in administrative units.

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • AzureAD module when using PowerShell
  • AzureADPreview module when using PowerShell for devices
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

You can list the users, groups, or devices in administrative units using the Azure portal.

List the administrative units for a single user, group, or device

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory.

  3. Select one of the following:

    • Users
    • Groups
    • Devices > All devices
  4. Select the user, group, or device whose administrative units you want to list.

  5. Select Administrative units to list all the administrative units where the user, group, or device is a member.

    Screenshot of the Administrative units page, displaying a list of administrative units that a group is assigned to.

List the users, groups, or devices for a single administrative unit

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory.

  3. Select Administrative units and then select the administrative unit whose users, groups, or devices you want to list.

  4. Select one of the following:

    • Users
    • Groups
    • Devices

    Screenshot of the Groups page displaying a list of groups in an administrative unit.

List the devices for an administrative unit by using the All devices page

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory.

  3. Select Devices > All devices.

  4. Select the filter for administrative unit.

  5. Select the administrative unit whose devices you want to list.

    Screenshot of All devices page with an administrative unit filter.

PowerShell

Use the Get-AzureADMSAdministrativeUnit and Get-AzureADMSAdministrativeUnitMember commands to list users or groups for an administrative unit.

Use the Get-AzureADMSAdministrativeUnit (Preview) and Get-AzureADMSAdministrativeUnitMember (Preview) commands to list devices for an administrative unit.

Note

By default, Get-AzureADMSAdministrativeUnitMember returns only top members of an administrative unit. To retrieve all members, add the -All $true parameter.

List the administrative units for a user

$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
# -All $true checks every member, not only the top members returned by default
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id -All $true | where {$_.Id -eq $userObj.ObjectId} }

List the administrative units for a group

$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
# -All $true checks every member, not only the top members returned by default
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id -All $true | where {$_.Id -eq $groupObj.ObjectId} }

List the administrative units for a device

# $deviceObjId is assumed to already hold the object ID of the device
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }

List the users, groups, and devices for an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
Get-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id

List the groups for an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# -All $true retrieves every member so that no group is missed
foreach ($member in (Get-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -All $true))
{
    if($member.OdataType -eq "#microsoft.graph.group")
    {
        Get-AzureADGroup -ObjectId $member.Id
    }
}

List the devices for an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# -All $true retrieves every member so that no device is missed
foreach ($member in (Get-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -All $true))
{
    if($member.ObjectType -eq "Device")
    {
        Get-AzureADDevice -ObjectId $member.ObjectId
    }
}
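
The per-object lookups above call Get-AzureADMSAdministrativeUnitMember once per administrative unit for every object checked. The following added example (not part of the original documentation) reads every unit once with -All $true and builds a reverse index for membership reviews. The function names Get-AdminUnitMembership and ConvertTo-MemberIndex are hypothetical, and it assumes user and group members that expose Id and OdataType as in the group example above.

```powershell
# Added example: requires the AzureAD module and an existing Connect-AzureAD session.
function Get-AdminUnitMembership {
    # One row per (administrative unit, member) pair across the tenant.
    foreach ($au in (Get-AzureADMSAdministrativeUnit -All $true)) {
        # -All $true avoids the default truncation to the top members.
        foreach ($member in (Get-AzureADMSAdministrativeUnitMember -Id $au.Id -All $true)) {
            [pscustomobject]@{
                AdminUnitId   = $au.Id
                AdminUnitName = $au.DisplayName
                MemberId      = $member.Id
                MemberType    = $member.OdataType   # assumed present, as in the group example
            }
        }
    }
}

function ConvertTo-MemberIndex {
    # Reverse index: member object ID -> names of the administrative units that contain it.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Rows)
    $index = @{}
    foreach ($row in $Rows) {
        if (-not $index.ContainsKey($row.MemberId)) {
            $index[$row.MemberId] = [System.Collections.Generic.List[string]]::new()
        }
        $index[$row.MemberId].Add($row.AdminUnitName)
    }
    $index
}

$rows  = @(Get-AdminUnitMembership)
$index = ConvertTo-MemberIndex -Rows $rows

# Member counts per administrative unit and object type.
$rows | Group-Object AdminUnitName, MemberType | Sort-Object Name | Select-Object Count, Name

# Administrative units for one user, without another pass over every unit.
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
if ($userObj) { $index[$userObj.ObjectId] }

# Objects that belong to more than one administrative unit.
$index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
```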

Microsoft Graph API

Use the List members API to list users or groups for an administrative unit.

Use the List members (Beta) API to list devices for an administrative unit.

List the administrative units for a user

GET https://graph.microsoft.com/v1.0/users/{user-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit

List the administrative units for a group

GET https://graph.microsoft.com/v1.0/groups/{group-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit

List the administrative units for a device

GET https://graph.microsoft.com/beta/devices/{device-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit

List the groups for an administrative unit

GET https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$/microsoft.graph.group

List the devices for an administrative unit

GET https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/$/microsoft.graph.device
