Remove users, groups, or devices from an administrative unit

When users, groups, or devices in an administrative unit no longer need access, you can remove them.

Prerequisites

  • Azure AD Premium P1 or P2 license for each administrative unit administrator
  • Azure AD Free licenses for administrative unit members
  • Privileged Role Administrator or Global Administrator
  • AzureAD module when using PowerShell
  • AzureADPreview module when using PowerShell for devices
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Azure portal

You can remove users, groups, or devices from administrative units individually using the Azure portal. You can also remove users in a bulk operation.

Remove a single user, group, or device from administrative units

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory.

  3. Select one of the following:

    • Users
    • Groups
    • Devices > All devices

  4. Select the user, group, or device you want to remove from an administrative unit.

  5. Select Administrative units.

  6. Add check marks next to the administrative units you want to remove the user, group, or device from.

  7. Select Remove from administrative unit.

    Screenshot of Devices and Administrative units page with Remove from administrative unit option.

Remove users, groups, or devices from a single administrative unit

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory.

  3. Select Administrative units and then select the administrative unit that you want to remove users, groups, or devices from.

  4. Select one of the following:

    • Users
    • Groups
    • Devices

  5. Add check marks next to the users, groups, or devices you want to remove.

  6. Select Remove member, Remove, or Remove device.

    Screenshot showing a list of users in an administrative unit with check marks and a Remove member option.

Remove users from an administrative unit in a bulk operation

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory.

  3. Select Administrative units and then select the administrative unit that you want to remove users from.

  4. Select Users > Bulk operations > Bulk remove members.

    Screenshot showing the "Bulk remove members" link on the "Users" pane.

  5. In the Bulk remove members pane, download the comma-separated values (CSV) template.

  6. Edit the downloaded CSV template with the list of users you want to remove.

    Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.

  7. Save your changes and upload the CSV file.

  8. Select Submit.

PowerShell

Use the Remove-AzureADMSAdministrativeUnitMember command to remove users or groups from an administrative unit.

Use the Remove-AzureADMSAdministrativeUnitMember (Preview) command to remove devices from an administrative unit.

Remove users from an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Remove-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -MemberId $userObj.ObjectId

Remove groups from an administrative unit

$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Remove-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -MemberId $groupObj.ObjectId

Remove devices from an administrative unit

# $adminUnitId and $deviceObjId hold the object IDs of the administrative unit and the device
Remove-AzureADMSAdministrativeUnitMember -ObjectId $adminUnitId -MemberId $deviceObjId

Microsoft Graph API

Use the Remove a member API to remove users or groups from an administrative unit.

Use the Remove a member (Beta) API to remove devices from an administrative unit.

Remove users from an administrative unit

DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{user-id}/$ref

Remove groups from an administrative unit

DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{group-id}/$ref

Remove devices from an administrative unit

DELETE https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/{device-id}/$ref
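
The three DELETE calls above, wrapped in a Python helper as an added example (not code from the original page): it validates every ID as a GUID before any request is sent, so a malformed entry cannot alter the request path or leave a half-applied removal, and it picks the v1.0 or beta path by member type. The function names, sample IDs, token placeholder and stand-in transport are constructed for illustration.

```python
import uuid
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Path prefixes as listed on this page: v1.0 for users and groups, beta for devices.
PREFIX = {
    "user": "/v1.0/directory/administrativeUnits",
    "group": "/v1.0/directory/administrativeUnits",
    "device": "/beta/administrativeUnits",
}

def canonical_guid(value):
    """Return value as a lower-case hyphenated GUID, or raise ValueError."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"not a GUID: {value!r}") from None

def removal_url(admin_unit_id, kind, member_id):
    """Build the DELETE URL for one member; IDs never reach the URL unvalidated."""
    if kind not in PREFIX:
        raise ValueError(f"unsupported member kind: {kind!r}")
    return (f"{GRAPH}{PREFIX[kind]}/{canonical_guid(admin_unit_id)}"
            f"/members/{canonical_guid(member_id)}/$ref")

def http_delete(url, token):
    """Send one DELETE with a bearer token and return the HTTP status code."""
    req = urllib.request.Request(url, method="DELETE",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def remove_members(admin_unit_id, members, token, send=http_delete):
    """Validate every (kind, id) pair first, then send; 204 means removed."""
    urls = [removal_url(admin_unit_id, kind, mid) for kind, mid in members]
    return {url: send(url, token) for url in urls}

if __name__ == "__main__":
    au = "11111111-1111-1111-1111-111111111111"  # constructed sample ID
    batch = [("user", "22222222-2222-2222-2222-222222222222"),
             ("device", "33333333-3333-3333-3333-333333333333")]
    # Stand-in transport so the example runs offline; omit send= to call Graph.
    results = remove_members(au, batch, "TOKEN-PLACEHOLDER", send=lambda u, t: 204)
    for url, status in results.items():
        print(status, url)
```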
