Manage users or devices for an administrative unit with rules for dynamic membership groups
You can add or remove users or devices for administrative units manually. With dynamic membership groups, you can add or remove users or devices for administrative units dynamically using rules. This article describes how to create administrative units with rules for dynamic membership groups using the Microsoft Entra admin center, PowerShell, or Microsoft Graph API.
Note
Dynamic membership rules for administrative units can be created using the same attributes available for dynamic membership groups. For more information about the specific attributes available and examples on how to use them, see Manage rules for dynamic membership groups in Microsoft Entra ID.
Although administrative units with members assigned manually support multiple object types, such as users, groups, and devices, it is currently not possible to create an administrative unit with rules for dynamic membership groups that includes more than one object type. For example, you can create administrative units with rules for dynamic membership groups for users or devices, but not both. Administrative units with rules for dynamic membership groups for groups are currently not supported.
Prerequisites
Microsoft Entra ID P1 or P2 license for each administrative unit administrator
Microsoft Entra ID P1 or P2 license for each administrative unit member
Privileged Role Administrator
Microsoft Graph PowerShell SDK installed when using PowerShell
Admin consent when using Graph Explorer for Microsoft Graph API
Global Azure cloud (not available in specialized clouds, such as Azure Government or Microsoft Azure operated by 21Vianet)
Note
Dynamic membership rules for administrative units require a Microsoft Entra ID P1 license for each unique user that is a member of one or more dynamic administrative units. You don't have to assign licenses to users for them to be members of dynamic administrative units, but you must have the minimum number of licenses in the Microsoft Entra organization to cover all such users. For example, if you had a total of 1,000 unique users in all dynamic administrative units in your organization, you would need at least 1,000 licenses for Microsoft Entra ID P1 to meet the license requirement. No license is required for devices that are members of an administrative unit for a dynamic membership group for devices.
Use the New-MgDirectoryAdministrativeUnit command to create a new administrative unit with a rule for dynamic membership groups using the following parameters:
MembershipType: Dynamic or Assigned
MembershipRule: Dynamic membership rule you created in a previous step
MembershipRuleProcessingState: On or Paused
# Create an administrative unit for users in the United States
$params = @{
    displayName = "Example Admin Unit"
    description = "Example Dynamic Membership Admin Unit"
    membershipType = "Dynamic"
    membershipRule = "(user.country -eq 'United States')"
    membershipRuleProcessingState = "On"
}
New-MgDirectoryAdministrativeUnit -BodyParameter $params
When an administrative unit has been configured for dynamic membership groups, the usual commands to add or remove members for the administrative unit are disabled, because the dynamic membership groups engine retains sole ownership of adding or removing members. To make changes to the membership, you can edit the rules for dynamic membership groups.
# Set a new rule for dynamic membership groups for an administrative unit
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Example Admin Unit'"
$params = @{
    membershipRule = "(user.country -eq 'Germany')"
}
Update-MgDirectoryAdministrativeUnit -AdministrativeUnitId $adminUnit.Id -BodyParameter $params
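Because the rule engine, not an administrator, decides who falls inside a dynamic administrative unit, it helps to review periodically which rules are in force and how many users they scope. The following is an added example, not part of the original article: it inventories dynamic administrative units, flags any whose rule processing is not On, and counts the unique users across them (the figure the license note above is based on). The AdministrativeUnit.Read.All scope and the report column names are choices made for this example.

```powershell
# Added example: review dynamic administrative units and the users they scope.
# Assumes the Microsoft Graph PowerShell SDK and read access to administrative units.
Connect-MgGraph -Scopes "AdministrativeUnit.Read.All"

# Retrieve every administrative unit and keep only the dynamic ones.
$dynamicUnits = Get-MgDirectoryAdministrativeUnit -All `
    -Property "id,displayName,membershipType,membershipRule,membershipRuleProcessingState" |
    Where-Object { $_.MembershipType -eq "Dynamic" }

# Track user object IDs across all units so each user is counted once.
$uniqueUsers = [System.Collections.Generic.HashSet[string]]::new()

$report = foreach ($unit in $dynamicUnits) {
    $members = @(Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $unit.Id -All)

    # Members come back as generic directory objects; the OData type tells users apart.
    $users = @($members | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user'
    })
    foreach ($user in $users) { [void]$uniqueUsers.Add($user.Id) }

    [pscustomobject]@{
        DisplayName     = $unit.DisplayName
        Rule            = $unit.MembershipRule
        ProcessingState = $unit.MembershipRuleProcessingState
        UserMembers     = $users.Count
        OtherMembers    = $members.Count - $users.Count
        # A rule that is not being processed leaves membership frozen at its last evaluation.
        NeedsReview     = $unit.MembershipRuleProcessingState -ne "On"
    }
}

$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize -Wrap
"Unique users across dynamic administrative units: $($uniqueUsers.Count)"
```

Units listed with NeedsReview set to True have a membership that no longer tracks attribute changes, so any role assignments scoped to them deserve a closer look.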
Follow these steps to change an administrative unit with rules for dynamic membership groups to an administrative unit where members are manually assigned.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit that you want to change to assigned.
Select Properties.
In the Membership type list, select Assigned.
Select Save to save the membership type.
The following message is displayed:
After changing the administrative unit type, the dynamic rule will no longer be processed. Current administrative unit members will remain in the administrative unit and the administrative unit will have assigned membership.
Select Yes to continue.
When the membership type setting is changed from dynamic to assigned, the current members remain intact in the administrative unit. Additionally, the ability to add groups to the administrative unit is enabled.