For more granular administrative control in Microsoft Entra ID, you can assign users to a Microsoft Entra role with a scope that's limited to one or more administrative units. For sample PowerShell scripts for common tasks, see Work with administrative units.
General
Why am I unable to create an administrative unit?
Only a Global Administrator or Privileged Role Administrator can create an administrative unit in Microsoft Entra ID. Check to ensure that the user who's trying to create the administrative unit is assigned either the Global Administrator or Privileged Role Administrator role.
I added a group to an administrative unit. Why are the group members still not showing up there?
When you add a group to an administrative unit, that does not result in all the group's members being added to it. Users must be directly assigned to the administrative unit.
I just added (or removed) a member of the administrative unit. Why is the member not showing up (or still showing up) on the user interface?
Sometimes, the addition or removal of one or more members of an administrative unit might take a few minutes to be reflected on the Administrative units pane. Alternatively, you can go directly to the associated resource's properties and see whether the action has been completed. For more information about members in administrative units, see List users, groups, or devices in an administrative unit.
I am a delegated Password Administrator on an administrative unit. Why am I unable to reset a specific user's password?
As an administrator of an administrative unit, you can reset passwords only for users who are assigned to your administrative unit. Make sure that the user whose password reset is failing belongs to the administrative unit to which you've been assigned. If the user belongs to the same administrative unit but you still can't reset the user's password, check the roles that are assigned to the user.
To prevent an elevation of privilege, an administrative unit-scoped administrator can't reset the password of a user who's assigned to a role with an organization-wide scope.
Why are administrative units necessary? Couldn't we have used security groups as the way to define a scope?
Security groups have an existing purpose and authorization model. A User Administrator, for example, can manage membership of all security groups in the Microsoft Entra organization. The role might use groups to manage access to applications such as Salesforce. A User Administrator should not be able to manage the delegation model itself, which would be the result if security groups were extended to support "resource grouping" scenarios.
Administrative units, such as organizational units in Windows Server Active Directory, are intended to provide a way to scope administration of a wide range of directory objects. Security groups themselves can be members of resource scopes. Using security groups to define the set of security groups that an administrator can manage could become confusing.
What does it mean to add a group to an administrative unit?
Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. For more information, see Administrative units in Microsoft Entra ID.
Can a resource (user, group, or device) be a member of more than one administrative unit?
Yes, a resource can be a member of more than one administrative unit. The resource can be managed by all organization-wide and administrative unit-scoped administrators who have permissions over the resource.
Are administrative units available in B2C organizations?
No, administrative units are not available for B2C organizations.
Are nested administrative units supported?
No, nested administrative units are not supported.
Are administrative units supported in PowerShell and the Graph API?
Yes. You'll find support for administrative units in PowerShell cmdlet documentation and sample scripts.
Find support for the administrativeUnit resource type in Microsoft Graph.
Dynamic administrative units (Preview)
I just saved a dynamic membership rule for an administrative unit, but I don't see any users populated yet.
The initial update of an administrative unit can take a few minutes depending on your tenant size and the current Microsoft Entra ID load.
After creating a dynamic membership rule in the Microsoft Entra admin center using the rule builder and attempting to save, I get the error "Failed to update administrative unit properties".
This usually means there is a problem with the supplied property values. Confirm that the property values you have supplied have a proper value type (Boolean, string, or string collection). For more information, see the allowed values for each operator for users or devices.
This error can also result if a person without a Microsoft Entra ID P1 license attempts to save an update to the administrative unit.
How can I add a single member to an administrative unit in addition to the current dynamic membership rule?
To add a single user, add an appropriate expression with the OR query operator to the dynamic membership rule.
I am a Global Administrator, but I can't add or remove members for an administrative unit.
When an administrative unit has been configured for dynamic membership, you must edit the dynamic membership rules to change membership.
How many administrative units with dynamic membership rules can I create in a tenant?
For the preview, the total number of dynamic groups and dynamic administrative units combined cannot exceed 5,000.
Is there a limit to the number of characters in a dynamic membership rule?
Yes. 3,072 characters.
Can I create administrative units with dynamic membership rules in the Microsoft 365 admin center?
No.
Restricted management administrative units (Preview)
I am the owner of a group that is a member of a restricted management administrative unit. How are my permissions affected?
As an owner of a protected group, you won't be able to manage it just based on ownership. Managing protected resources currently require a role to be assigned at the restricted management administrative unit scope of the protected resource.
How are my Microsoft 365 resources affected by using restricted management administrative units?
Currently, securing Microsoft Entra resources in restricted management administrative units is supported. Resources managed outside of Microsoft Entra ID aren't supported.
I'm unable to modify a member of a restricted management administrative unit.
The user, group, or device is a member of restricted management administrative unit. Management rights are limited to administrators scoped to that administrative unit.