APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Use this API to add a member (user, group, or device) to an administrative unit or to create a new group within an administrative unit. All group types can be created within an administrative unit.
Note: Currently, it's only possible to add one member at a time to an administrative unit.`
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
Permissions to add an existing user, group, or device
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
AdministrativeUnit.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
AdministrativeUnit.ReadWrite.All
To add a user, group, or device to an administrative unit, the calling user must be assigned the Privileged Role AdministratorMicrosoft Entra role.
Permissions to create a new group
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Group.ReadWrite.All and AdministrativeUnit.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Group.Create and AdministrativeUnit.Read.All, Group.ReadWrite.All and AdministrativeUnit.Read.All, Directory.ReadWrite.All
To create a new group in an administrative unit, the calling principal must be assigned at least one of the following Microsoft Entra roles at the scope of the administrative unit:
Groups Administrator
User Administrator
When these roles are assigned to a service principal, additional permissions are required to read the directory, such as assignment to the Directory Readers role, or having Microsoft Graph application permissions, such as Directory.Read.All.
HTTP request
The following request adds an existing user, group, or device to the administrative unit.
POST /administrativeUnits/{id}/members/$ref
The following request creates a new group within the administrative unit.
In the request body, provide the id of a user, group, device, or directoryObject to be added. If the administrative unit is a restricted management administrative unit (isMemberManagementRestricted=true), the group type must be a Microsoft Entra security group. Only non-unified groups that are security enabled, not mail enabled, and not on-premises sync enabled are supported.
Creating a new group
The following table shows the properties of the group resource to specify when you create a group in the administrative unit.
Property
Type
Description
displayName
string
The name to display in the address book for the group. Required.
description
string
A description for the group. Optional.
isAssignableToRole
Boolean
Set to true to enable the group to be assigned to a Microsoft Entra role. Privileged Role Administrator is the least privileged role to set the value of this property. Optional.
mailEnabled
Boolean
Set to true for mail-enabled groups. Required.
mailNickname
string
The mail alias for the group. These characters cannot be used in the mailNickName: @()\[]";:.<>,SPACE. Required.
securityEnabled
Boolean
Set to true for security-enabled groups, including Microsoft 365 groups. Required.
This property represents the members for the group at creation time. Optional.
visibility
String
Specifies the visibility of a Microsoft 365 group. Possible values are: Private, Public, HiddenMembership, or empty (which is interpreted as Public).
Response
If successful, adding an existing object (using $ref) returns 204 No Content response code. It doesn't return anything in the response body.
When creating a new group (without $ref), this method returns a 201 Created response code and a group object in the response body. The response includes only the default properties of the group. You must supply the "@odata.type" : "#microsoft.graph.group" line in the request body to explicitly identify the new member as a group. A request body without the correct @odata.type returns a 400 Bad Request error message.
Examples
Example 1: Add an existing user or group
The following will add an existing user or group to the administrative unit.
POST https://graph.microsoft.com/beta/administrativeUnits/{id}/members/$ref
Content-type: application/json
{
"@odata.id":"https://graph.microsoft.com/beta/groups/{id}"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ReferenceCreate
{
OdataId = "https://graph.microsoft.com/beta/groups/{id}",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.AdministrativeUnits["{administrativeUnit-id}"].Members.Ref.PostAsync(requestBody);
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
mgc-beta administrative-units members ref post --administrative-unit-id {administrativeUnit-id} --body '{\
"@odata.id":"https://graph.microsoft.com/beta/groups/{id}"\
}\
'
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/beta/groups/{id}"
requestBody.SetOdataId(&odataId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.AdministrativeUnits().ByAdministrativeUnitId("administrativeUnit-id").Members().Ref().Post(context.Background(), requestBody, nil)
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.ReferenceCreate referenceCreate = new com.microsoft.graph.beta.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/beta/groups/{id}");
graphClient.administrativeUnits().byAdministrativeUnitId("{administrativeUnit-id}").members().ref().post(referenceCreate);
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ReferenceCreate;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/beta/groups/{id}');
$graphServiceClient->administrativeUnits()->byAdministrativeUnitId('administrativeUnit-id')->members()->ref()->post($requestBody)->wait();
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
odata_id = "https://graph.microsoft.com/beta/groups/{id}",
)
await graph_client.administrative_units.by_administrative_unit_id('administrativeUnit-id').members.ref.post(request_body)
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
In the request body, provide the id of the user, group, or device object you want to add.
Response
The following example shows the response.
HTTP/1.1 204 No Content
Example 2: Create a new group
The following example creates a new group in the administrative unit. You must supply the "@odata.type" : "#microsoft.graph.group" line in the request body to explicitly identify the new member as a group. A request body without the correct @odata.type returns a 400 Bad Request error message.
POST https://graph.microsoft.com/beta/administrativeUnits/{id}/members
Content-type: application/json
{
"@odata.type": "#microsoft.graph.group",
"description": "Self help community for golf",
"displayName": "Golf Assist",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"mailNickname": "golfassist",
"securityEnabled": false
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new Group
{
OdataType = "#microsoft.graph.group",
Description = "Self help community for golf",
DisplayName = "Golf Assist",
GroupTypes = new List<string>
{
"Unified",
},
MailEnabled = true,
MailNickname = "golfassist",
SecurityEnabled = false,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.AdministrativeUnits["{administrativeUnit-id}"].Members.PostAsync(requestBody);
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
mgc-beta administrative-units members create --administrative-unit-id {administrativeUnit-id} --body '{\
"@odata.type": "#microsoft.graph.group",\
"description": "Self help community for golf",\
"displayName": "Golf Assist",\
"groupTypes": [\
"Unified"\
],\
"mailEnabled": true,\
"mailNickname": "golfassist",\
"securityEnabled": false\
}\
'
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewDirectoryObject()
description := "Self help community for golf"
requestBody.SetDescription(&description)
displayName := "Golf Assist"
requestBody.SetDisplayName(&displayName)
groupTypes := []string {
"Unified",
}
requestBody.SetGroupTypes(groupTypes)
mailEnabled := true
requestBody.SetMailEnabled(&mailEnabled)
mailNickname := "golfassist"
requestBody.SetMailNickname(&mailNickname)
securityEnabled := false
requestBody.SetSecurityEnabled(&securityEnabled)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
members, err := graphClient.AdministrativeUnits().ByAdministrativeUnitId("administrativeUnit-id").Members().Post(context.Background(), requestBody, nil)
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
Group directoryObject = new Group();
directoryObject.setOdataType("#microsoft.graph.group");
directoryObject.setDescription("Self help community for golf");
directoryObject.setDisplayName("Golf Assist");
LinkedList<String> groupTypes = new LinkedList<String>();
groupTypes.add("Unified");
directoryObject.setGroupTypes(groupTypes);
directoryObject.setMailEnabled(true);
directoryObject.setMailNickname("golfassist");
directoryObject.setSecurityEnabled(false);
DirectoryObject result = graphClient.administrativeUnits().byAdministrativeUnitId("{administrativeUnit-id}").members().post(directoryObject);
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Group;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Group();
$requestBody->setOdataType('#microsoft.graph.group');
$requestBody->setDescription('Self help community for golf');
$requestBody->setDisplayName('Golf Assist');
$requestBody->setGroupTypes(['Unified', ]);
$requestBody->setMailEnabled(true);
$requestBody->setMailNickname('golfassist');
$requestBody->setSecurityEnabled(false);
$result = $graphServiceClient->administrativeUnits()->byAdministrativeUnitId('administrativeUnit-id')->members()->post($requestBody)->wait();
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.group import Group
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Group(
odata_type = "#microsoft.graph.group",
description = "Self help community for golf",
display_name = "Golf Assist",
group_types = [
"Unified",
],
mail_enabled = True,
mail_nickname = "golfassist",
security_enabled = False,
)
result = await graph_client.administrative_units.by_administrative_unit_id('administrativeUnit-id').members.post(request_body)
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.