Microsoft Entra ID is a cloud-based identity and access management service that helps you manage users, groups, devices, and applications across your organization. With Microsoft Entra ID, you can assign roles to users or groups that grant them permissions to perform specific tasks or access certain resources.
One of the features of Microsoft Entra ID is the ability to create and manage administrative units. An administrative unit is a container for other Microsoft Entra resources, such as users, groups, or devices. You can use administrative units to delegate management scope to different teams or regions within your organization.
In this article, we will show you how to manage administrative units in Microsoft Entra ID with PowerShell. You will learn how to create, delete, list, and update administrative units using PowerShell cmdlets and scripts.
What are Administrative Units?
Administrative units are a way of organizing Microsoft Entra resources into logical groups that have their own management scope. For example, you can create an administrative unit for each department or division within your organization and add the users or groups from that department or division as members of the administrative unit.
By using administrative units, you can apply role-based access control (RBAC) policies to specific portions of your organization that you define. For example, you can assign the Helpdesk Administrator role to regional support specialists who only need to manage users in their region.
Administrative units have some limitations and constraints that you should be aware of:
- Administrative units cannot be nested. That means you cannot create an administrative unit inside another administrative unit.
- Administrative units are not available in Microsoft Entra ID Governance.
- Adding a group to an administrative unit does not bring the group itself into the management scope of the administrative unit. Only the members of the group are added as members of the administrative unit.
- Permissions granted by roles over an administrative unit are limited by the permissions granted by roles over individual members of the group.
How to Create Administrative Units
To create an administrative unit in Microsoft Entra ID with PowerShell, follow these steps:
- Connect to Microsoft Graph PowerShell using Connect-MgGraph.
- Run the New-AzureADAdministrativeUnit cmdlet with the -DisplayName parameter set to a name for your new administrative unit.
- Optionally, run the Add-MgDirectoryRoleMember cmdlet with the -ObjectId parameter set to a role object ID and the -RefObjectId parameter set to a user or group object ID that you want to add as a member of your new administrative unit.
- Optionally, run the Set-MgDirectoryRoleTemplate cmdlet with the -TemplateId parameter set to a role template ID that defines additional permissions for your new role over your new administrative unit.
For example, to create an administrative unit named “Sales” and add two users as members, you can run these commands:
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory"
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Sales" -Description "A sales team"
# Add each user as a member by object reference; replace the placeholders with real user object IDs
foreach ($userId in "<user-1-object-id>", "<user-2-object-id>") {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$userId" }
}
# Scope a directory role to the unit; <role-id> is the role's object ID from Get-MgDirectoryRole, <admin-object-id> is the delegate
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{ roleId = "<role-id>"; roleMemberInfo = @{ id = "<admin-object-id>" } }
You should see something like this:
Name : Sales
Description : A sales team
CreatedDateTime : 2023-10-25T12:34:56Z
ObjectID : 12345678-1234-1234-1234-123456789012
ParentObjectID : null
Members : {a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6}
Roles : {a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6}
Templates : {a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6}
You have successfully created an administrative unit named “Sales”.
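The following script is an added example, not code from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK cmdlets (Microsoft.Graph.Identity.DirectoryManagement module) to carry the whole procedure through in one idempotent run: it creates the administrative unit only if one with that name does not already exist, adds members without duplicating existing ones, delegates the Helpdesk Administrator role scoped to that unit rather than tenant-wide, and finishes by listing the scoped role assignments so the delegation can be reviewed. All object IDs are placeholders that you must replace with values from your tenant.

```powershell
# Added example (not from the original article): create an administrative unit, add members,
# delegate Helpdesk Administrator scoped to that unit only, then audit the result.
# Assumes the Microsoft.Graph PowerShell SDK is installed; the object IDs below are placeholders.

$AuName     = "Sales"
$MemberIds  = @("<user-object-id-1>", "<user-object-id-2>")   # users to be managed inside the unit
$DelegateId = "<helpdesk-user-object-id>"                     # regional support specialist

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Reuse an existing unit with the same display name instead of creating a duplicate
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$AuName'"
if (-not $au) {
    $au = New-MgDirectoryAdministrativeUnit -DisplayName $AuName -Description "Sales department scope"
}

# Add members by object reference; skip any that are already present
$existing = (Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All).Id
foreach ($id in $MemberIds) {
    if ($existing -contains $id) { continue }
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/users/$id"
    }
}

# Resolve the activated Helpdesk Administrator role object; activate it from its template if the tenant has never used it
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Helpdesk Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Scope the role to this unit only (least privilege), rather than assigning it across the whole tenant
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{
    roleId         = $role.Id
    roleMemberInfo = @{ id = $DelegateId }
}

# Audit: list who holds which role over this unit so the delegation can be reviewed
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id |
    ForEach-Object {
        [pscustomobject]@{
            Unit       = $au.DisplayName
            RoleId     = $_.RoleId
            Assignee   = $_.RoleMemberInfo.DisplayName
            AssigneeId = $_.RoleMemberInfo.Id
        }
    } | Format-Table -AutoSize
```

The final listing is the part worth keeping in a scheduled job: comparing its output against an expected set of unit-scoped assignments is a cheap way to detect a delegation that has drifted from "support staff manage only their region" to something broader.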