Remove users, groups, or devices from an administrative unit

When users, groups, or devices in an administrative unit no longer need access, you can remove them.

Prerequisites

  • Microsoft Entra ID P1 or P2 license for each administrative unit administrator
  • Microsoft Entra ID Free licenses for administrative unit members
  • Privileged Role Administrator
  • Microsoft Graph PowerShell module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Microsoft Entra admin center

You can remove users, groups, or devices from administrative units individually using the Microsoft Entra admin center. You can also remove users in a bulk operation.

Remove a single user, group, or device from administrative units

Tip

Steps in this article might vary slightly based on the portal you start from.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity.

  3. Browse to one of the following:

    • Users > All users
    • Groups > All groups
    • Devices > All devices
  4. Select the user, group, or device you want to remove from an administrative unit.

  5. Select Administrative units.

  6. Add check marks next to the administrative units you want to remove the user, group, or device from.

  7. Select Remove from administrative unit.

    Screenshot of Devices and Administrative units page with Remove from administrative unit option.

Remove users, groups, or devices from a single administrative unit

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Admin units.

  3. Select the administrative unit that you want to remove users, groups, or devices from.

  4. Select one of the following:

    • Users
    • Groups
    • Devices
  5. Add check marks next to the users, groups, or devices you want to remove.

  6. Select Remove member, Remove, or Remove device.

    Screenshot showing a list users in an administrative unit with check marks and a Remove member option.

Remove users from an administrative unit in a bulk operation

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Admin units.

  3. Select the administrative unit that you want to remove users from.

  4. Select Users > Bulk operations > Bulk remove members.

    Screenshot showing the "Bulk remove members" link on the "Users" pane.

  5. In the Bulk remove members pane, download the comma-separated values (CSV) template.

  6. Edit the downloaded CSV template with the list of users you want to remove.

    Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.

  7. Save your changes and upload the CSV file.

  8. Select Submit.

PowerShell

Use the Remove-MgDirectoryAdministrativeUnitMemberByRef command to remove users, groups, or devices from an administrative unit.

Remove users from an administrative unit

$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$userObj = Get-MgUser -Filter "UserPrincipalName eq '[email protected]'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $userObj.Id

Remove groups from an administrative unit

$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$groupObj = Get-MgGroup -Filter "DisplayName eq 'TestGroup'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $groupObj.Id

Remove devices from an administrative unit

Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $deviceObj.Id

Microsoft Graph API

Use the Remove a member API to remove users, groups, or devices from an administrative unit. For {member-id}, specify the user, group, or device ID.

Remove users, groups, or devices from an administrative unit

DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{member-id}/$ref

Next steps