Remove users, groups, or devices from an administrative unit
When users, groups, or devices in an administrative unit no longer need access, you can remove them.
Prerequisites
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- Privileged Role Administrator
- Microsoft Graph PowerShell module when using PowerShell
- Admin consent when using Graph Explorer for Microsoft Graph API
For more information, see Prerequisites to use PowerShell or Graph Explorer.
Microsoft Entra admin center
You can remove users, groups, or devices from administrative units individually using the Microsoft Entra admin center. You can also remove users in a bulk operation.
Remove a single user, group, or device from administrative units
Tip
Steps in this article might vary slightly based on the portal you start from.
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity.
Browse to one of the following:
- Users > All users
- Groups > All groups
- Devices > All devices
Select the user, group, or device you want to remove from an administrative unit.
Select Administrative units.
Add check marks next to the administrative units you want to remove the user, group, or device from.
Select Remove from administrative unit.
Remove users, groups, or devices from a single administrative unit
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit that you want to remove users, groups, or devices from.
Select one of the following:
- Users
- Groups
- Devices
Add check marks next to the users, groups, or devices you want to remove.
Select Remove member, Remove, or Remove device.
Remove users from an administrative unit in a bulk operation
Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.
Browse to Identity > Roles & admins > Admin units.
Select the administrative unit that you want to remove users from.
Select Users > Bulk operations > Bulk remove members.
In the Bulk remove members pane, download the comma-separated values (CSV) template.
Edit the downloaded CSV template with the list of users you want to remove.
Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.
Save your changes and upload the CSV file.
Select Submit.
PowerShell
Use the Remove-MgDirectoryAdministrativeUnitMemberByRef command to remove users, groups, or devices from an administrative unit.
Remove users from an administrative unit
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$userObj = Get-MgUser -Filter "UserPrincipalName eq '[email protected]'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $userObj.Id
Remove groups from an administrative unit
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$groupObj = Get-MgGroup -Filter "DisplayName eq 'TestGroup'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $groupObj.Id
Remove devices from an administrative unit
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $deviceObj.Id
Microsoft Graph API
Use the Remove a member API to remove users, groups, or devices from an administrative unit. For {member-id}
, specify the user, group, or device ID.
Remove users, groups, or devices from an administrative unit
DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{member-id}/$ref