Administrative units in Microsoft Entra ID

This article describes administrative units in Microsoft Entra ID. An administrative unit is a Microsoft Entra resource that can be a container for other Microsoft Entra resources. An administrative unit can contain only users, groups, or devices.

Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region that they support. Note that if you assign a role to a user that is not a member of an administrative unit, the scope of the role is the entire tenant.

Users can be members of multiple administrative units. For example, you might add users to administrative units by geography and division; Megan Bowen might be in the "Seattle" and "Marketing" administrative units.

Deployment scenario

It can be useful to restrict administrative scope by using administrative units in organizations that are made up of independent divisions of any kind. Consider the example of a large university that's made up of many autonomous schools (School of Business, School of Engineering, and so on). Each school has a team of IT admins who control access, manage users, and set policies for their school.

A central administrator could:

  • Create an administrative unit for the School of Business.
  • Populate the administrative unit with only students and staff within the School of Business.
  • Create a role with administrative permissions over only Microsoft Entra users in the School of Business administrative unit.
  • Add the business school IT team to the role, along with its scope.

Screenshot of Devices and Administrative units page with Remove from administrative unit option.

Constraints

Here are some of the constraints for administrative units.

Groups

Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).

For example, a User Administrator scoped to an administrative unit that contains a group can and can't do the following:

Permissions Can do
Manage the name of the group
Manage the membership of the group
Manage the user properties for individual members of the group
Manage the user authentication methods of individual members of the group
Reset the passwords of individual members of the group

In order for the User Administrator to manage the user properties or user authentication methods of individual members of the group, the group members (users) must be added directly as members of the administrative unit.

License requirements

Using administrative units requires a Microsoft Entra ID P1 license for each administrative unit administrator who is assigned directory roles over the scope of the administrative unit, and a Microsoft Entra ID Free license for each administrative unit member. Creating administrative units is available with a Microsoft Entra ID Free license. If you are using rules for dynamic membership groups for administrative units, each administrative unit member requires a Microsoft Entra ID P1 license. To find the right license for your requirements, see Comparing generally available features of the Free and Premium editions.

Manage administrative units

You can manage administrative units by using the Microsoft Entra admin center, PowerShell cmdlets and scripts, or Microsoft Graph API. For more information, see:

Plan your administrative units

You can use administrative units to logically group Microsoft Entra resources. An organization whose IT department is scattered globally might create administrative units that define relevant geographical boundaries. In another scenario, where a global organization has suborganizations that are semi-autonomous in their operations, administrative units could represent the suborganizations.

The criteria on which administrative units are created are guided by the unique requirements of an organization. Administrative units are a common way to define structure across Microsoft 365 services. We recommend that you prepare your administrative units with their use across Microsoft 365 services in mind. You can get maximum value out of administrative units when you can associate common resources across Microsoft 365 under an administrative unit.

You can expect the creation of administrative units in the organization to go through the following stages:

  1. Initial adoption: Your organization will start creating administrative units based on initial criteria, and the number of administrative units will increase as the criteria are refined.
  2. Pruning: After the criteria are defined, administrative units that are no longer required will be deleted.
  3. Stabilization: Your organizational structure is defined, and the number of administrative units isn't going to change significantly in the short term.

Currently supported scenarios

As a Privileged Role Administrator, you can use the Microsoft Entra admin center to:

  • Create administrative units
  • Add users, groups, or devices as members of administrative units
  • Manage users or devices for an administrative unit with rules for dynamic membership groups (Preview)
  • Assign IT staff to administrative unit-scoped administrator roles.

Administrative unit-scoped admins can use the Microsoft 365 admin center for basic management of users in their administrative units. A group administrator with administrative unit scope can manage groups by using PowerShell, Microsoft Graph, and the Microsoft 365 admin centers.

Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their default user permissions to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Microsoft Entra admin center, PowerShell, and other Microsoft services.

Note

Only the features described in this section are available in the Microsoft 365 admin center. No organization-level features are available for a Microsoft Entra role with administrative unit scope.

The following sections describe current support for administrative unit scenarios.

Administrative unit management

Permissions Microsoft Graph/PowerShell Microsoft Entra admin center Microsoft 365 admin center
Create or delete administrative units
Add or remove members
Assign administrative unit-scoped administrators
Add or remove users or devices dynamically based on rules (Preview)
Add or remove groups dynamically based on rules

User management

Permissions Microsoft Graph/PowerShell Microsoft Entra admin center Microsoft 365 admin center
Administrative unit-scoped management of user properties, passwords
Administrative unit-scoped management of user licenses
Administrative unit-scoped blocking and unblocking of user sign-ins
Administrative unit-scoped management of user multifactor authentication credentials

Group management

Permissions Microsoft Graph/PowerShell Microsoft Entra admin center Microsoft 365 admin center
Administrative unit-scoped creation and deletion of groups
Administrative unit-scoped management of group properties and membership for Microsoft 365 groups
Administrative unit-scoped management of group properties and membership for all other groups
Administrative unit-scoped management of group licensing

Device management

Permissions Microsoft Graph/PowerShell Microsoft Entra admin center Microsoft 365 admin center
Enable, disable, or delete devices
Read BitLocker recovery keys

Managing devices in Intune is not supported at this time.

Next steps