Administrative units in Azure AD

Administrative units in Azure AD

Administrative units in Azure Active Directory

Administrative units is an Azure AD features. She contains only users, groups or devices and permit to restrict permissions in a role. One user can be members of multiple administrative units(by division and country for example.


The administrative units can’t be nested. Administrators of user accounts in the administrative unit are unable to create or delete user accounts. Adding a group to an administrative unit adds it to the administrative unit’s management perimeter. The member of the group are not added to this perimeter. It will therefore be possible for an administrator scoped to administrative units to perform only the following operations

  • Manage the name of the group
  • Manage the membership of the group

Administrative units requires an Azure AD P1 license for each administrative unit administrator. Each administrative unit member must be hve an Azure AD free license.

Manage administrative units

Administrative units can be managing with Azure Portal, Powershell CmdLets , Scripts or Microsoft Graph API.

Create administrative units

For create administrative units, the license must be assigned to the administrative unit administrator (Azure AD P1) and to the members (Azure AD free). The role Privileged Role Administrator or Global Administrator is a prerequisites for create administrative units.

From the Azure portal, select Azure Active Directory then Administrative units. Click on Add to add new Administrative units.

Select Administrative units

Enter the name then click on Next.

Enter the name of the Administrative units

Select the desired roles then add the desired User Administrator. Click on Add then on Review + Create.

Selet Azure ad users

Administrative Units is created.

Administrative units is created

Add Azure AD object

Select the desired Administrative unit then click on the desired objects types (Users, Groups or Devices) then click on Add member. I choose the User administrator roles, so i add user account.

add member

Select the desired object then click on Select. The object has been added.

Add desired users

Add administrator of Administrative unit

From the Azure AD portal, click on Azure Active Directory then on Roles and administrators. Select the desired role.

Select the desired roles

Click on Add assignments in the central blade.

Add assignements

Select Administrative unit in Scope type then select a user.

Select Administrative unit in scope type

Click on No scope selected then select the desired Administrative unit.

Choose the scope

Account has been added.

Test Administrative unit

We can now test the administrative units. I used my user account for connect to the Azure AD portal. This user has no administrative right. He is only administrator user of the administrative unit.

User is only administrator of administrative unit

User has no right on the devices blade.

no permission in the device blade

I try to edit properties for one user that is not on the scope of the administrative unit. The user modify the properties.

I cant edit properties

If I try to edit properties to the user in the scope. The operation can be processed.

action can be processed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.