If you have been using the Microsoft Graph API to add or modify users in Azure Active Directory (Azure AD), you may have noticed that a newly created user lives alongside every other user in the tenant, many of which may have nothing to do with your application. Ideally you want something like a sub-directory or business unit. Fortunately, there are ways to segment users more practically. There are currently two: Groups and Administrative Units.

GROUPS

Groups are straightforward and the name says it all. You can create a basic group in the Azure AD portal. See here for detailed instructions on how to create a basic group and add members.

ADMINISTRATIVE UNITS

An administrative unit is an Azure AD resource that can act as a container for other Azure AD resources. In this preview release, those resources can only be users. For example, a User account administrator scoped to an administrative unit can update profile information, reset passwords, and assign licenses only for users in that administrative unit.

You can use administrative units to delegate administrative permissions over subsets of users and to apply policies to a subset of users, for example to delegate permissions to regional administrators or to set policy at a granular level. Note that placing users in an administrative unit does not by itself change what any administrator can do; the restriction comes from assigning the administrative role scoped to that unit rather than tenant-wide.

Check out these demo scripts to help get you started, and the MS Graph API administrativeUnit resource type. You can find more information about Administrative Units here.

NOTE:

ADMINISTRATIVE UNITS ARE CURRENTLY IN PREVIEW AND CAN ONLY BE MANAGED VIA POWERSHELL CMDLETS OR THE MS GRAPH BETA REST ENDPOINT AT THE MOMENT.
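The full procedure described above (create the unit, add existing users to it, delegate a directory role scoped to that unit, then confirm the membership) against the MS Graph beta endpoint, as an added example that is not part of the original post or of Microsoft's demo scripts. It assumes a bearer token obtained elsewhere (for example via the client-credentials flow) that carries AdministrativeUnit.ReadWrite.All, plus RoleManagement.ReadWrite.Directory for the scoped role assignment; the AU name, user ids and role id below are placeholders. The roleId must be the object id of a directoryRole already activated in the tenant (GET /beta/directoryRoles), not the role template id. The HTTP transport is injected so the flow can be exercised offline against a fake sender.

```python
"""Segment users into an Azure AD administrative unit over the Graph beta REST API.

Added example, not the original post's code. Assumptions: a valid bearer token is
supplied by the caller; ids passed in are placeholders; the beta endpoint paths
match the administrativeUnit resource documented for MS Graph beta.
"""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"


def create_au_request(display_name, description):
    """POST that creates the administrative unit (the container itself)."""
    return ("POST", f"{GRAPH_BETA}/administrativeUnits",
            {"displayName": display_name, "description": description})


def add_member_request(au_id, user_id):
    """POST that places an existing user inside the AU.
    The body is an OData reference to the user, not a user object."""
    return ("POST", f"{GRAPH_BETA}/administrativeUnits/{au_id}/members/$ref",
            {"@odata.id": f"{GRAPH_BETA}/users/{user_id}"})


def scoped_role_request(au_id, directory_role_id, admin_user_id):
    """POST that grants directory_role_id to admin_user_id scoped to this AU only.
    directory_role_id is the object id of an activated directoryRole."""
    return ("POST", f"{GRAPH_BETA}/administrativeUnits/{au_id}/scopedRoleMembers",
            {"roleId": directory_role_id, "roleMemberInfo": {"id": admin_user_id}})


def list_members_request(au_id):
    """GET that lists the AU's current members, used to verify the result."""
    return ("GET", f"{GRAPH_BETA}/administrativeUnits/{au_id}/members", None)


def graph_transport(token):
    """Real transport: returns send(method, url, body) -> parsed JSON (or {})."""
    def send(method, url, body):
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(
            url, method=method, data=data,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def segment_users(send, display_name, description, user_ids,
                  directory_role_id=None, admin_user_id=None):
    """Create the AU, add every user, and optionally delegate a role scoped to it.

    Returns the id of the new administrative unit. Fails fast if the create
    call did not hand back an id, so members are never attached to a unit
    that does not exist.
    """
    au = send(*create_au_request(display_name, description))
    au_id = au.get("id")
    if not au_id:
        raise RuntimeError(f"administrativeUnit create returned no id: {au!r}")
    for user_id in user_ids:
        send(*add_member_request(au_id, user_id))
    if directory_role_id and admin_user_id:
        send(*scoped_role_request(au_id, directory_role_id, admin_user_id))
    return au_id


def verify_membership(send, au_id, expected_user_ids):
    """True only if every expected user is now a member of the AU.
    Checks a single page of results; follow @odata.nextLink for large units."""
    page = send(*list_members_request(au_id))
    present = {m.get("id") for m in page.get("value", [])}
    return set(expected_user_ids) <= present


if __name__ == "__main__":
    # Placeholders: replace with a real token and real object ids from your tenant.
    send = graph_transport("<bearer-token>")
    au_id = segment_users(send, "West Region", "Users managed by the west regional admin",
                          ["<user-object-id-1>", "<user-object-id-2>"],
                          directory_role_id="<directoryRole-object-id>",
                          admin_user_id="<regional-admin-object-id>")
    print("created", au_id, "members ok:",
          verify_membership(send, au_id, ["<user-object-id-1>", "<user-object-id-2>"]))
```

The member and role calls are kept as request builders separate from the transport so the exact URL and body can be inspected or logged before anything touches the tenant; the same builders work against v1.0 once administrative units leave preview by changing the base path (`/directory/administrativeUnits` there rather than `/administrativeUnits`).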
