Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph
An administrative unit provides a conceptual container for user, group, and device directory objects. With administrative units, a company administrator can now delegate administrative responsibilities to manage the users, groups, and devices contained within or scoped to an administrative unit to a regional or departmental administrator. For more information about administrative units, see Administrative units in Microsoft Entra ID.
This resource is an open type that allows other properties to be passed in.
This resource supports:
- Adding your own data to custom properties as extensions.
- Using delta query to track incremental additions, deletions, and updates, by providing a delta function.
- OData query capabilities including $select,$filter,$search, and$top. Specific usages are supported only with Advanced query capabilities.
Methods
| Method | Return Type | Description | 
|---|---|---|
| Create | administrativeUnit | Create a new administrative unit. | 
| List | administrativeUnit collection | List properties of all administrativeUnits. | 
| Get | administrativeUnit | Read properties and relationships of a specific administrativeUnit object. | 
| Update | administrativeUnit | Update administrativeUnit object. | 
| Delete | None | Delete administrativeUnit object. | 
| Memberships | ||
| Add member | directoryObject | Add a member (user, group, or device). | 
| List members | directoryObject collection | Get the list of (user, group, or device) members. | 
| Get member | directoryObject | Get a specific member. | 
| Remove member | directoryObject | Remove a member. | 
| Role assignments | ||
| List role assignments with scope | scopedRoleMembership collection | List Microsoft Entra role assignments with administrative unit scope. | 
| Assign role with scope | scopedRoleMembership | Assign a Microsoft Entra role with administrative unit scope. | 
| Get role assignment with scope | scopedRoleMembership | Get a Microsoft Entra role assignment with administrative unit scope. | 
| Remove role assignment with scope | scopedRoleMembership | Remove a Microsoft Entra role assignment with administrative unit scope. | 
| Deleted items | ||
| List | directoryObject collection | Retrieve a list of recently deleted administrative units from a collection of directory objects. | 
| Get | directoryObject | Retrieve the properties of a recently deleted administrative unit object. | 
| Restore | directoryObject | Restore a recently deleted administrative unit object. | 
Properties
Important
Specific usage of $filter and the $search query parameter is supported only when you use the ConsistencyLevel header set to eventual and $count. For more information, see Advanced query capabilities on directory objects.
| Property | Type | Description | 
|---|---|---|
| description | String | An optional description for the administrative unit. Supports $filter(eq,ne,in,startsWith),$search. | 
| displayName | String | Display name for the administrative unit. Maximum length is 256 characters. Supports $filter(eq,ne,not,ge,le,in,startsWith, andeqonnullvalues),$search, and$orderby. | 
| id | String | Unique identifier for the administrative unit. Read-only. Supports $filter(eq). | 
| isMemberManagementRestricted | Boolean | trueif members of this administrative unit should be treated as sensitive, which requires specific permissions to manage. If not set, the default value isnulland the default behavior is false. Use this property to define administrative units with roles that don't inherit from tenant-level administrators, and where the management of individual member objects is limited to administrators scoped to a restricted management administrative unit. This property is immutable and can't be changed later.For more information on how to work with restricted management administrative units, see Restricted management administrative units in Microsoft Entra ID. | 
| membershipRule | String | The dynamic membership rule for the administrative unit. For more information about the rules you can use for dynamic administrative units and dynamic groups, see Manage rules for dynamic membership groups in Microsoft Entra ID. | 
| membershipRuleProcessingState | String | Controls whether the dynamic membership rule is actively processed. Set to Onto activate the dynamic membership rule, orPausedto stop updating membership dynamically. | 
| membershipType | String | Indicates the membership type for the administrative unit. The possible values are: dynamic,assigned. If not set, the default value isnulland the default behavior is assigned. | 
| visibility | String | Controls whether the administrative unit and its members are hidden or public. Can be set to HiddenMembership. If not set, the default value isnulland the default behavior is public. When set toHiddenMembership, only members of the administrative unit can list other members of the administrative unit. | 
Tip
Directory extensions and associated data are returned by default while schema extensions and associated data returned only on $select.
Relationships
| Relationship | Type | Description | 
|---|---|---|
| members | directoryObject collection | Users and groups that are members of this administrative unit. Supports $expand. | 
| extensions | extension collection | The collection of open extensions defined for this administrative unit. Nullable. | 
| scopedRoleMembers | scopedRoleMembership collection | Scoped-role members of this administrative unit. | 
JSON representation
The following JSON representation shows the resource type.
{
  "description": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "isMemberManagementRestricted": "Boolean",
  "membershipRule": "String",
  "membershipRuleProcessingState": "String",
  "membershipType": "String",
  "visibility": "String"
}