---
title: List users, groups, or devices in an administrative unit
description: List users, groups, or devices in an administrative unit in Microsoft Entra ID.
author: rolyon
manager: amycolannino
ms.service: entra-id
ms.topic: how-to
ms.subservice: role-based-access-control
ms.date: 06/09/2023
ms.author: rolyon
ms.reviewer: anandy
ms.custom: oldportal, it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
---

# List users, groups, or devices in an administrative unit
In Microsoft Entra ID, you can list the users, groups, or devices in administrative units.

## Prerequisites

- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- Microsoft Graph PowerShell SDK installed when using PowerShell
- Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.
## Microsoft Entra admin center

You can list the users, groups, or devices in administrative units using the Microsoft Entra admin center.

[!INCLUDE portal updates]

### List administrative units for a user, group, or device

1. Sign in to the Microsoft Entra admin center.
1. Browse to Identity.
1. Browse to one of the following:
   - Users > All users
   - Groups > All groups
   - Devices > All devices
1. Select the user, group, or device whose administrative units you want to list.
1. Select Administrative units to list all the administrative units where the user, group, or device is a member.
### List users, groups, or devices for an administrative unit

1. Sign in to the Microsoft Entra admin center.
1. Browse to Identity > Roles & admins > Admin units.
1. Select the administrative unit that you want to list the users, groups, or devices for.
1. Select one of the following:
   - Users
   - Groups
   - Devices
Sign in to the Microsoft Entra admin center.
-
Browse to Identity > Devices > All devices.
-
Select the filter for administrative unit.
-
Select the administrative unit whose devices you want to list.
-
Sign in to the Microsoft Entra admin center.
-
Browse to Identity.
-
Browse to one of the following:
- Users > All users
- Groups > All groups
-
Select the user or group you want to list their restricted management administrative units.
-
Select Administrative units to list all the administrative units where the user or group is a member.
-
In the Restricted management column, look for administrative units that are set to Yes.
## PowerShell

Use the `Get-MgDirectoryAdministrativeUnit` and `Get-MgDirectoryAdministrativeUnitMember` commands to list users, groups, or devices for an administrative unit.

> [!NOTE]
> By default, `Get-MgDirectoryAdministrativeUnitMember` returns only the first page of members of an administrative unit, so a membership check that omits paging can miss members. To retrieve all members, add the `-All:$true` parameter.
### List administrative units for a user

```powershell
$userObj = Get-MgUser -Filter "UserPrincipalName eq 'bill@example.com'"
# Keep only the administrative units whose (fully paged) member list contains the user
Get-MgDirectoryAdministrativeUnit -All |
    Where-Object { Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $_.Id -All |
        Where-Object { $_.Id -eq $userObj.Id } }
```

### List administrative units for a group

```powershell
$groupObj = Get-MgGroup -Filter "DisplayName eq 'TestGroup'"
Get-MgDirectoryAdministrativeUnit -All |
    Where-Object { Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $_.Id -All |
        Where-Object { $_.Id -eq $groupObj.Id } }
```

### List administrative units for a device

```powershell
$deviceObj = Get-MgDevice -Filter "DisplayName eq 'Test device'"
Get-MgDirectoryAdministrativeUnit -All |
    Where-Object { Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $_.Id -All |
        Where-Object { $_.Id -eq $deviceObj.Id } }
```

### List users, groups, or devices for an administrative unit

```powershell
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $adminUnitObj.Id -All
```

### List groups for an administrative unit

```powershell
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
foreach ($member in (Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $adminUnitObj.Id -All))
{
    # Members are returned as directoryObject; the concrete type is only in @odata.type
    if ($member.AdditionalProperties."@odata.type" -eq "#microsoft.graph.group")
    {
        Get-MgGroup -GroupId $member.Id
    }
}
```

### List devices for an administrative unit

```powershell
$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
foreach ($member in (Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $adminUnitObj.Id -All))
{
    # Same @odata.type check as for groups; AdditionalProperties has no ObjectType key
    if ($member.AdditionalProperties."@odata.type" -eq "#microsoft.graph.device")
    {
        Get-MgDevice -DeviceId $member.Id
    }
}
```
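Added example, not code from the original article: a single pass over every administrative unit with `-All` on both cmdlets that produces a per-unit member count by type and a lookup table answering "which administrative units is this object in?" without re-querying every unit for each object as the loops above do. It assumes `Connect-MgGraph` has already been run with permission to read administrative units; the function name and `bill@example.com` are illustrative.

```powershell
# Added example (not from the original article). Assumes Connect-MgGraph has been
# run with a scope that can read administrative units and their members.
function Get-AdminUnitMembershipMap {
    $map = @{}   # object id -> list of administrative unit display names
    $report = foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
        # -All follows @odata.nextLink; without it only the first page is returned
        $members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
        $counts = @{ user = 0; group = 0; device = 0 }
        foreach ($m in $members) {
            # Members are directoryObject; the concrete type lives only in @odata.type
            $type = ($m.AdditionalProperties.'@odata.type' -replace '^#microsoft\.graph\.', '')
            if ($counts.ContainsKey($type)) { $counts[$type]++ }
            if (-not $map.ContainsKey($m.Id)) {
                $map[$m.Id] = [System.Collections.Generic.List[string]]::new()
            }
            $map[$m.Id].Add($au.DisplayName)
        }
        [pscustomobject]@{
            AdministrativeUnit = $au.DisplayName
            Id                 = $au.Id
            Users              = $counts.user
            Groups             = $counts.group
            Devices            = $counts.device
        }
    }
    [pscustomobject]@{ Report = $report; MembershipMap = $map }
}

$result = Get-AdminUnitMembershipMap
$result.Report | Sort-Object Users -Descending | Format-Table -AutoSize

# Which administrative units is a given user in? One hashtable lookup instead of
# re-querying every administrative unit. The UPN is a placeholder.
$user = Get-MgUser -Filter "UserPrincipalName eq 'bill@example.com'"
if ($user -and $result.MembershipMap.ContainsKey($user.Id)) {
    $result.MembershipMap[$user.Id]
} else {
    "User not found or not a member of any administrative unit"
}
```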
## Microsoft Graph API

### List administrative units for a user

Use the user List memberOf API to list the administrative units a user is a direct member of.

```http
GET https://graph.microsoft.com/v1.0/users/{user-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit
```

### List administrative units for a group

Use the group List memberOf API to list the administrative units a group is a direct member of.

```http
GET https://graph.microsoft.com/v1.0/groups/{group-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit
```

### List administrative units for a device

Use the List device memberships API to list the administrative units a device is a direct member of.

```http
GET https://graph.microsoft.com/v1.0/devices/{device-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit
```

### List users, groups, or devices for an administrative unit

Use the List members API to list the users, groups, or devices for an administrative unit. For member type, specify `microsoft.graph.user`, `microsoft.graph.group`, or `microsoft.graph.device`.

```http
GET https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/$/microsoft.graph.group
```
### Determine whether a user is in a restricted management administrative unit

Use the Get a user (beta) API to determine whether a user is in a restricted management administrative unit. Look at the value of the `isManagementRestricted` property. If the property is `true`, the user is in a restricted management administrative unit. If the property is `false`, empty, or null, the user is not in a restricted management administrative unit.

```http
GET https://graph.microsoft.com/beta/users/{user-id}
```

Response

```json
{
  "displayName": "John",
  "isManagementRestricted": true,
  "userPrincipalName": "john@contoso.com"
}
```
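Added example, not part of the original article, that drives the two REST calls above through `Invoke-MgGraphRequest`: it follows `@odata.nextLink` so a user in more than one page of administrative units is reported completely, and it normalizes the beta-only `isManagementRestricted` value so that `false`, empty, and null all read as not restricted. It assumes `Connect-MgGraph` has been run with permission to read users and administrative units; the function name and the all-zero user id are placeholders.

```powershell
# Added example (not from the original article). Assumes Connect-MgGraph has been
# run with a scope that can read users and administrative units.
function Get-UserAdminUnitStatus {
    param([Parameter(Mandatory)][string]$UserId)

    # Same cast path as the v1.0 memberOf call on this page; only administrativeUnit
    # objects are returned, and results may span several pages.
    $uri = "https://graph.microsoft.com/v1.0/users/${UserId}/memberOf/`$/Microsoft.Graph.AdministrativeUnit"
    $units = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($u in $page.value) {
            $units.Add([pscustomobject]@{ Id = $u.id; DisplayName = $u.displayName })
        }
        $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }

    # isManagementRestricted is only exposed on the beta user resource. true means the
    # user is in a restricted management administrative unit; false, empty or null do not.
    $user = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/beta/users/${UserId}?`$select=id,userPrincipalName,isManagementRestricted"
    $restricted = ($user.isManagementRestricted -eq $true)

    [pscustomobject]@{
        UserPrincipalName      = $user.userPrincipalName
        AdministrativeUnits    = $units
        IsManagementRestricted = $restricted
    }
}

# Placeholder id: replace with a real user object id or user principal name.
$status = Get-UserAdminUnitStatus -UserId '00000000-0000-0000-0000-000000000000'
$status | Format-List
$status.AdministrativeUnits | Format-Table -AutoSize
```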