Skip to content

admin-units-members-remove.md

Latest commit

 

History

History
132 lines (80 loc) · 5.71 KB

admin-units-members-remove.md

File metadata and controls

132 lines (80 loc) · 5.71 KB
title Remove users, groups, or devices from an administrative unit
description Remove users, groups, or devices from an administrative unit in Microsoft Entra ID
ms.topic how-to
ms.date 01/03/2025
ms.reviewer anandy
ms.custom oldportal, it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done, sfi-image-nochange

Remove users, groups, or devices from an administrative unit

When users, groups, or devices in an administrative unit no longer need access, you can remove them.

Prerequisites

  • Microsoft Entra ID P1 or P2 license for each administrative unit administrator
  • Microsoft Entra ID Free licenses for administrative unit members
  • Privileged Role Administrator
  • Microsoft Graph PowerShell module when using PowerShell
  • Admin consent when using Graph Explorer for Microsoft Graph API

For more information, see Prerequisites to use PowerShell or Graph Explorer.

Admin center

You can remove users, groups, or devices from administrative units individually using the Microsoft Entra admin center. You can also remove users in a bulk operation.

Remove a single user, group, or device from administrative units

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Entra ID.

  3. Browse to one of the following:

    • Users > All users
    • Groups > All groups
    • Devices > All devices

  4. Select the user, group, or device you want to remove from an administrative unit.

  5. Select Administrative units.

  6. Add check marks next to the administrative units you want to remove the user, group, or device from.

  7. Select Remove from administrative unit.

    :::image type="content" source="./media/admin-units-members-remove/device-admin-unit-remove.png" alt-text="Screenshot of Devices and Administrative units page with Remove from administrative unit option." lightbox="./media/admin-units-members-remove/device-admin-unit-remove.png":::

Remove users, groups, or devices from a single administrative unit

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Entra ID > Roles & admins > Admin units.

  3. Select the administrative unit that you want to remove users, groups, or devices from.

  4. Select one of the following:

    • Users
    • Groups
    • Devices

  5. Add check marks next to the users, groups, or devices you want to remove.

  6. Select Remove member, Remove, or Remove device.

    :::image type="content" source="./media/admin-units-members-remove/admin-units-remove-user.png" alt-text="Screenshot showing a list of users in an administrative unit with check marks and a Remove member option." lightbox="./media/admin-units-members-remove/admin-units-remove-user.png":::

Remove users from an administrative unit in a bulk operation

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Entra ID > Roles & admins > Admin units.

  3. Select the administrative unit that you want to remove users from.

  4. Select Users > Bulk operations > Bulk remove members.

    :::image type="content" source="./media/admin-units-members-remove/bulk-user-remove.png" alt-text="Screenshot of Users page that shows the Bulk remove members link." lightbox="./media/admin-units-members-remove/bulk-user-remove.png":::

  5. In the Bulk remove members pane, download the comma-separated values (CSV) template.

  6. Edit the downloaded CSV template with the list of users you want to remove.

    Add one user principal name (UPN) in each row. Don't remove the first two rows of the template.

  7. Save your changes and upload the CSV file.

  8. Select Submit.

PowerShell

Use the Remove-MgDirectoryAdministrativeUnitMemberByRef command to remove users, groups, or devices from an administrative unit.

Remove users from an administrative unit

$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$userObj = Get-MgUser -Filter "UserPrincipalName eq '[email protected]'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $userObj.Id

Remove groups from an administrative unit

$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Test administrative unit 2'"
$groupObj = Get-MgGroup -Filter "DisplayName eq 'TestGroup'"
Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $groupObj.Id

Remove devices from an administrative unit

Remove-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $adminUnitObj.Id -DirectoryObjectId $deviceObj.Id

Graph API

Use the Remove a member API to remove users, groups, or devices from an administrative unit. For {member-id}, specify the user, group, or device ID.

DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{member-id}/$ref

Next steps