AdministrativeUnit.ReadWrite.All
Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user.
Permission Details
| Display name | Description | ID |
|---|---|---|
| Read and write all administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. | 5eb59dd3-1da2-4329-8733-9dabdc435916 |
| Read and write administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | 7b8a2d34-6b3f-4542-a343-54651608ad81 |
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| description | String (nullable) | An optional description for the administrative unit. Supports $filter (eq, ne, in, startsWith), $search. |
| displayName | String (nullable) | Display name for the administrative unit. Maximum length is 256 characters. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| id | String | Unique identifier for the administrative unit. Read-only. Supports $filter (eq). |
| isMemberManagementRestricted | Boolean (nullable) | true if members of this administrative unit should be treated as sensitive, which requires specific permissions to manage. If not set, the default value is null and the default behavior is false. Use this property to define administrative units with roles that don't inherit from tenant-level administrators, and where the management of individual member objects is limited to administrators scoped to a restricted management administrative unit. This property is immutable and can't be changed later. For more information on how to work with restricted management administrative units, see Restricted management administrative units in Microsoft Entra ID. |
| membershipRule | String (nullable) | The dynamic membership rule for the administrative unit. For more information about the rules you can use for dynamic administrative units and dynamic groups, see Manage rules for dynamic membership groups in Microsoft Entra ID. |
| membershipRuleProcessingState | String (nullable) | Controls whether the dynamic membership rule is actively processed. Set to On to activate the dynamic membership rule, or Paused to stop updating membership dynamically. |
| membershipType | String (nullable) | Indicates the membership type for the administrative unit. The possible values are: dynamic, assigned. If not set, the default value is null and the default behavior is assigned. |
| visibility | String (nullable) | Controls whether the administrative unit and its members are hidden or public. Can be set to HiddenMembership. If not set, the default value is null and the default behavior is public. When set to HiddenMembership, only members of the administrative unit can list other members of the administrative unit. |
| deletedDateTime | date-time (nullable) | Date and time when this object was deleted. Always null when the object hasn't been deleted. |
| extensions | extension collection | The collection of open extensions defined for this administrative unit. Nullable. |
| members | directoryObject collection | Users and groups that are members of this administrative unit. Supports $expand. |
| scopedRoleMembers | scopedRoleMembership collection | Scoped-role members of this administrative unit. |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "description": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "isMemberManagementRestricted": "Boolean",
  "membershipRule": "String",
  "membershipRuleProcessingState": "String",
  "membershipType": "String",
  "visibility": "String"
}
```
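The property constraints above can be checked before an administrative unit is created, which matters most for `isMemberManagementRestricted` because it cannot be changed afterwards. The following is an added example, not code from the original page or from Microsoft; the function name, severity labels and sample body are hypothetical, and treating a dynamic unit without a rule as an error is an assumption.

```python
# Added example: lint a proposed administrativeUnit request body against the
# constraints in the Properties table. Function and sample names are hypothetical.
MEMBERSHIP_TYPES = {"dynamic", "assigned"}
PROCESSING_STATES = {"On", "Paused"}


def lint_administrative_unit(body):
    """Return (severity, message) findings for a create-request body."""
    findings = []
    name = body.get("displayName")
    if name is not None and len(name) > 256:
        findings.append(("error", "displayName exceeds 256 characters"))

    mtype = body.get("membershipType")  # null behaves as assigned
    if mtype not in MEMBERSHIP_TYPES | {None}:
        findings.append(("error", f"unknown membershipType {mtype!r}"))
    state = body.get("membershipRuleProcessingState")
    if state not in PROCESSING_STATES | {None}:
        findings.append(("error", f"unknown membershipRuleProcessingState {state!r}"))
    rule = body.get("membershipRule")
    if mtype == "dynamic" and not rule:
        # Assumption: a dynamic unit with no rule is a mistake worth blocking.
        findings.append(("error", "dynamic membership without membershipRule"))
    if rule and mtype != "dynamic":
        findings.append(("warn", "membershipRule set but membershipType is not dynamic"))

    # Immutable after creation, so both outcomes deserve a reviewer's attention.
    restricted = body.get("isMemberManagementRestricted")
    if restricted is None:
        findings.append(("warn", "isMemberManagementRestricted unset: behaves as "
                                 "false and cannot be changed later"))
    elif restricted:
        findings.append(("info", "restricted management unit: member management "
                                 "limited to admins scoped to this unit"))

    visibility = body.get("visibility")  # null behaves as public
    if visibility is None:
        findings.append(("info", "visibility unset: membership is public"))
    elif visibility != "HiddenMembership":
        findings.append(("warn", f"visibility {visibility!r} is not listed in the table"))
    return findings


# Constructed sample: a dynamic unit for privileged accounts, missing its rule.
SAMPLE = {"displayName": "Tier 0 admins", "membershipType": "dynamic",
          "membershipRuleProcessingState": "On"}
if __name__ == "__main__":
    for severity, message in lint_administrative_unit(SAMPLE):
        print(f"{severity}: {message}")
```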
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| members | directoryObject collection | Users and groups that are members of this administrative unit. Supports $expand. |
| extensions | extension collection | The collection of open extensions defined for this administrative unit. Nullable. |
| scopedRoleMembers | scopedRoleMembership collection | Scoped-role members of this administrative unit. |
| deletedMembers | directoryObject collection | Related deletedMembers data exposed by this resource. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ReferenceCreate
{
    OdataId = "https://graph.microsoft.com/v1.0/groups/{id}",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Directory.AdministrativeUnits["{administrativeUnit-id}"].Members.Ref.PostAsync(requestBody);
```
```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const directoryObject = {
    '@odata.id': 'https://graph.microsoft.com/v1.0/groups/{id}'
};

await client.api('/directory/administrativeUnits/{id}/members/$ref')
    .post(directoryObject);
```
```powershell
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/groups/{id}"
}

New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $administrativeUnitId -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
    odata_id = "https://graph.microsoft.com/v1.0/groups/{id}",
)

await graph_client.directory.administrative_units.by_administrative_unit_id('administrativeUnit-id').members.ref.post(request_body)
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions or Delegated permissions and search for AdministrativeUnit.ReadWrite.All.
4. Grant Admin Consent: Application permissions always require admin consent.
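Once consent has been granted, a tenant review should be able to list every client that holds this permission. The following is an added example, not code from the original page or from Microsoft: it assumes the input was exported as Microsoft Graph `appRoleAssignment` and `oauth2PermissionGrant` objects, and every ID and name in the sample data is constructed.

```python
# Added example: list who holds AdministrativeUnit.ReadWrite.All in a tenant export.
APP_ROLE_ID = "5eb59dd3-1da2-4329-8733-9dabdc435916"  # application permission ID from this page
SCOPE = "AdministrativeUnit.ReadWrite.All"

# Constructed sample data in the shape of Graph appRoleAssignment and
# oauth2PermissionGrant objects. Every ID and name below is made up.
ROLE_ASSIGNMENTS = [
    {"principalId": "sp-0001", "principalDisplayName": "hr-sync-daemon",
     "appRoleId": "5EB59DD3-1DA2-4329-8733-9DABDC435916"},
    {"principalId": "sp-0002", "principalDisplayName": "report-reader",
     "appRoleId": "00000000-0000-0000-0000-0000000000aa"},
]
DELEGATED_GRANTS = [
    {"clientId": "sp-0003", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read AdministrativeUnit.ReadWrite.All"},
    {"clientId": "sp-0004", "consentType": "Principal", "principalId": "user-0009",
     "scope": "openid AdministrativeUnit.Read.All"},
    {"clientId": "sp-0005", "consentType": "Principal", "principalId": "user-0010",
     "scope": " administrativeunit.readwrite.all "},
]


def find_holders(role_assignments, delegated_grants):
    """Return one record per grant of the permission, app-only grants first."""
    holders = []
    for a in role_assignments:
        # App-only grants are stored by role ID, not by permission name.
        if (a.get("appRoleId") or "").lower() == APP_ROLE_ID:
            holders.append({"client": a["principalId"], "kind": "application",
                            "acts_for": "no signed-in user"})
    for g in delegated_grants:
        # Delegated grants store a space-separated scope string; compare whole
        # tokens so AdministrativeUnit.Read.All is not mistaken for a match.
        tokens = {t.lower() for t in (g.get("scope") or "").split()}
        if SCOPE.lower() in tokens:
            acts_for = ("all users" if g.get("consentType") == "AllPrincipals"
                        else g.get("principalId"))
            holders.append({"client": g["clientId"], "kind": "delegated",
                            "acts_for": acts_for})
    return holders


if __name__ == "__main__":
    for h in find_holders(ROLE_ASSIGNMENTS, DELEGATED_GRANTS):
        print(h)
```

Application grants and tenant-wide (`AllPrincipals`) delegated grants are the ones to review first, since neither is limited to a single consenting user.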