Administrative Units (AUs) help you scope administration in Microsoft Entra ID. When an AU is no longer needed, you can remove it safely with Remove-MgDirectoryAdministrativeUnit. Deleting an AU does not delete the users, groups, or devices inside it; it only removes the AU container and its scoped relationships.
```powershell
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId <String>
```

```powershell
$administrativeUnitId = "00000000-0000-0000-0000-000000000000"
# Remove without extra prompts
Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $administrativeUnitId
```
Tip: If you want a dry-run first, add -WhatIf.
Save as aus-to-remove.csv:
```csv
AdministrativeUnitId
11111111-1111-1111-1111-111111111111
22222222-2222-2222-2222-222222222222
33333333-3333-3333-3333-333333333333
```

```powershell
$csvPath = "C:\temp\aus-to-remove.csv"
if (-not (Test-Path $csvPath)) { throw "CSV not found at $csvPath" }

$rows = Import-Csv -Path $csvPath
foreach ($row in $rows) {
    # String interpolation keeps Trim() safe when the column is missing or empty
    $auId = "$($row.AdministrativeUnitId)".Trim()
    if ([string]::IsNullOrWhiteSpace($auId)) {
        Write-Warning "Skipped a row with empty AdministrativeUnitId."
        continue
    }
    try {
        # -ErrorAction Stop turns any failure into a terminating error so the catch block runs
        Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $auId -Confirm:$false -ErrorAction Stop
        Write-Host "Removed AU: $auId"
    }
    catch {
        Write-Warning "Failed to remove AU '$auId'. Error: $($_.Exception.Message)"
    }
}
```
Make your life easier by keeping one AU ID per line under the AdministrativeUnitId header.
```powershell
# Look up an AU's ID from its display name
$au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Sales Team AU'"
$au.Id
```
Error | Cause | Solution |
---|---|---|
Authorization_RequestDenied or Insufficient privileges to complete the operation | Missing AdministrativeUnit.ReadWrite.All or consent not granted | Reconnect with the correct scope or have an admin grant consent (delegated or app-only). |
Request_ResourceNotFound / Resource not found | AU ID doesn’t exist (typo, already deleted) | Verify the AU ID. In bulk deletes, continue past missing IDs; optionally pre-validate with Get-MgDirectoryAdministrativeUnit. |
Forbidden | Caller lacks rights on this AU (scoped admin scenario) | Use an account/app with rights scoped to that AU or elevate permissions appropriately. |
PreconditionFailed (412) when using -IfMatch | ETag mismatch due to concurrent change | Refresh the AU, get the latest ETag, and retry; or omit -IfMatch if you don’t need concurrency safeguards. |
Throttling / intermittent failures | Service limits hit during bulk deletion | Add small delays or retry logic with backoff in your loop. |
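
The table suggests pre-validating IDs with Get-MgDirectoryAdministrativeUnit and adding retry with backoff to the bulk loop. The following is an added example, not code from the original article, that combines both with a -WhatIf dry run and a CSV audit log. The function name Remove-AuWithRetry, the $MaxAttempts parameter, the log path, and the assumption that error messages contain the codes listed in the table are all illustrative.

```powershell
# Added example. Remove-AuWithRetry, $MaxAttempts and the log path are hypothetical names.
function Remove-AuWithRetry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AdministrativeUnitId,
        [int]$MaxAttempts = 4
    )
    # Build one audit record per AU so every outcome is logged the same way.
    $record = [ordered]@{ Id = $AdministrativeUnitId; DisplayName = $null; Status = $null; Detail = $null }

    # Pre-validate: confirm the AU exists and capture its name before deleting.
    try {
        $au = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $AdministrativeUnitId -ErrorAction Stop
        $record.DisplayName = $au.DisplayName
    }
    catch {
        $record.Status = 'LookupFailed'; $record.Detail = $_.Exception.Message
        return [pscustomobject]$record
    }

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # Honors -WhatIf passed to this function: nothing is deleted in a dry run.
            if ($PSCmdlet.ShouldProcess("$($au.DisplayName) ($AdministrativeUnitId)", 'Remove administrative unit')) {
                Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $AdministrativeUnitId -Confirm:$false -ErrorAction Stop
                $record.Status = 'Removed'
            }
            else { $record.Status = 'DryRun' }
            return [pscustomobject]$record
        }
        catch {
            $record.Detail = $_.Exception.Message
            # Assumption: the message text carries the error codes listed in the table.
            # Permission and not-found errors will not succeed on retry, so stop early.
            $permanent = $record.Detail -match 'Authorization_RequestDenied|Insufficient privileges|Forbidden|ResourceNotFound'
            if ($permanent -or $attempt -eq $MaxAttempts) {
                $record.Status = 'Failed'
                return [pscustomobject]$record
            }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))   # back off 2s, 4s, 8s
        }
    }
}

# Dry run over the CSV from the bulk example; drop -WhatIf to delete for real.
$results = Import-Csv -Path "C:\temp\aus-to-remove.csv" |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.AdministrativeUnitId) } |
    ForEach-Object { Remove-AuWithRetry -AdministrativeUnitId $_.AdministrativeUnitId.Trim() -WhatIf }
$results | Export-Csv -Path "C:\temp\au-removal-log.csv" -NoTypeInformation
```

Reviewing the dry-run log, with display names resolved, before the real run gives a record of exactly which AUs were targeted and which were removed.
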
Remove-MgDirectoryAdministrativeUnit gives you a fast, predictable way to retire AUs you no longer need—without touching the underlying users, groups, or devices. Start with a single AU removal when testing; then use the CSV-driven bulk pattern to clean up at scale. Add -WhatIf for safety, ensure the right permissions, and you’ll have efficient AU lifecycle management in place.