Azure AD RBAC: Dynamic administrative units now in public preview for users & devices
Howdy folks,
As part of our series of announcements for Azure Active Directory (Azure AD) role-based access control (RBAC), I’m excited to share the public preview of dynamic administrative units.
With dynamic administrative units, you no longer have to manually manage membership of your administrative units (or write your own automation to manage it for you). Instead, Azure AD allows you to specify a query based on user or device attributes, and then maintains the membership for you.
Let's take a look at some of the cool things you can do with these new capabilities:
And you can check out the other announcements in the series here:
- Azure AD RBAC: Custom roles for app management now available
- Azure AD RBAC: Custom roles & administrative units for devices now available
Create a rule for easy user membership management
To create a dynamic membership rule, go to an administrative unit and click on the Properties tab. In this example, we have an administrative unit representing the Human Resources department.
On the Properties blade, set the Membership Type to Dynamic User. Then click Add dynamic query to create a dynamic rule.
Here we’ve used the rule builder to create a basic rule which includes all users whose department is “Human Resources.” You can also build more complex rules using the same syntax you use for dynamic groups (see this page for details on how to do so).
Once you’ve created the rule, click Save to save the rule syntax. Then, click Save again on the Properties blade to save the membership changes to the administrative unit. Within a few minutes, the dynamic groups engine will start to populate the administrative unit with the users that match the rule.
Now, you can go to the Roles and administrators tab to delegate administrative roles over the administrative unit and be assured that the scope will be automatically kept up to date by the dynamic membership engine.
In this example, we’re delegating the ability to manage passwords for employees in the Human Resources department by assigning the Password Administrator role scoped to the Human Resources administrative unit.
Note: We highly recommend assigning the Password Administrator role as an eligible assignment through Privileged Identity Management.
For more information on dynamic administrative units, check out our documentation.
What’s next
Moving forward, we’re looking at adding support for both users and devices in the same dynamic administrative unit and offering additional properties from which you can build dynamic queries. We're also working on more great features in the Azure AD RBAC area related to administrative units and custom roles. Stay tuned for coming announcements.
Best regards,
Alex Simons (Twitter: @Alex_A_Simons)
Corporate VP of Program Management
Microsoft Identity Division
Learn more about Microsoft identity:
- Related Articles: Azure AD RBAC: Custom roles & administrative units for devices now available / Azure AD RBAC: Custom roles for app management now available
- Return to the Azure Active Directory Identity blog home
- Join the conversation on Twitter and LinkedIn
- Share product suggestions on the Azure Feedback Forum
Published on:
Learn moreRelated posts
Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)
We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...
See our new Azure Cosmos DB Design Patterns
Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...
Need a different partition key in Azure Cosmos DB? Pick the right approach
Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...
Azure SDK Release (June 2026)
Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...
Fundamentals of Azure DevOps with SQL projects
Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...
Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers
Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...
What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)
We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...
Power Automate Flow — HTTP Trigger to Azure OpenAI
Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...
Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB
The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...