Manage Groups in Microsoft 365 with Microsoft Graph PowerShell Cmdlets
Microsoft 365 is a powerful suite of productivity tools used by organizations worldwide. Within this ecosystem, groups are a fundamental feature that enables efficient collaboration and access control. Managing these groups is essential for ensuring security and productivity. While the Exchange and Entra admin center provides a graphical way to manage groups in Microsoft 365, PowerShell offers an advanced and scriptable approach for bulk management.
We prefer the Graph PowerShell SDK because it’s a wise choice due to Microsoft’s deprecation of Azure AD and MS Online PowerShell modules.
In this blog, we’ll explore the top Microsoft Graph PowerShell cmdlets for streamlining administrative tasks in managing groups in Microsoft 365.
Here is the essential list of MS Graph PowerShell operations that every admin should know when it comes to managing groups!
- Create a group in Microsoft 365
- Get the list of all Office 365 groups
- Get the list of members in a group
- Get groups a user is a member of
- Add a user to a group
- Add bulk users to a group
- Add a user to bulk groups
- Add an owner to a group in Azure AD
- Remove a user from a group in Microsoft 365
- Remove multiple users from a group
- Remove a user from bulk groups
- Remove an owner from a group
- Create a dynamic group in Azure AD
- Update Entra ID group properties
- Assign licenses to Azure AD groups
- Remove groups in Microsoft 365
Before getting started to effectively and efficiently manage groups in Microsoft 365, make sure to connect to the Microsoft Graph PowerShell. Proceed the connection with the global administrator or at least with the group administrator privileges along with the following scopes.
- Directory.ReadWrite.All
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- User.Read.All
To create a group in your Microsoft 365 tenant, execute the “New-MgGroup” cmdlet as demonstrated here.
$params = @{ displayName = <GroupName> description = <GroupDescription> groupTypes = @("Unified") mailEnabled = <$trueOr$false> mailNickname = <MailName> securityEnabled = <$trueOr$false> } New-MgGroup -BodyParameter $params
Replace the appropriate values in the above cmdlet for the creation of a Microsoft 365 group. To create a security group, just skip the ‘GroupTypes’ parameter.
To retrieve a list of all groups within your tenant, you can simply execute the following cmdlet:
Get-MgGroup –All
You can also use Microsoft365DSC export cmdlet to get all the groups in your Microsoft 365 tenant.
To view the list of members or users within an Entra ID (Azure AD) group, you’ll need the object id of that group. So, begin by obtaining the group id for the specific group using the ‘Get-MgGroup’ cmdlet.
Then, execute the “Get-MgGroupMember” cmdlet to view the group membership.
Get-MgGroupMember -GroupId <GroupObjectID> | ForEach-Object { [PSCustomObject]@{ DisplayName = $_.AdditionalProperties.displayName UserID = $_.Id } } | Select-Object -Property DisplayName, UserID
Note: You can use the pre-built PowerShell script to export Microsoft 365 group report with their membership details. Additionally, you can audit M365 group membership changes using PowerShell.
In a similar way, you can use the “Get-MgGroupOwner” cmdlet to view the owners of the group.
Get-MgGroupOwner -GroupId <GroupObjectID> | ForEach-Object { [PSCustomObject]@{ DisplayName = $_.AdditionalProperties.displayName UserID = $_.Id } } | Select-Object -Property DisplayName, UserID
To find the groups where a user is a member, you can use the “Get-MgUserMemberOf” cmdlet with the user id. Here’s the demonstration:
Get-MgUserMemberOf -UserID <UserID> | ForEach-Object { [PSCustomObject]@{ DisplayName = $_.AdditionalProperties.displayName Id = $_.Id } } | Select-Object -Property DisplayName, Id
To know the user id of the respective users you can execute the cmdlet “Get-MgUser -UserId <UPN> “.
Note: You can also download the pre-built PowerShell script to get a more detailed report on group membership of a user.
Similarly, you can use the “Get-MgUserOwnedObject” cmdlet to list the groups where a user is the owner.
Get-MgUserOwnedObject -UserID <UserID> | ForEach-Object { [PSCustomObject]@{ DisplayName = $_.AdditionalProperties.displayName Id = $_.Id } } | Select-Object -Property DisplayName, Id
Monitoring groups can be made even easier with the free Microsoft 365 reporting tool by AdminDroid. The tool offers 120+ free Entra reports, including 20+ group reports, and extends its capabilities across multiple Microsoft 365 services with over 1800 reports and 30+ dashboards!
Managing Microsoft 365 users using PowerShell is another crucial task for admins, similar to managing group owners. To add a new user to a group, execute the “Get-MgGroupMember” cmdlet with the group id and user id as demonstrated below.
New-MgGroupMember -GroupId <GroupObjectID> -DirectoryObjectId <UserID>
To add bulk users to a group, first, create a CSV file with the user IDs. After the CSV file creation, just execute the forthcoming cmdlet with the file location and group object id.
Import-Csv <FileLocation> | Foreach {New-MgGroupMember -GroupId <GroupObjectID> -DirectoryObjectId $_.UserID}
Sample input file:
To add a user to multiple groups, first, create a CSV file with the list of group ids. Thereafter, execute the forthcoming cmdlet.
Import-Csv <FileLocation> | Foreach {New-MgGroupMember -GroupId $_.GroupObjectID -DirectoryObjectId <UserID>}
Replace <FileLocation> with the CSV file location and <UserID> with the appropriate user id who needs to be added to the groups.
Sample input file:
In Graph PowerShell, you can use the “New-MgGroupOwner” cmdlet to add an owner to a group.
New-MgGroupOwner -GroupId <GroupObjectID> -DirectoryObjectId <Owner’sUserID>
Here, replace the <GroupObjectID> with the appropriate group id and <Owner’sUserID> with the user’s id who needs to be added as an owner.
The execution of the below cmdlet removes a user from a group in Microsoft 365.
Remove-MgGroupMemberByRef -GroupId <GroupObjectID> -DirectoryObjectId <UserID>
Replace the group object id and user id with the cmdlet.
Note: This cmdlet only has the ability to remove the members from the group. It doesn’t remove the owners from the Entra ID groups.
To remove bulk users from an Azure AD (EntraID) group, first, create a CSV file with a list of User IDs. Thereafter, execute the ‘Remove-MgGroupMemberByRef’ cmdlet as demonstrated below.
Import-Csv <FileLocation> | Foreach {Remove-MgGroupMemberByRef -GroupId <GroupObjectID> -DirectoryObjectId $_.UserID}
Here, replace <FileLocation> with the CSV file location and <GroupObjectID> with the appropriate group ID, from which the users need to be removed.
Sample input file:
To remove a user from multiple groups, first, create a CSV file with the list of group object IDs. Thereafter, execute the forthcoming cmdlet.
Import-Csv <FileLocation> | Foreach {Remove-MgGroupMemberByRef -GroupId $_.GroupObjectID -DirectoryObjectId <UserID>}
Replace <FileLocation> with the CSV file location and <UserID> with the appropriate user id that needs to be removed from multiple groups.
Sample input file:
You can use the “Remove-MgGroupOwnerByRef” cmdlet to remove an owner from a group.
Remove-MgGroupOwnerByRef -GroupId <GroupObjectID> -DirectoryObjectId <Owner’sUserID>
Replace the group object id and user id of an owner in the above cmdlet.
Note: Please note that this cmdlet is specifically designed for removing group owners and it can’t be used to remove members from the group.
You can create dynamic groups in Entra ID using the Graph PowerShell cmdlet ‘New-MgGroup’, with the ‘MembershipRule’ and ‘MembershipRuleProcessingState’ parameters.
$params = @{ DisplayName = <GroupName> Description = <GroupDescription> MailNickname = <MailName> MailEnabled = <$trueOr$false> SecurityEnabled = <$trueOr$false> GroupTypes = @("DynamicMembership") MembershipRule = <MemberShipRule> MembershipRuleProcessingState = "on" } New-MgGroup -BodyParameter $params
In the above cmdlet, a dynamic group is created by adding users from the ‘R&D’ department.
You can modify Azure AD group attributes by employing the “Update-MgGroup” cmdlet, specifying the desired values for the updates.
$params = @{ DisplayName = <NewGroupName> Description = <NewGroupDescription> MailNickname = <NewMailName> } Update-MgGroup -GroupId <GroupObjectID> -BodyParameter $params
When you execute the above cmdlet, it seamlessly updates the display name, description, and mail nickname of the group with the newly provided values. If desired, you can also update your group profile photo using the “Set-MgGroupPhotoContent” cmdlet in MS Graph PowerShell.
Microsoft’s group-based licensing enables you to allocate license subscriptions to Azure AD groups. Assigning licenses directly to a group saves administrators time by eliminating the need to individually apply licenses to each user.
Before assigning a license to the group, it is crucial to know the appropriate ‘SkuId’, as it is required for the license assignment through PowerShell. To find the ‘SkuId’ for a specific license, you can execute the following cmdlet:
Get-MgSubscribedSku –All
Then, you can assign a license to a group in Microsoft 365, using the “Set-MgGroupLicense” cmdlet as demonstrated below.
Set-MgGroupLicense -GroupId <GroupObjectID> -AddLicenses @{SkuId= <SkuId>} -RemoveLicenses @()
To delete a group in Microsoft 365, you can use the “Remove-MgGroup” cmdlet.
Remove-MgGroup -GroupId <GroupId>
If you want to restore a deleted Microsoft 365 Group using MS Graph, run “Restore-MgDirectoryDeletedItem” cmdlet along with the group identifier.
Note: If you wish to automatically delete specific groups within a designated time frame in Microsoft 365, you can consider configuring the group expiration policy.
Closing Lines
By mastering these PowerShell cmdlets and exploring more advanced options, you’ll be better equipped to manage groups in Microsoft 365 effectively. If you need additional assistance with MS Graph PowerShell scripts or have any questions, feel free to reach out. Stay tuned for more insights and practical guidance on Microsoft 365 administration.
