Manage Groups in Microsoft 365 with Microsoft Graph PowerShell Cmdlets

Microsoft 365 is a powerful suite of productivity tools used by organizations worldwide. Within this ecosystem, groups are a fundamental feature that enables efficient collaboration and access control. Managing these groups is essential for ensuring security and productivity. While the Exchange and Entra admin centers provide a graphical way to manage groups in Microsoft 365, PowerShell offers an advanced and scriptable approach for bulk management.

We use the Graph PowerShell SDK because Microsoft has deprecated the Azure AD and MS Online PowerShell modules.

In this blog, we’ll explore the top Microsoft Graph PowerShell cmdlets for streamlining administrative tasks in managing groups in Microsoft 365.

Manage Groups in Microsoft 365 Using Graph PowerShell

Here is the essential list of MS Graph PowerShell operations that every admin should know when it comes to managing groups!

  1. Create a group in Microsoft 365
  2. Get the list of all Office 365 groups
  3. Get the list of members in a group
  4. Get groups a user is a member of
  5. Add a user to a group
  6. Add bulk users to a group
  7. Add a user to bulk groups
  8. Add an owner to a group in Azure AD
  9. Remove a user from a group in Microsoft 365
  10. Remove multiple users from a group
  11. Remove a user from bulk groups
  12. Remove an owner from a group
  13. Create a dynamic group in Azure AD
  14. Update Entra ID group properties
  15. Assign licenses to Azure AD groups
  16. Remove groups in Microsoft 365

Before you start managing groups in Microsoft 365, connect to Microsoft Graph PowerShell. Make the connection with global administrator or at least group administrator privileges, along with the following scopes.

  • Directory.ReadWrite.All
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All
  • User.Read.All

1. Create a Group in Microsoft 365 Using MS Graph

To create a group in your Microsoft 365 tenant, execute the “New-MgGroup” cmdlet as demonstrated here.

$params = @{ 
    displayName = <GroupName> 
    description = <GroupDescription> 
    groupTypes = @("Unified") 
    mailEnabled = <$trueOr$false> 
    mailNickname = <MailName> 
    securityEnabled = <$trueOr$false> 
} 
New-MgGroup -BodyParameter $params 

Replace the appropriate values in the above cmdlet for the creation of a Microsoft 365 group. To create a security group, just skip the ‘GroupTypes’ parameter.


2. Get the List of all Office 365 Groups using Graph PowerShell

To retrieve a list of all groups within your tenant, you can simply execute the following cmdlet:

Get-MgGroup -All


You can also use the Microsoft365DSC export cmdlet to get all the groups in your Microsoft 365 tenant.

3. Get the List of Members in a Group Using PowerShell

To view the list of members or users within an Entra ID (Azure AD) group, you’ll need the object id of that group. So, begin by obtaining the group id for the specific group using the ‘Get-MgGroup’ cmdlet.

Then, execute the “Get-MgGroupMember” cmdlet to view the group membership.

Get-MgGroupMember -GroupId <GroupObjectID> | ForEach-Object {
    [PSCustomObject]@{
        DisplayName = $_.AdditionalProperties.displayName
        UserID = $_.Id
    }
} | Select-Object -Property DisplayName, UserID 


Note: You can also use the pre-built PowerShell script to export Microsoft 365 group report to CSV with their membership details.

In a similar way, you can use the “Get-MgGroupOwner” cmdlet to view the owners of the group.

Get-MgGroupOwner -GroupId <GroupObjectID> | ForEach-Object {
    [PSCustomObject]@{
        DisplayName = $_.AdditionalProperties.displayName
        UserID = $_.Id
    }
} | Select-Object -Property DisplayName, UserID 

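Combining the listing cmdlets from sections 2 and 3 gives a tenant-wide ownership report that flags groups nobody owns. This is an added example, not code from the original post; the function name, the MinimumOwners threshold and the output path are assumptions, and it expects an existing Connect-MgGraph session.

```powershell
# Added example (not from the original post). Assumes Connect-MgGraph has already
# been run with at least read access to groups and their members.
function Get-GroupOwnershipReport {
    [CmdletBinding()]
    param(
        # Groups with fewer owners than this are flagged (assumed threshold)
        [int]$MinimumOwners = 1
    )

    foreach ($group in Get-MgGroup -All -Property Id, DisplayName, GroupTypes) {
        # @() forces an array so .Count is reliable for 0 or 1 results
        $owners  = @(Get-MgGroupOwner  -GroupId $group.Id -All)
        $members = @(Get-MgGroupMember -GroupId $group.Id -All)

        [PSCustomObject]@{
            DisplayName = $group.DisplayName
            GroupId     = $group.Id
            IsUnified   = $group.GroupTypes -contains 'Unified'
            IsDynamic   = $group.GroupTypes -contains 'DynamicMembership'
            OwnerCount  = $owners.Count
            MemberCount = $members.Count
            # Same AdditionalProperties lookup the cmdlets above use
            Owners      = ($owners | ForEach-Object { $_.AdditionalProperties.displayName }) -join '; '
            NeedsReview = $owners.Count -lt $MinimumOwners
        }
    }
}

# Ownerless groups sort to the top of the exported report
Get-GroupOwnershipReport |
    Sort-Object NeedsReview -Descending |
    Export-Csv -Path .\GroupOwnershipReport.csv -NoTypeInformation
```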

4. Get a List of Groups a User is a member of Using MS Graph

To find the groups where a user is a member, you can use the “Get-MgUserMemberOf” cmdlet with the user id. Here’s the demonstration:

Get-MgUserMemberOf -UserID <UserID> | ForEach-Object {
    [PSCustomObject]@{
        DisplayName = $_.AdditionalProperties.displayName
        Id = $_.Id
    }
} | Select-Object -Property DisplayName, Id 


To find the user id of a user, you can execute the cmdlet “Get-MgUser -UserId <UPN>”.

Note: You can also download the pre-built PowerShell script to get a more detailed report on group membership of a user.

Similarly, you can use the “Get-MgUserOwnedObject” cmdlet to list the groups where a user is the owner.

Get-MgUserOwnedObject -UserID <UserID> | ForEach-Object {
    [PSCustomObject]@{
        DisplayName = $_.AdditionalProperties.displayName
        Id = $_.Id
    }
} | Select-Object -Property DisplayName, Id


Monitoring groups can be made even easier with the free Microsoft 365 reporting tool by AdminDroid. The tool offers 120+ free Entra reports, including 20+ group reports, and extends its capabilities across multiple Microsoft 365 services with over 1800 reports and 30+ dashboards!

5. Add a User to a Microsoft 365 Group Using PowerShell

Managing Microsoft 365 users using PowerShell is another crucial task for admins. To add a new user to a group, execute the “New-MgGroupMember” cmdlet with the group id and user id as demonstrated below.

New-MgGroupMember -GroupId <GroupObjectID> -DirectoryObjectId <UserID>

6. Add Bulk Users to a Group Using Graph PowerShell

To add bulk users to a group, first create a CSV file with the user IDs. Then execute the following cmdlet with the file location and group object id.

Import-Csv <FileLocation> | Foreach {New-MgGroupMember -GroupId <GroupObjectID> -DirectoryObjectId $_.UserID}

Sample input file: a CSV whose header row contains a UserID column, which the cmdlet reads as $_.UserID (shown as an image in the original post).
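The one-liner above passes every CSV row straight to New-MgGroupMember. The version below is an added example, not code from the original post: it validates each id, skips users who are already members, supports -WhatIf and returns a per-row status. The function name, file name and GUIDs are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes an existing Connect-MgGraph
# session with GroupMember.ReadWrite.All and a CSV with a UserID header.
function Add-GroupMembersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][guid]$GroupId
    )

    # Current membership, so reruns do not fail on users who are already members
    $existing = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { [void]$existing.Add($_.Id) }

    foreach ($row in Import-Csv -Path $Path) {
        $raw    = "$($row.UserID)".Trim()
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($raw, [ref]$parsed)) {
            $status = 'SkippedInvalidId'          # typo, blank row, or a UPN instead of an object id
        } elseif ($existing.Contains($parsed.ToString())) {
            $status = 'AlreadyMember'
        } elseif (-not $PSCmdlet.ShouldProcess($raw, "Add to group $GroupId")) {
            $status = 'NotApplied'                # -WhatIf or a declined -Confirm prompt
        } else {
            try {
                New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $parsed -ErrorAction Stop | Out-Null
                [void]$existing.Add($parsed.ToString())
                $status = 'Added'
            } catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [PSCustomObject]@{ UserID = $raw; Status = $status }
    }
}

# Constructed sample input: placeholder GUID plus one deliberately invalid row
@'
UserID
00000000-0000-0000-0000-000000000001
not-a-guid
'@ | Set-Content -Path .\users.csv

# Dry run first; the group id is a placeholder for a real group object id
Add-GroupMembersFromCsv -Path .\users.csv -GroupId '11111111-1111-1111-1111-111111111111' -WhatIf
```

The returned objects can be piped to Export-Csv to keep a record of what was changed and what was skipped.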

7. Add a User to Bulk Groups Using PowerShell

To add a user to multiple groups, first create a CSV file with the list of group ids. Then execute the following cmdlet.

Import-Csv <FileLocation> | Foreach {New-MgGroupMember -GroupId $_.GroupObjectID -DirectoryObjectId <UserID>} 

Replace <FileLocation> with the CSV file location and <UserID> with the appropriate user id who needs to be added to the groups.

Sample input file: a CSV whose header row contains a GroupObjectID column, which the cmdlet reads as $_.GroupObjectID (shown as an image in the original post).

8. Add an Owner to a Group in Azure AD Using MS Graph PowerShell

In Graph PowerShell, you can use the “New-MgGroupOwner” cmdlet to add an owner to a group.

New-MgGroupOwner -GroupId <GroupObjectID> -DirectoryObjectId <Owner’sUserID>

Here, replace the <GroupObjectID> with the appropriate group id and <Owner’sUserID> with the user’s id who needs to be added as an owner.


9. Remove a User from a Group in Microsoft 365 Using MS Graph

The execution of the below cmdlet removes a user from a group in Microsoft 365.

Remove-MgGroupMemberByRef -GroupId <GroupObjectID> -DirectoryObjectId <UserID> 

Replace the group object id and user id in the cmdlet.

Note: This cmdlet only has the ability to remove the members from the group. It doesn’t remove the owners from the Entra ID groups.

10. Remove Multiple Users from a Group Using CSV Input

To remove bulk users from an Azure AD (Entra ID) group, first create a CSV file with a list of User IDs. Then execute the ‘Remove-MgGroupMemberByRef’ cmdlet as demonstrated below.

Import-Csv <FileLocation> | Foreach {Remove-MgGroupMemberByRef -GroupId <GroupObjectID> -DirectoryObjectId $_.UserID} 

Here, replace <FileLocation> with the CSV file location and <GroupObjectID> with the appropriate group ID, from which the users need to be removed.

Sample input file: a CSV whose header row contains a UserID column, which the cmdlet reads as $_.UserID (shown as an image in the original post).

11. Remove a User from Bulk Groups Using MS Graph

To remove a user from multiple groups, first create a CSV file with the list of group object IDs. Then execute the following cmdlet.

Import-Csv <FileLocation> | Foreach {Remove-MgGroupMemberByRef -GroupId $_.GroupObjectID -DirectoryObjectId <UserID>} 

Replace <FileLocation> with the CSV file location and <UserID> with the appropriate user id that needs to be removed from multiple groups.

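Sample input file: a CSV whose header row contains a GroupObjectID column, which the cmdlet reads as $_.GroupObjectID (shown as an image in the original post).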

12. Remove an Owner from a Group Using Graph PowerShell Cmdlet

You can use the “Remove-MgGroupOwnerByRef” cmdlet to remove an owner from a group.

Remove-MgGroupOwnerByRef -GroupId <GroupObjectID> -DirectoryObjectId <Owner’sUserID> 

Replace the group object id and user id of an owner in the above cmdlet.

Note: This cmdlet is specifically designed for removing group owners; it can’t be used to remove members from the group.

13. Create a Dynamic Group in Azure AD Using Microsoft Graph

You can create dynamic groups in Entra ID using the Graph PowerShell cmdlet ‘New-MgGroup’, with the ‘MembershipRule’ and ‘MembershipRuleProcessingState’ parameters.

$params = @{
    DisplayName = <GroupName>
    Description = <GroupDescription>
    MailNickname = <MailName>
    MailEnabled = <$trueOr$false>
    SecurityEnabled = <$trueOr$false>
    GroupTypes = @("DynamicMembership")
    MembershipRule = <MemberShipRule>
    MembershipRuleProcessingState = "on"
}
New-MgGroup -BodyParameter $params


For example, with a membership rule that selects users from the ‘R&D’ department, the above cmdlet creates a dynamic group containing those users.
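The ‘R&D’ case written out, as an added example that is not code from the original post: the group is created with rule processing paused, the stored rule is read back and compared, and processing is switched on only after the preview has been reviewed. The display name, mail nickname and rule text are assumptions, and it expects an existing Connect-MgGraph session with the scopes listed earlier.

```powershell
# Added example (not from the original post). Display name, nickname and rule are placeholders.
$rule = '(user.department -eq "R&D")'

# Preview which users the rule would pull in, using a client-side match on department
$preview = Get-MgUser -All -Property Id, UserPrincipalName, Department |
    Where-Object { $_.Department -eq 'R&D' }
$preview | Select-Object UserPrincipalName, Department | Format-Table

$params = @{
    DisplayName                   = 'R&D Staff (dynamic)'
    Description                   = 'Users whose department is R&D'
    MailNickname                  = 'rnd-staff-dynamic'
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    # Paused: the rule is stored but not evaluated until it is switched on
    MembershipRuleProcessingState = 'Paused'
}
$group = New-MgGroup -BodyParameter $params

# Read the stored rule back and compare it with what was intended
$stored = Get-MgGroup -GroupId $group.Id -Property Id, MembershipRule, MembershipRuleProcessingState
if ($stored.MembershipRule -ne $rule) {
    throw "Stored rule differs from the intended rule: $($stored.MembershipRule)"
}

# Once the preview list has been reviewed, start membership evaluation
Update-MgGroup -GroupId $group.Id -BodyParameter @{ MembershipRuleProcessingState = 'On' }
```

Membership of a dynamic group follows the attribute in the rule, so anyone who can edit a user's department effectively controls who is in this group.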

14. Update Group Properties Using Graph PowerShell

You can modify Azure AD group attributes by employing the “Update-MgGroup” cmdlet, specifying the desired values for the updates.

$params = @{ 
    DisplayName = <NewGroupName>
    Description = <NewGroupDescription>
    MailNickname = <NewMailName>
}
Update-MgGroup -GroupId <GroupObjectID> -BodyParameter $params 

When you execute the above cmdlet, it seamlessly updates the display name, description, and mail nickname of the group with the newly provided values. If desired, you can also update your group profile photo using the “Set-MgGroupPhotoContent” cmdlet in MS Graph PowerShell.

15. Assign Licenses to Azure AD Groups Using PowerShell

Microsoft’s group-based licensing enables you to allocate license subscriptions to Azure AD groups. Assigning licenses directly to a group saves administrators time by eliminating the need to individually apply licenses to each user.

Before assigning a license to the group, it is crucial to know the appropriate ‘SkuId’, as it is required for the license assignment through PowerShell. To find the ‘SkuId’ for a specific license, you can execute the following cmdlet:

Get-MgSubscribedSku -All

Then, you can assign a license to a group in Microsoft 365, using the “Set-MgGroupLicense” cmdlet as demonstrated below.

Set-MgGroupLicense -GroupId <GroupObjectID> -AddLicenses @{SkuId= <SkuId>} -RemoveLicenses @() 

16. Remove Groups in Microsoft 365 using PowerShell Cmdlet

To delete a group in Microsoft 365, you can use the “Remove-MgGroup” cmdlet.

Remove-MgGroup -GroupId <GroupId>

Note: If you wish to automatically delete specific groups within a designated time frame in Microsoft 365, you can consider configuring the group expiration policy.

Closing Lines

By mastering these PowerShell cmdlets and exploring more advanced options, you’ll be better equipped to manage groups in Microsoft 365 effectively. For any further assistance, please feel free to leave your comments and queries. Stay tuned for more insights and practical guidance on Microsoft 365 administration.

by Thiraviam