Manage Groups in Azure AD and Microsoft 365 Using PowerShell | Ranjan.info

You can use graphical management tools such as the Azure Portal or the Microsoft 365 Admin Center to manage groups in Azure. In this article, we will show how to create, edit, update, and delete groups in Azure AD or Microsoft 365 using PowerShell.

The first thing to note is that there are several types of groups in Azure (M365):

  • Azure AD security groups are used to manage access to Azure apps and resources. You can grant security groups access to Azure apps, and assign policies or Azure licenses to them (group-based licensing);
  • Microsoft 365 groups (formerly called Office 365 groups) are used as a universal means of access to various Microsoft 365 products (Teams, Yammer, Power BI, SharePoint, and a shared Outlook mailbox). In general, an M365 group is a shared workspace for team members. When a user is added to an M365 group, they can access all content posted since the group was created. Users in such a group can share files, documents, mailing lists, calendars, etc.;
  • distribution groups are used to deliver messages to a group of recipients or to send bulk emails;
  • mail-enabled security groups are used both to grant access to resources and to send mailouts.

You can add users to Azure AD or Microsoft 365 groups manually (assigned membership) or dynamically (users are added automatically based on user/device attributes).

How to create Azure AD Security Groups using PowerShell?

Azure AD security groups can be created manually or synced from on-premises Active Directory. Let’s see how to create Azure AD security groups and add users to them using PowerShell.

Connect to your Azure tenant using the Azure AD PowerShell module:

Connect-AzureAD

To create a new Azure security group, run the following command:

New-AzureADGroup -DisplayName grVMadmins -SecurityEnabled $true -Description "CORP VM admins" -MailEnabled $false -MailNickName "NotSet"

New-AzureADGroup: Create Security Groups and Add Members to Azure Active Directory via PowerShell

To get information about a group, run the command:

Get-AzureADGroup -SearchString grVMadmins

To add a user to an Azure AD group, use Add-AzureADGroupMember cmdlet.

Get a User and Group ID:

$GroupObj = Get-AzureADGroup -SearchString grVMadmins
$UserObj = Get-AzureADUser -SearchString [email protected]

Then add the user id to the group:

Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

List group members:

$GroupObj = Get-AzureADGroup -SearchString grVMadmins
Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId | select DisplayName,UserPrincipalName,UserType

Get-AzureADGroupMember - Get Azure AD group members using PowerShell

You can assign an Azure AD group owner by using Add-AzureADGroupOwner:

Add-AzureADGroupOwner -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

To display the group owner:

$GroupObj = Get-AzureADGroup -SearchString grVMadmins
Get-AzureADGroupOwner -ObjectId $GroupObj.ObjectId

To list all groups synced from on-premises Active Directory via Azure AD Connect (the LastDirSyncTime attribute shows the date of the last synchronization):

Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | select ObjectId,DisplayName,LastDirSyncTime
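As an added example that is not part of the original article, the following function combines the Get-AzureADGroup, Get-AzureADGroupOwner and Get-AzureADGroupMember cmdlets shown above into a quick audit of security groups: it reports groups with no owner, guest or nested-group members, and whether the group is synced from on-premises AD. It assumes an active Connect-AzureAD session; the function name and the NamePrefix parameter are my own.

```powershell
# Added example (not from the original article): audit Azure AD security groups for
# ownerless groups, guest members and nested groups. Assumes Connect-AzureAD was run.
function Get-AzureADSecurityGroupAudit {
    [CmdletBinding()]
    param(
        # Optional display-name prefix to narrow the audit (e.g. "gr")
        [string]$NamePrefix
    )

    # -All $true pages through every group; the default returns only the first page
    $groups = Get-AzureADGroup -All $true | Where-Object { $_.SecurityEnabled -eq $true }
    if ($NamePrefix) {
        $groups = $groups | Where-Object { $_.DisplayName -like "$NamePrefix*" }
    }

    foreach ($g in $groups) {
        $owners  = @(Get-AzureADGroupOwner  -ObjectId $g.ObjectId -All $true)
        $members = @(Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true)

        # Guests and nested groups widen who effectively holds the group's access
        $guests = @($members | Where-Object { $_.UserType -eq 'Guest' })
        $nested = @($members | Where-Object { $_.ObjectType -eq 'Group' })

        [PSCustomObject]@{
            DisplayName      = $g.DisplayName
            ObjectId         = $g.ObjectId
            SyncedFromOnPrem = [bool]$g.DirSyncEnabled   # $null for cloud-only groups
            LastDirSyncTime  = $g.LastDirSyncTime
            OwnerCount       = $owners.Count
            MemberCount      = $members.Count
            GuestMembers     = $guests.Count
            NestedGroups     = $nested.Count
            # Ownerless groups cannot be self-managed and tend to go stale
            Ownerless        = ($owners.Count -eq 0)
        }
    }
}

# Usage: show only the groups that deserve a review
Get-AzureADSecurityGroupAudit |
    Where-Object { $_.Ownerless -or $_.GuestMembers -gt 0 -or $_.NestedGroups -gt 0 } |
    Sort-Object DisplayName |
    Format-Table DisplayName, OwnerCount, MemberCount, GuestMembers, NestedGroups, SyncedFromOnPrem
```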

Manage Microsoft 365 Groups Using PowerShell

Microsoft 365 groups are created automatically by M365 apps (Teams, SharePoint, Outlook, Yammer, etc.). By default, any tenant user can create Microsoft 365 groups. When a user creates a new group in Outlook or any other app, a Microsoft 365 group is created. Microsoft 365 groups are available in all M365 services.

The group immediately appears in the list of groups in the Azure portal and in the Microsoft 365 admin center.

List of Microsoft 365 Groups in Azure

To create Microsoft 365 groups, you can use the New-UnifiedGroup cmdlet from the Exchange Online PowerShell (EXO V2) module.

Connect with your tenant:

Connect-ExchangeOnline

To create a new M365 group, run this command:

New-UnifiedGroup -DisplayName "HQ IT Department" -Alias "it-dept" -EmailAddresses [email protected] -AccessType Private

There are two types of groups in M365:

  • Public – an open group. Any user can join the group and access its content;
  • Private – only group members have access. The group owner or an Azure administrator can add a user to a private group.

To add users or owners to the group, use the Add-UnifiedGroupLinks cmdlet. Let’s add a user to the group and make them an owner:

Add-UnifiedGroupLinks -Identity it-dept -LinkType Members -Links DiegoF
Add-UnifiedGroupLinks -Identity it-dept -LinkType Owners -Links DiegoF

You can also add a subscriber to the group. A subscriber receives email notifications of group activity (new conversations and calendar events):

Add-UnifiedGroupLinks -Identity it-dept -LinkType Subscribers -Links AlexW

If you want to add multiple users to a Microsoft 365 group at once, you can import the list of users from a CSV file:

Import-CSV "C:\PS\Data\add_m365_members.csv" | ForEach-Object {
    Add-UnifiedGroupLinks -Identity it-dept -LinkType Members -Links $_.member
}

To display all users in a group:

Get-UnifiedGroupLinks -Identity it-dept -LinkType Members

Get-UnifiedGroupLinks: List members of Microsoft 365 Groups

To show group owners:

Get-UnifiedGroupLinks -Identity it-dept -LinkType Owners

You can hide the M365 group from the Global Address List (GAL):

Set-UnifiedGroup -Identity it-dept -HiddenFromAddressListsEnabled $true
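Because a Public group's content is readable by any user in the tenant, it is worth knowing which Microsoft 365 groups are public and which have no owner at all. The function below, an added example that is not from the original article, builds that report from the Get-UnifiedGroup and Get-UnifiedGroupLinks cmdlets used in this section; it assumes an active Connect-ExchangeOnline session, and the function name is my own.

```powershell
# Added example (not from the original article): report Microsoft 365 groups whose
# content is open to the whole tenant (AccessType Public) or that have no owner.
# Assumes Connect-ExchangeOnline was run.
function Get-UnifiedGroupExposureReport {
    [CmdletBinding()]
    param()

    # -ResultSize Unlimited: the default result size silently truncates large tenants
    Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
        $grp     = $_
        $owners  = @(Get-UnifiedGroupLinks -Identity $grp.Identity -LinkType Owners)
        $members = @(Get-UnifiedGroupLinks -Identity $grp.Identity -LinkType Members)

        [PSCustomObject]@{
            DisplayName   = $grp.DisplayName
            Alias         = $grp.Alias
            AccessType    = $grp.AccessType                   # Public or Private
            HiddenFromGAL = $grp.HiddenFromAddressListsEnabled
            OwnerCount    = $owners.Count
            MemberCount   = $members.Count
            # Public groups expose their files and conversations tenant-wide;
            # ownerless groups have nobody to approve or remove members
            NeedsReview   = ($grp.AccessType -eq 'Public') -or ($owners.Count -eq 0)
        }
    }
}

# Usage: list only the groups flagged for review
Get-UnifiedGroupExposureReport | Where-Object NeedsReview | Format-Table -AutoSize
```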

Create and Manage Dynamic Groups with Azure AD PowerShell

You can create a dynamic group of users or devices in Azure AD. Members are added to the group automatically based on Azure AD user (or device) attributes. Dynamic membership is supported for both Azure AD security groups and Microsoft 365 groups. To create dynamic groups, use the New-AzureADMSGroup cmdlet from the AzureAD module.

Dynamic groups require an Azure AD Premium P1 or P2 license.

For example, you can create a dynamic group that includes all users in Munich (user.city -eq "Munich") with a specific job title (user.jobTitle -like "*Engineer*"). Let’s create a dynamic Azure security group for this example:

New-AzureADMSGroup -Description "mun_engineers" -DisplayName "All Munich IT dept engineers (dynamic)" -MailEnabled $false -SecurityEnabled $true -MailNickname mun_engineers -GroupTypes "DynamicMembership" -MembershipRule "(user.city -eq ""Munich"" -and user.jobTitle -contains ""Engineer"")" -MembershipRuleProcessingState "On"

New-AzureADMSGroup - Create Dynamic Groups in Azure AD with PowerShell

Unfortunately, the AzureAD module gives the following error after running the command:

New-AzureADMSGroup : A parameter cannot be found that matches parameter name 'MembershipRule'.

To create a dynamic group in Azure, you have to use the AzureADPreview module:

Import-Module AzureADPreview
Get-Command New-AzureADMSGroup

AzureAD Preview Module

To create a dynamic Microsoft 365 group, specify Unified as a group type:

New-AzureADMSGroup -DisplayName "M365 Admins" -Description "Dynamic Microsoft 365 Group for tenant admins" -MailEnabled $True -SecurityEnabled $True -MailNickname M365GAdmins -GroupTypes "DynamicMembership", "Unified" -MembershipRule "(User.department -eq ""IT"")" -MembershipRuleProcessingState "On"

The membership of Azure Dynamic Groups in an organization is updated when the properties of any user or device are changed. If you make bulk changes to AD, import multiple users, or change the group/user structure, it is recommended to suspend the automatic updating of dynamic groups for a period of time:

$dynGroupObj = Get-AzureADMSGroup -SearchString "All Munich IT dept engineers (dynamic)"
Set-AzureADMSGroup -Id $dynGroupObj.id -MembershipRuleProcessingState "Paused"

To enable rule processing for a dynamic group, run the command below:

Set-AzureADMSGroup -Id $dynGroupObj.id -MembershipRuleProcessingState "On"
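The pause/resume steps above are easy to get wrong when the bulk change fails halfway and the group is left paused. The helper below, an added example that is not from the original article, wraps any bulk change in a pause of rule processing and restores the previous state in a finally block. It assumes the AzureADPreview module, an active Connect-AzureAD session, and a constructed CSV path; the function name and parameters are my own.

```powershell
# Added example (not from the original article): run a bulk change while dynamic
# membership processing is paused, and always restore the previous processing state.
# Assumes AzureADPreview is loaded and Connect-AzureAD was run.
function Invoke-WithDynamicGroupPaused {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$GroupDisplayName,
        [Parameter(Mandatory)] [scriptblock]$BulkChange
    )

    # Exact-match lookup; double any apostrophe so the OData filter stays valid
    $escaped = $GroupDisplayName.Replace("'", "''")
    $grp = Get-AzureADMSGroup -Filter "displayName eq '$escaped'"
    if (-not $grp) { throw "Group '$GroupDisplayName' not found." }
    if ($grp.GroupTypes -notcontains 'DynamicMembership') {
        throw "'$GroupDisplayName' is not a dynamic group."
    }

    $previousState = $grp.MembershipRuleProcessingState   # normally "On"
    Write-Verbose "Membership rule: $($grp.MembershipRule)"

    Set-AzureADMSGroup -Id $grp.Id -MembershipRuleProcessingState 'Paused'
    try {
        & $BulkChange
    }
    finally {
        # Restore processing even if the bulk change threw; a group left in
        # "Paused" silently stops tracking attribute changes
        Set-AzureADMSGroup -Id $grp.Id -MembershipRuleProcessingState $previousState
        $after = Get-AzureADMSGroup -Id $grp.Id
        Write-Verbose "Processing state restored to: $($after.MembershipRuleProcessingState)"
    }
}

# Usage: apply department changes from a constructed CSV (UserPrincipalName,Department)
# while the example dynamic group from this article is paused
Invoke-WithDynamicGroupPaused -GroupDisplayName 'All Munich IT dept engineers (dynamic)' -Verbose -BulkChange {
    Import-Csv 'C:\PS\Data\dept_changes.csv' | ForEach-Object {
        Set-AzureADUser -ObjectId $_.UserPrincipalName -Department $_.Department
    }
}
```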

The table below shows the user attributes that you can use to build membership rules for Azure AD dynamic groups.

Type               Property                       Example
bool               accountEnabled                 (user.accountEnabled -eq true)
bool               dirSyncEnabled                 (user.dirSyncEnabled -eq true)
string             city                           (user.city -eq "value")
string             country                        (user.country -eq "value")
string             companyName                    (user.companyName -eq "value")
string             department                     (user.department -eq "value")
string             displayName                    (user.displayName -eq "value")
string             employeeId                     (user.employeeId -eq "value")
string             facsimileTelephoneNumber       (user.facsimileTelephoneNumber -eq "value")
string             givenName                      (user.givenName -eq "value")
string             jobTitle                       (user.jobTitle -eq "value")
string             mail                           (user.mail -eq "value")
string             mailNickName                   (user.mailNickName -eq "value")
string             mobile                         (user.mobile -eq "value")
string             objectId                       (user.objectId -eq "value")
string             onPremisesSecurityIdentifier   (user.onPremisesSecurityIdentifier -eq "value")
string             passwordPolicies               (user.passwordPolicies -eq "DisableStrongPassword")
string             physicalDeliveryOfficeName     (user.physicalDeliveryOfficeName -eq "value")
string             postalCode                     (user.postalCode -eq "value")
string             preferredLanguage              (user.preferredLanguage -eq "de-DE")
string             sipProxyAddress                (user.sipProxyAddress -eq "value")
string             state                          (user.state -eq "value")
string             streetAddress                  (user.streetAddress -eq "value")
string             surname                        (user.surname -eq "value")
string             telephoneNumber                (user.telephoneNumber -eq "value")
string             usageLocation                  (user.usageLocation -eq "US")
string             userPrincipalName              (user.userPrincipalName -eq "[email protected]")
string             userType                       (user.userType -eq "Member")
string collection  otherMails                     (user.otherMails -contains "[email protected]")
string collection  proxyAddresses                 (user.proxyAddresses -contains "SMTP: [email protected]")
