July 15, 2022 | Azure, Microsoft 365, PowerShell

Manage Groups in Azure AD and Microsoft 365 Using PowerShell

You can use graphical management tools such as the Azure Portal or the Microsoft 365 Admin Center to manage groups in Azure. In this article, we’ll show how to create, edit, update, and delete groups in Azure AD or Microsoft 365 using PowerShell.

Contents:
  • How to Create Azure AD Security Group Using PowerShell?
  • Managing Microsoft 365 Groups Using PowerShell
  • Create and Manage Dynamic Groups with Azure AD PowerShell

The first thing to note is that there are several types of groups in Azure (M365):

  • Azure AD security groups are used to manage access to Azure apps and resources. You can allow access to an Azure app, assign policies or Azure licenses (group-based licensing) to the security groups.
  • Microsoft 365 groups (earlier called Office 365 groups) are used as a universal means to access different Microsoft 365 products (Teams, Yammer, PowerBI, SharePoint, and a shared Outlook mailbox). In general, an M365 group is a shared working area for team members. When a user is added to an M365 group, they can access all content posted since the group was created. Users in such a group can share files, documents, mailing lists, calendars, etc.;
  • Distribution groups are used for distributing messages to a group of recipients or sending mass email;
  • Mail-enabled security groups are used both to grant access to resources and to send mailouts.

You can add users to an Azure AD or Microsoft 365 group manually (assigned membership) or dynamically (added automatically based on user/device attributes).

How to Create Azure AD Security Group Using PowerShell?

Azure AD security groups can be created manually or synced from the on-prem Active Directory. Let’s see how to create Azure AD security groups and add users to them using PowerShell.

Connect to your Azure tenant using the Azure AD PowerShell module:

Connect-AzureAD

To create a new Azure security group, run the command below:

New-AzureADGroup -DisplayName grVMadmins -SecurityEnabled $true -Description "CORP VM admins" -MailEnabled $false -MailNickName "NotSet"

[Screenshot: New-AzureADGroup – creating a security group and adding members in Azure Active Directory via PowerShell]

Using the Microsoft Graph API, you can get the creation date of a group in Azure AD.

To get information about a group, run the command:

Get-AzureADGroup -SearchString grVMadmins

To add a user to an Azure AD group, use the Add-AzureADGroupMember cmdlet.

Get a user and group ID:

$GroupObj = Get-AzureADGroup -SearchString grVMadmins
$UserObj = Get-AzureADUser -SearchString AlexW@woshub.com

Then add the user ID to the group:

Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

List the members of a group:

$GroupObj = Get-AzureADGroup -SearchString grVMadmins
Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId | Select-Object DisplayName,UserPrincipalName,UserType

[Screenshot: Get-AzureADGroupMember – listing members of an Azure AD group using PowerShell]

You can assign an Azure group owner using Add-AzureADGroupOwner (the parameters are the same as for Add-AzureADGroupMember):

Add-AzureADGroupOwner -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

To display a group owner:

$GroupObj = Get-AzureADGroup -SearchString grVMadmins
Get-AzureADGroupOwner -ObjectId $GroupObj.ObjectId

To list all groups synced from an on-prem Active Directory via Azure AD Connect, run the command below (the LastDirSyncTime attribute shows the date of the last synchronization):

Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | Select-Object ObjectId,DisplayName,LastDirSyncTime
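The commands above are one-off steps. The following script, added here as an example and not taken from the original article, puts them together into a re-runnable function: it creates the security group only if it does not already exist, adds members and an owner only when they are not already present (so re-running it does not produce "already exists" errors), and returns the final membership for review. It assumes the AzureAD module and an existing Connect-AzureAD session; the function name, the group name and the user principal names are constructed sample values.

```powershell
# Added example (not from the original article). Assumes Connect-AzureAD
# has already been run with the AzureAD module loaded.
function Initialize-AzureADSecurityGroup {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [string]   $Description = "",
        [string[]] $MemberUpns  = @(),
        [string]   $OwnerUpn
    )

    # Filter on the exact DisplayName. -SearchString is a prefix match and may
    # return more than one group (for example "grVMadmins" and "grVMadmins-old").
    $group = @(Get-AzureADGroup -Filter "DisplayName eq '$DisplayName'")
    if ($group.Count -gt 1) {
        throw "More than one group named '$DisplayName' exists; refusing to guess."
    }
    if ($group.Count -eq 0) {
        $group = New-AzureADGroup -DisplayName $DisplayName -Description $Description `
            -SecurityEnabled $true -MailEnabled $false -MailNickName "NotSet"
        Write-Host "Created group $DisplayName ($($group.ObjectId))"
    } else {
        $group = $group[0]
    }

    # Index the current members by ObjectId so the script can be re-run safely.
    $current = @{}
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        ForEach-Object { $current[$_.ObjectId] = $true }

    foreach ($upn in $MemberUpns) {
        # -ObjectId accepts either the object GUID or the UPN.
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "User $upn not found, skipped"; continue }
        if ($current.ContainsKey($user.ObjectId)) { continue }
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
        Write-Host "Added member $upn"
    }

    if ($OwnerUpn) {
        $owner  = Get-AzureADUser -ObjectId $OwnerUpn
        $owners = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId)
        if (-not ($owners.ObjectId -contains $owner.ObjectId)) {
            Add-AzureADGroupOwner -ObjectId $group.ObjectId -RefObjectId $owner.ObjectId
            Write-Host "Added owner $OwnerUpn"
        }
    }

    # Return the resulting membership so the caller can review or log it.
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Select-Object DisplayName, UserPrincipalName, UserType
}

# Usage with constructed sample values:
Initialize-AzureADSecurityGroup -DisplayName "grVMadmins" -Description "CORP VM admins" `
    -MemberUpns @("AlexW@woshub.com", "DiegoF@woshub.com") -OwnerUpn "AlexW@woshub.com"
```

Because the function throws when the display name is ambiguous and skips unknown users instead of failing half-way, it is safe to run from a scheduled job; the returned membership list is what you would keep as an audit record of who holds the group's access.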

Managing Microsoft 365 Groups Using PowerShell

Microsoft 365 groups are created automatically by M365 apps (Teams, SharePoint, Outlook, Yammer, etc.). By default, any tenant user can create a Microsoft 365 group. When a user creates a new group in Outlook or any other app, it is a Microsoft 365 group that is created. Microsoft 365 groups are available in all M365 services.

[Screenshot: creating a new universal group in Azure / Microsoft 365]

The group appears in the list of groups in the Azure Portal and in Microsoft 365 Admin Center right away.

[Screenshot: list of Microsoft 365 groups in Azure]

To create Microsoft 365 groups, you can use the New-UnifiedGroup cmdlet from the Exchange Online PowerShell (EXOv2) module.

Connect to your tenant:

Connect-ExchangeOnline

In order to create a new M365 group, run this command:

New-UnifiedGroup -DisplayName "HQ IT Department" -Alias "it-dept" -EmailAddresses it-dept@woshub.com -AccessType Private

M365 has two types of groups:

  • Public – an open group. Any user can join the group and access its contents;
  • Private – only group members have access. The owner of the group or an Azure admin can add a user to a private group.

To add users or owners to the group, use the Add-UnifiedGroupLinks cmdlet. Let’s add a user to the group and make them the owner (an owner must already be a member):

Add-UnifiedGroupLinks -Identity it-dept -LinkType Members -Links DiegoF
Add-UnifiedGroupLinks -Identity it-dept -LinkType Owners -Links DiegoF

You can add a subscriber to the group. A subscriber will receive email notifications:

Add-UnifiedGroupLinks -Identity it-dept -LinkType Subscribers -Links AlexW

If you want to add multiple users to a Microsoft 365 group at once, you can import a list of users from a CSV file (the file has a column header named member):

Import-CSV "C:\PS\Data\add_m365_members.csv" | ForEach-Object {
    Add-UnifiedGroupLinks -Identity it-dept -LinkType Members -Links $_.member
}

To display all users in a group:

Get-UnifiedGroupLinks -Identity it-dept -LinkType Members

[Screenshot: Get-UnifiedGroupLinks – listing members of a Microsoft 365 group]

To show group owners:

Get-UnifiedGroupLinks -Identity it-dept -LinkType Owners

You can hide the M365 group from the Global Address List (GAL):

Set-UnifiedGroup -Identity it-dept -HiddenFromAddressListsEnabled $true
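Since any tenant user can create a Microsoft 365 group by default, and a Public group lets any user join and read its content, an administrator usually wants a regular inventory of groups that are Public or have no owner left to manage them. The script below is an added example, not code from the original article: it walks all Microsoft 365 groups with Get-UnifiedGroup, reports the Public and ownerless ones, and can optionally switch the Public ones to Private with Set-UnifiedGroup. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the function name and the -MakePrivate switch are constructed for this example.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline
# has already been run.
function Get-RiskyUnifiedGroup {
    param(
        # Hypothetical switch: when set, Public groups are changed to Private.
        [switch] $MakePrivate
    )

    $report = foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
        $owners  = @(Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Owners)
        $members = @(Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Members)

        $isPublic = ($g.AccessType -eq "Public")
        $noOwner  = ($owners.Count -eq 0)
        if (-not ($isPublic -or $noOwner)) { continue }   # nothing to report

        if ($isPublic -and $MakePrivate) {
            # Private: only existing members keep access; new members must be
            # added by an owner or an admin.
            Set-UnifiedGroup -Identity $g.Identity -AccessType Private
        }

        [pscustomobject]@{
            DisplayName   = $g.DisplayName
            Alias         = $g.Alias
            AccessType    = $g.AccessType
            OwnerCount    = $owners.Count
            MemberCount   = $members.Count
            HiddenFromGAL = $g.HiddenFromAddressListsEnabled
            Finding       = @(
                if ($isPublic) { "Public" }
                if ($noOwner)  { "NoOwner" }
            ) -join ","
            Remediated    = [bool]($isPublic -and $MakePrivate)
        }
    }

    $report | Sort-Object Finding, DisplayName
}

# Report only:
Get-RiskyUnifiedGroup | Format-Table -AutoSize

# Report and convert Public groups to Private (review the report first):
# Get-RiskyUnifiedGroup -MakePrivate
```

Run it without the switch first and keep the output; the AccessType column shows the value as it was before any change, so the report doubles as the change record when you later run it with -MakePrivate. Ownerless groups are only reported, because choosing a new owner is a decision for the business side.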

Create and Manage Dynamic Groups with Azure AD PowerShell

You can create a dynamic group of users or devices in Azure AD. Members are added to the group automatically based on Azure user or device attributes. Dynamic membership is supported for both Azure security and Microsoft 365 groups. To create dynamic groups, use the New-AzureADMSGroup cmdlet from the AzureAD module.

Dynamic groups require an Azure AD Premium P1 or P2 license.

For example, you can create a dynamic group that includes all users from Munich (user.city -eq "Munich") with the specific job position (user.jobTitle -like "*Engineer*"). Let’s create a dynamic Azure security group for this example:

New-AzureADMSGroup -Description "mun_engineers" -DisplayName "All Munich IT dept engineers (dynamic)" -MailEnabled $false -SecurityEnabled $true -MailNickname mun_engineers -GroupTypes "DynamicMembership" -MembershipRule "(user.city -eq ""Munich"" -and user.jobTitle -contains ""Engineer"")" -MembershipRuleProcessingState "On"

[Screenshot: New-AzureADMSGroup – creating a dynamic group in Azure AD with PowerShell]

Unfortunately, the AzureAD module returns the following error after running the command:

New-AzureADMSGroup : A parameter cannot be found that matches parameter name 'MembershipRule'.

To create a dynamic group in Azure, you have to use the AzureADPreview module:

Import-Module AzureADPreview
Get-Command New-AzureADMSGroup

[Screenshot: New-AzureADMSGroup from the AzureADPreview module]

To create a dynamic Microsoft 365 group, specify Unified as a group type:

New-AzureADMSGroup -DisplayName "M365 Admins" -Description "Dynamic Microsoft 365 Group for tenant admins" -MailEnabled $True -SecurityEnabled $True -MailNickname M365GAdmins -GroupTypes "DynamicMembership", "Unified" -MembershipRule "(User.department -eq ""IT"")" -MembershipRuleProcessingState "On"

Membership of the Azure dynamic groups in an organization is recalculated whenever user or device properties change. If you make bulk changes to AD, import many users, or restructure groups and users, it is recommended to suspend automatic updating of dynamic groups for some time:

$dynGroupObj = Get-AzureADMSGroup -SearchString "All Munich IT dept engineers (dynamic)"
Set-AzureADMSGroup -Id $dynGroupObj.Id -MembershipRuleProcessingState "Paused"

To enable rule processing for a dynamic group, run the command below:

Set-AzureADMSGroup -Id $dynGroupObj.Id -MembershipRuleProcessingState "On"
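Pausing one group by name, as above, does not scale when a tenant has dozens of dynamic groups, and it is easy to forget which groups were already paused on purpose before the maintenance window. The following script is an added example, not part of the original article: it finds every dynamic group, records each group's current MembershipRuleProcessingState and rule to a JSON file, pauses only the groups that were "On", and later resumes exactly those groups. It assumes the AzureADPreview module and an existing Connect-AzureAD session; the function names and the state file path are assumptions.

```powershell
# Added example (not from the original article). Assumes Connect-AzureAD has
# been run with the AzureADPreview module loaded.

# Assumed location for the saved state; adjust to your environment.
$StateFile = "C:\PS\Data\dynamic_group_state.json"

function Suspend-DynamicGroupProcessing {
    # Dynamic groups carry "DynamicMembership" in GroupTypes.
    $dynamic = Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains "DynamicMembership" }

    $state = @(foreach ($g in $dynamic) {
        [pscustomobject]@{
            Id             = $g.Id
            DisplayName    = $g.DisplayName
            PreviousState  = $g.MembershipRuleProcessingState
            MembershipRule = $g.MembershipRule
        }
    })

    # Persist the state before changing anything, so an interrupted run can
    # still be undone from the file.
    $state | ConvertTo-Json -Depth 3 | Set-Content -Path $StateFile

    foreach ($g in $state) {
        if ($g.PreviousState -eq "On") {
            Set-AzureADMSGroup -Id $g.Id -MembershipRuleProcessingState "Paused"
            Write-Host "Paused: $($g.DisplayName)"
        } else {
            Write-Host "Left as '$($g.PreviousState)': $($g.DisplayName)"
        }
    }
    return $state
}

function Resume-DynamicGroupProcessing {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $state = @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json)

    foreach ($g in $state) {
        # Re-enable only groups that were On before the pause; groups that were
        # deliberately paused by someone else stay paused.
        if ($g.PreviousState -eq "On") {
            Set-AzureADMSGroup -Id $g.Id -MembershipRuleProcessingState "On"
            Write-Host "Resumed: $($g.DisplayName)"
        }
    }
}

# Usage:
# Suspend-DynamicGroupProcessing | Format-Table DisplayName, PreviousState
# ... perform the bulk import or attribute changes ...
# Resume-DynamicGroupProcessing
```

Saving the membership rule alongside the state is deliberate: if a group's rule is changed during the maintenance window, the file gives you the previous rule to compare against before processing is switched back on.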

The table below shows user attributes you can use to build queries for Azure dynamic groups.

Type               Attribute                          Example
Bool               accountEnabled                     user.accountEnabled -eq true
Bool               dirSyncEnabled                     user.dirSyncEnabled -eq true
String             city                               (user.city -eq "value")
String             country                            (user.country -eq "value")
String             companyName                        (user.companyName -eq "value")
String             department                         (user.department -eq "value")
String             displayName                        (user.displayName -eq "value")
String             employeeId                         (user.employeeId -eq "value")
String             facsimileTelephoneNumber           (user.facsimileTelephoneNumber -eq "value")
String             givenName                          (user.givenName -eq "value")
String             jobTitle                           (user.jobTitle -eq "value")
String             mail                               (user.mail -eq "value")
String             mailNickName                       (user.mailNickName -eq "value")
String             mobile                             (user.mobile -eq "value")
String             objectId                           (user.objectId -eq "value")
String             onPremisesSecurityIdentifier       (user.onPremisesSecurityIdentifier -eq "value")
String             passwordPolicies                   (user.passwordPolicies -eq "DisableStrongPassword")
String             physicalDeliveryOfficeName         (user.physicalDeliveryOfficeName -eq "value")
String             postalCode                         (user.postalCode -eq "value")
String             preferredLanguage                  (user.preferredLanguage -eq "de-DE")
String             sipProxyAddress                    (user.sipProxyAddress -eq "value")
String             state                              (user.state -eq "value")
String             streetAddress                      (user.streetAddress -eq "value")
String             surname                            (user.surname -eq "value")
String             telephoneNumber                    (user.telephoneNumber -eq "value")
String             usageLocation                      (user.usageLocation -eq "US")
String             userPrincipalName                  (user.userPrincipalName -eq "user@contoso.com")
String             userType                           (user.userType -eq "Member")
String collection  otherMails                         (user.otherMails -contains "user@contoso.com")
String collection  proxyAddresses                     (user.proxyAddresses -contains "SMTP: alias@contoso.com")

In on-prem Active Directory, you can use Exchange dynamic distribution groups only.

If you want to create dynamic security groups in AD, you can use PowerShell automation scripts (see an example). Learn more about group management in an on-prem Active Directory using PowerShell.
