You can use graphical management tools such as Azure Portal or the Microsoft 365 Admin Center to manage groups in Azure. In this article, we’ll show how to create, edit, update, and delete groups in Azure AD or Microsoft 365 using PowerShell.
The first thing to note is that there are several types of groups in Azure (M365):
- Azure AD security groups are used to manage access to Azure apps and resources. You can allow access to an Azure app, assign policies or Azure licenses (group-based licensing) to the security groups.
- Microsoft 365 groups (earlier called Office 365 groups) are used as a universal means to access different Microsoft 365 products (Teams, Yammer, PowerBI, SharePoint, and a shared Outlook mailbox). In general, M365 is a shared working area for team members. When adding a user to an M365 group, they can access all content posted since the group has been created. Users in such a group can share files, documents, mailing lists, calendars, etc;
- Distribution groups are used for distributing messages to a group of recipients or sending mass email;
- Mail-enabled security groups are used both to grant access to resources and to send mailouts.
You can add users to Azure AD or Microsoft 365 group manually (assigned membership) or dynamically (added automatically based on user/device attributes).
How to Create Azure AD Security Group Using PowerShell?
Azure AD security groups can be created manually or synced from the on-prem Active Directory. Let’s see how to create Azure AD security groups and add users to them using PowerShell.
Connect to your Azure tenant using the Azure AD PowerShell module:
Connect-AzureAD
To create a new Azure security group, run the command below:
New-AzureADGroup –DisplayName grVMadmins -SecurityEnabled $true -Description "CORP VM admins" -MailEnabled $false -MailNickName "NotSet"
To get information about a group, run the command:
Get-AzureADGroup -SearchString grVMadmins
To add a user to an Azure AD group, use the Add-AzureADGroupMember cmdlet.
Get a user and group ID:
$GroupObj = Get-AzureADGroup -SearchString grVMadmins
$UserObj = Get-AzureADUser -SearchString AlexW@woshub.com
Then add the user ID to the group:
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
List the members of a group:
$GroupObj = Get-AzureADGroup -SearchString grVMadmins
Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId| select DisplayName,UserPrincipalName,UserType
You can assign an Azure group owner using Add-AzureADGroupOwner.
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
To display a group owner:
$GroupObj = Get-AzureADGroup -SearchString grVMadmins
Get-AzureADGroupOwner -ObjectId $GroupObj.ObjectId
To list all groups synced from an on-prem Active Directory via Azure AD Connect (the LastDirSyncTime attribute shows the date of the last synchronization).
Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | select ObjectId,DisplayName,LastDirSyncTime
Managing Microsoft 365 Groups Using PowerShell
Microsoft 365 groups are created automatically using M365 apps (Teams, Share Point, Outlook, Yammer, etc.). By default, any tenant user can create a Microsoft 365 group. When a user creates a new group in Outlook or any other app, it is a Microsoft 365 group that is created. Microsoft 365 groups are available in all M365 services.
The group appears in the list of groups in the Azure Portal and in Microsoft 365 Admin Center right away.
To create Microsoft 365 groups, you can use the New-UnifiedGroup cmdlet from the Exchange Online for PowerShell (EXOv2) module.
Connect to your tenant:
Connect-ExchangeOnline
In order to create a new M365 group, run this command:
New-UnifiedGroup -DisplayName "HQ IT Department" -Alias "it-dept" -EmailAddresses it-dept@woshub.com -AccessType Private
M365 has two types of groups:
- Public – an open group. Any user can join the group and access its contents;
- Private – only group members have access. The owner of the group or an Azure admin can add a user to a private group.
To add users or owners to the group, use the Add-UnifiedGroupLinks cmdlet. Let’s add a user to the group and assign it as the owner:
Add-UnifiedGroupLinks –Identity it-dept –LinkType Members –Links DiegoF
Add-UnifiedGroupLinks –Identity it-dept –LinkType Owners –Links DiegoF
You can add a subscriber to the group. A subscriber will receive email notifications:Add-UnifiedGroupLinks –Identity it-dept –LinkType Subscribers –Links AlexW
If you want to add multiple users to a Microsoft 365 group at once, you can import a list of users from a CSV file:
Import-CSV "C:\PS\Data\add_m365_members.csv" | ForEach-Object {
Add-UnifiedGroupLinks –Identity it-dept –LinkType Members –Links $_.member
}
To display all users in a group:
Get-UnifiedGroupLinks –Identity it-dept –LinkType Members
To show group owners:
Get-UnifiedGroupLinks –Identity it-dept –LinkType Owners
You can hide the M365 group from the Global Address List (GAL):
Set-UnifiedGroup -Identity it-dept -HiddenFromAddressListsEnabled $true
Create and Manage Dynamic Groups with Azure AD PowerShell
You can create a dynamic group of users or devices in Azure AD. The members are added to the group dynamically based on Azure user attributes. Dynamic membership is supported for both Azure security and Microsoft 365 groups. To create dynamic groups, use the New-AzureADMSGroup cmdlet from AzureAD module.
For example, you can create a dynamic group that includes all users from Munich (user.city -eq "Munich") with the specific job position (user.jobTitle -like "*Engineer*"). Let’s create a dynamic Azure security group for this example:
New-AzureADMSGroup -Description "mun_engineers" -DisplayName "All Munich IT dept engineers (dynamic)" -MailEnabled $false -SecurityEnabled $true -MailNickname mun_engineers -GroupTypes "DynamicMembership" -MembershipRule "(user.city -eq ""Munich"" -and user.jobTitle -contains ""Engineer"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup : A parameter cannot be found that matches parameter name 'MembershipRule'.
To create a dynamic group in Azure, you have to use the AzureADPreview module:Import-Module AzureADPreview
get-command New-AzureADMSGroup
To create a dynamic Microsoft 365 group, specify Unified as a group type:
New-AzureADMSGroup -DisplayName "M365 Admins" -Description "Dynamic Microsoft 365 Group for tenant admins" -MailEnabled $True -SecurityEnabled $True -MailNickname M365GAdmins -GroupTypes "DynamicMembership", "Unified" -MembershipRule "(User.department -eq ""IT"")" -MembershipRuleProcessingState "On"
Membership in the Azure dynamic groups in an organization is updated when any user or device properties are changed. If you make bulk changes to AD, import many users, or change group/user architecture, it is recommended to suspend automatic update of dynamic groups for some time:
$dynGroupObj = Get-AzureADMSGroup -SearchString “All Munich IT dept engineers (dynamic)”
Set-AzureADMSGroup -Id $dynGroupObj.id -MembershipRuleProcessingState "Paused"
To enable rule processing for a dynamic group, run the command below:
Set-AzureADMSGroup -Id $dynGroupObj.id -MembershipRuleProcessingState "On"
The table below shows user attributes you can use to build queries for Azure dynamic groups.
| Type | Attribute | Example |
| Bool | accountEnabled | user.accountEnabled -eq true |
| Bool | dirSyncEnabled | user.dirSyncEnabled -eq true |
| String | city | (user.city -eq "value") |
| String | country | (user.country -eq “value”) |
| String | companyName | (user.companyName -eq “value”) |
| String | department | (user.department -eq “value”) |
| String | displayName | (user.displayName -eq “value”) |
| String | employeeId | (user.employeeId -eq “value”) |
| String | facsimileTelephoneNumber | (user.facsimileTelephoneNumber -eq “value”) |
| String | givenName | (user.givenName -eq “value”) |
| String | jobTitle | (user.jobTitle -eq “value”) |
| String | (user.mail -eq “value”) | |
| String | mailNickName | (user.mailNickName -eq “value”) |
| String | mobile | (user.mobile -eq “value”) |
| String | objectId | (user.objectId -eq “value”) |
| String | onPremisesSecurityIdentifier | (user.onPremisesSecurityIdentifier -eq “value”) |
| String | passwordPolicies | (user.passwordPolicies -eq “DisableStrongPassword”) |
| String | physicalDeliveryOfficeName | (user.physicalDeliveryOfficeName -eq “value”) |
| String | postalCode | (user.postalCode -eq “value”) |
| String | preferredLanguage | (user.preferredLanguage -eq “de-DE”) |
| String | sipProxyAddress | user.sipProxyAddress -eq “value” |
| String | state | (user.state -eq “value”) |
| String | streetAddress | user.streetAddress -eq “value” |
| String | surname | user.surname -eq “value” |
| String | telephoneNumber | (user.telephoneNumber -eq “value”) |
| String | usageLocation | (user.usageLocation -eq “US”) |
| String | userPrincipalName | (user.userPrincipalName -eq “user@contoso.com”) |
| String | userType | (user.userType -eq “Member”) |
| String collection | otherMails | (user.otherMails -contains “user@contoso.com”) |
| String collection | proxyAddresses | (user.proxyAddresses -contains “SMTP: alias@contoso.com”) |
If you want to create dynamic security groups in AD, you can use PowerShell automation scripts (see an example). Learn more about group management in an on-prem Active Directory using PowerShell.