In this Azure tutorial, we will discuss how to work with Azure AD group membership using PowerShell. We will also cover the topics below:
- Create Azure AD group PowerShell
- Retrieve the existing groups PowerShell
- Create Azure AD Groups PowerShell
- Update Azure AD Groups PowerShell
- Delete Azure AD Groups PowerShell
- Azure AD add user to the group PowerShell
- PowerShell command to get azure ad group members
- PowerShell command to remove azure ad group members
- Azure AD dynamic groups PowerShell
- Group types in Azure AD
- Azure AD group policy PowerShell
- Create AD group settings at the directory level using PowerShell
- Update AD group settings at the directory level using PowerShell
- Read group settings at the directory level using PowerShell
- Remove group settings at the directory level using PowerShell
- Create AD group settings for a specific group using PowerShell
- Update AD group settings for a specific group using PowerShell
- Azure AD group owner PowerShell
- How to add an owner to an AzureAD group using PowerShell
- How to get the owner details of an AzureAD group using PowerShell.
Azure AD group membership PowerShell
We can use Get-AzureADGroupMember to retrieve the members of an Azure Active Directory group using PowerShell.
Syntax:
Get-AzureADGroupMember
-ObjectId <String>
[-All <Boolean>]
[-Top <Int32>]
[<CommonParameters>]
Parameters
-All
If the value is true, return all group members. If the value is false, return the number of objects
-ObjectId
It specifies the ID of the group in Azure AD to which the user belongs.
-Top
It specifies the maximum number of records to return.
You can use the command as shown below to get the member details from a group in Azure Active Directory.
PS C:\windows\system32> Get-AzureADGroupMember
Once you execute the above command, it will prompt you to enter the ObjectId (the ID of the AD group to which the user belongs).

Now enter the ObjectId and run the command. The output will be
ObjectId                             DisplayName UserPrincipalName                 UserType
--------                             ----------- -----------------                 --------
ee09bfcd-36e9-47c2-a98c-cf19412540e6 Bks Sahoo   bks@SPSkyTraining.onmicrosoft.com Member

Or else you can also use the command in the below format.
PS C:\windows\system32> Get-AzureADGroupMember -ObjectId "23359f6d-850e-47e3-96b3-6ccae2ecb7bd"
You can mention the ObjectId with the Get-AzureADGroupMember command inline.

Output will be
ObjectId                             DisplayName UserPrincipalName                 UserType
--------                             ----------- -----------------                 --------
ee09bfcd-36e9-47c2-a98c-cf19412540e6 Bks Sahoo   bks@SPSkyTraining.onmicrosoft.com Member
Note:
Before running the above commands, you need to connect to Azure AD using the below command.
PS C:\windows\system32> Connect-AzureAD

Create Azure AD group PowerShell
Let's see how we can create a group, retrieve the existing groups, update groups, and delete groups in Azure Active Directory using PowerShell.
Connect to the Azure Account PowerShell
You must connect your PowerShell session first. Run the below command and enter your username and password.
PS C:\windows\system32> Connect-AzureAD

You can see above that the session connected successfully.
Retrieve the existing groups PowerShell
You can use Get-AzureADGroup to get the list of groups present in your AD using the below command.
The syntax is
Get-AzureADGroup [-All <Boolean>] [-Top <Int32>] [-Filter <String>] [<CommonParameters>]
or
Get-AzureADGroup [-SearchString <String>] [-All <Boolean>] [<CommonParameters>]
or
Get-AzureADGroup -ObjectId <String> [-All <Boolean>] [<CommonParameters>]
PS C:\windows\system32> get-azureadgroup

For a specific group, you can use the -ObjectId parameter to retrieve it.
PS C:\Windows\system32> get-azureadgroup -ObjectId 219b773f-bc3b-4aef-b320-024a2eec0b5b
Output will be
ObjectId                             DisplayName  Description
--------                             -----------  -----------
219b773f-bc3b-4aef-b320-024a2eec0b5b TSInfo Users This group is for TSInfo Users

ObjectId 219b773f-bc3b-4aef-b320-024a2eec0b5b is the objectID for a specific group. In my case, it is TSInfo Users group.
Create Azure AD Groups PowerShell
You can create a group in your AD using the New-AzureADGroup command.
The syntax is
New-AzureADGroup [-InformationAction <ActionPreference>] [-InformationVariable <String>] [-Description <String>] -DisplayName <String> -MailEnabled <Boolean> -MailNickName <String> -SecurityEnabled <Boolean> [<CommonParameters>]
Parameters:
- -Description: We can use this parameter to set the description of the AD group.
- -DisplayName: We can set the display name for the group.
- -InformationVariable: It sets the information variable
- -MailEnabled: It specifies whether mail is enabled or not.
- -MailNickName: It sets the mail nickname.
- -SecurityEnabled: It specifies whether the group is security enabled or not.
For example:
PS C:\Windows\system32> New-AzureADGroup -Description "TsInfoGroupNew group is for TsInfo" -DisplayName "TsInfoGroupNew" -MailEnabled $false -SecurityEnabled $true -MailNickName "TsInfoGroupNew"
The output will be
ObjectId                             DisplayName    Description
--------                             -----------    -----------
23359f6d-850e-47e3-96b3-6ccae2ecb7bd TsInfoGroupNew TsInfoGroupNew group is for TsInfo
You can see below the group created successfully.

Update Azure AD Groups PowerShell
You can update the information for an existing group using the Set-AzureADGroup command.
The syntax is
Set-AzureADGroup -ObjectId <String> [-InformationAction <ActionPreference>] [-InformationVariable <String>] [-Description <String>] [-DisplayName <String>] [-MailEnabled <Boolean>] [-MailNickName <String>] [-SecurityEnabled <Boolean>] [<CommonParameters>]
For example, suppose we want to change the description of the group created above.
PS C:\Windows\system32> Set-AzureADGroup -ObjectId 219b773f-bc3b-4aef-b320-024a2eec0b5b -Description "This group is TsInfoGroupNew"
This will change the description from "TsInfoGroupNew" to "This group is TsInfoGroupNew".
Delete Azure AD Groups PowerShell
To delete the specific group you can use the below command.
PS C:\Windows\system32> Remove-AzureADGroup -ObjectId 219b773f-bc3b-4aef-b320-024a2eec0b5b
ObjectId 219b773f-bc3b-4aef-b320-024a2eec0b5b is the objectID for a specific group.
Azure AD add user to the group PowerShell
Now that our group TsInfoGroupNew is created, we can add members to it.
We can use the Add-AzureADGroupMember command to add a member to the group.
The syntax is
Add-AzureADGroupMember -ObjectId <String> -RefObjectId <String> [-InformationAction <ActionPreference>]
[-InformationVariable <String>] [<CommonParameters>]
Parameters:
- -ObjectId: Specifies the ID of a group in Azure Active Directory.
- -RefObjectId: Specifies the ID of the Active Directory object to add as a group member.
PS C:\Windows\system32> Add-AzureADGroupMember -ObjectId 23359f6d-850e-47e3-96b3-6ccae2ecb7bd -RefObjectId ee09bfcd-36e9-47c2-a98c-cf19412540e6

Here, the ObjectId parameter is the ObjectId of the group and RefObjectId is the ObjectId of the user we want to add as a member.
PowerShell command to get azure ad group members
If you want to get the existing members that belong to a group, you can use the Get-AzureADGroupMember command.
The syntax is
Get-AzureADGroupMember -ObjectId <String> [-All <Boolean>] [-Top <Int32>] [<CommonParameters>]
PS C:\Windows\system32> Get-AzureADGroupMember -ObjectId 219b773f-bc3b-4aef-b320-024a2eec0b5b
The output will be
ObjectId                             DisplayName UserPrincipalName                 UserType
--------                             ----------- -----------------                 --------
ee09bfcd-36e9-47c2-a98c-cf19412540e6 Bks Sahoo   bks@SPSkyTraining.onmicrosoft.com Member

PowerShell command to remove azure ad group members
To remove the member we previously added to the group, we can use the Remove-AzureADGroupMember command.
PS C:\Windows\system32> Remove-AzureADGroupMember -ObjectId f21bae22-8ac0-780c-bc37-udae0f3da61i -MemberId ee09bfcd-36e9-47c2-a98c-cf19412540e6
Azure AD dynamic groups PowerShell
You can also create a Dynamic Group in Azure Active Directory using the below command.
PS C:\Windows\system32> New-AzureADMSGroup -DisplayName "TsInfoDynamicGroup" -Description "Dynamic group for TsInfo" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""TS"")" -MembershipRuleProcessingState "On"
Parameters
- -Description: This sets a description for the group.
- -DisplayName: This property sets a display name for the group.
- -GroupTypes: Specifies that the group is a dynamic group. Specify a value of DynamicMembership if you want to create a dynamic group.
- -MembershipRuleProcessingState: Sets the rule processing state. The options are
1- “On”: It will process the group rule.
2- “Paused”: It will stop processing the group rule.
- -Visibility: This property sets the visibility of the group’s content and members list. The options are “Public”, “Private”, and “HiddenMembership”. The default value is “Public”.
Azure AD group types
There are two types of Azure AD groups.
1- Static AD group
A static group is a group whose membership will not change.
You can change a dynamic group to static using PowerShell. Execute the code below in your PowerShell ISE or Windows PowerShell.
# Group type string that marks a group as dynamic
$mydynamicGroup = "DynamicMembership"
function ToConvertDynamicGroupToStatic
{
    Param([string]$mygroupId)
    # Existing group types of the group
    [System.Collections.ArrayList]$mygroupTypes = (Get-AzureAdMsGroup -Id $mygroupId).GroupTypes
    if($null -eq $mygroupTypes -or !$mygroupTypes.Contains($mydynamicGroup))
    {
        throw "This group is already a static group. No changes required.";
    }
    # Remove the dynamic type but keep the other group type values
    $mygroupTypes.Remove($mydynamicGroup)
    # Save the group types and pause processing of the current membership rule
    Set-AzureAdMsGroup -Id $mygroupId -GroupTypes $mygroupTypes.ToArray() -MembershipRuleProcessingState "Paused"
}
ToConvertDynamicGroupToStatic "23359f6d-850e-47e3-96b3-6ccae2ecb7bd"
“23359f6d-850e-47e3-96b3-6ccae2ecb7bd” is the id of my AzureAD group.

Since my AD group is already a static group, it showed me “This group is already a static group. No changes required.” Otherwise, it would have converted the dynamic group to a static group.
2- Dynamic AD group
A dynamic group is a group whose membership can change based on a certain set of criteria.
You can change a static group to dynamic using PowerShell. Execute the code below in your PowerShell ISE or Windows PowerShell.
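# Group type string that marks a group as dynamic
$mydynamicGroup = "DynamicMembership"
function ToConvertStaticGroupToDynamic
{
    Param([string]$mygroupId, [string]$mydynamicMembershipRule)
    # Existing group types of the group
    [System.Collections.ArrayList]$mygroupTypes = (Get-AzureAdMsGroup -Id $mygroupId).GroupTypes
    if($null -ne $mygroupTypes -and $mygroupTypes.Contains($mydynamicGroup))
    {
        throw "This group is already a dynamic group. No changes required.";
    }
    # Add the dynamic type; [void] discards the index that Add() returns
    [void]$mygroupTypes.Add($mydynamicGroup)
    # Save the group types, set the membership rule and start processing it
    Set-AzureAdMsGroup -Id $mygroupId -GroupTypes $mygroupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $mydynamicMembershipRule
}
# The second argument is the membership rule; this is the rule from the dynamic group example earlier on this page
ToConvertStaticGroupToDynamic "23359f6d-850e-47e3-96b3-6ccae2ecb7bd" '(user.department -contains "TS")'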

Azure AD group policy PowerShell
You can use Azure Active Directory (Azure AD) PowerShell cmdlets to create and update group settings.
This is applicable for the Office 365 groups.
- You can configure Office 365 Groups settings using a Settings object and a SettingsTemplate object.
- You can use the “Group.Unified” template to configure Office 365 group settings for your Active Directory.
- You can also use “Group.Unified.Guest” to configure Office 365 group settings for a single group.
Create AD group settings at the directory level using PowerShell
You can use the below steps to create and update the Active Directory group settings.
Step-1:
You can execute the below cmdlet using Windows PowerShell or PowerShell ISE to get the list of all settings templates.
PS C:\windows\system32> Get-AzureADDirectorySettingTemplate

Step-2:
To add a usage guideline URL, first get the Group.Unified template using the below cmdlets.
$MyNewTemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$MyNewTemplate = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $MyNewTemplateId -EQ

Step-3:
Now you need to create a new settings object based on the template we have retrieved.
$MyADSetting = $MyNewTemplate.CreateDirectorySetting()

Step-4:
Then you can update the usage guideline URL value.
$MyADSetting["UsageGuidelinesUrl"] = "https://enjoysharepoint.com"

Step-5:
Now you can apply the settings using the below cmdlet.
New-AzureADDirectorySetting -DirectorySetting $MyADSetting

Update AD group settings at the directory level using PowerShell
You can also update the AD group settings at the directory level using PowerShell.
You can follow the below steps.
Step-1:
You can get the current settings from the Group.Unified Settings Template
$MyADSetting = Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"}

Step-2:
You can check the current settings using the below cmdlet in your PowerShell window or PowerShell ISE.
$MyADSetting.Values

Step-3:
You can update the value of UsageGuideLinesUrl
$MyADSetting["UsageGuidelinesUrl"] = "https://sharepointsky.com"

Step-4:
Now you can save the changes using the below PowerShell cmdlet.
Set-AzureADDirectorySetting -Id $MyADSetting.Id -DirectorySetting $MyADSetting

Read group settings at the directory level using PowerShell
We can use the below cmdlet to retrieve the current group settings value using PowerShell.
Get-AzureADDirectorySetting -All $True

If you want to read all settings for a specific group then use the below command in your PowerShell window or PowerShell ISE.
Get-AzureADObjectSetting -TargetObjectId ce6n4789-446j-8er6-8ga5-du6b1y53c809 -TargetType Groups

Remove group settings at the directory level using PowerShell
You can execute the below cmdlet to remove the group settings at the directory level using PowerShell.
Remove-AzureADDirectorySetting -Id ce6n4789-446j-8er6-8ga5-du6b1y53c809

Create AD group settings for a specific group using PowerShell
You can create AD group settings for a specific group using PowerShell by following the below steps.
Step-1:
You can execute the below cmdlet to get the list of all settings templates. In the list, search for “Group.Unified.Guest” and note its Id. In my case it is 07e632c8-061g-5f27-63b1-87cee671d2e8.
PS C:\windows\system32> Get-AzureADDirectorySettingTemplate

Step-2:
Get the template object for the specific template using the below PowerShell cmdlet.
$MySingleTemplate = Get-AzureADDirectorySettingTemplate | where -Property Id -Value "07e632c8-061g-5f27-63b1-87cee671d2e8" -EQ

Step-3:
Create a new copy of settings object from the existing template
$MySettingsCopy = $MySingleTemplate.CreateDirectorySetting()

Step-4:
Set the setting to the required value
$MySettingsCopy["AllowToAddGuests"]=$False

Step-5:
Get the ID of the group
$mygroupID= (Get-AzureADGroup -SearchString "TsInfo group").ObjectId
TsInfo group is my group name

Step-6:
Now you can create the new setting for the specific group
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $mygroupID -DirectorySetting $MySettingsCopy

Update AD group settings for a specific group using PowerShell
Follow the below steps to update AD group settings for a specific group using PowerShell.
Step-1:
You can get the ID of the specific group using the below cmdlet.
$mygroupID= (Get-AzureADGroup -SearchString "TsInfo group").ObjectId

Step-2:
You can retrieve the settings of the specific group using the below cmdlet.
$MySettings = Get-AzureADObjectSetting -TargetObjectId $mygroupID -TargetType Groups

Step-3:
We can update the property of the group
$MySettings["AllowToAddGuests"] = $True

Step-4:
Now get the ID of the settings object for the specific group using the below cmdlet.
Get-AzureADObjectSetting -TargetObjectId $mygroupID -TargetType Groups

Step-5:
Now you can save the new value.
Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $mygroupID -Id 07e632c8-061g-5f27-63b1-87cee671d2e8 -DirectorySetting $MySettings
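
The create and update procedures for a specific group can be combined into one repeatable function, so the same script works whether or not the group already has a settings object. This is an added example, not code from the original tutorial; the function name Set-GroupGuestAccess is hypothetical, and it assumes a session connected with Connect-AzureAD and a module version that provides the object-setting cmdlets used on this page.

```powershell
# Added example (not from the original tutorial). Assumes Connect-AzureAD has been run.
# Set-GroupGuestAccess is a hypothetical helper name.
function Set-GroupGuestAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][bool]$AllowGuests
    )

    # Look the template up by name instead of pasting its Id.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    if (-not $template) { throw "Settings template 'Group.Unified.Guest' was not found." }

    # Find a settings object already created from this template on the group.
    $existing = Get-AzureADObjectSetting -TargetObjectId $GroupId -TargetType Groups |
        Where-Object { $_.TemplateId -eq $template.Id }

    if ($existing) {
        # Update path: -Id is the Id of the existing settings object.
        $existing['AllowToAddGuests'] = $AllowGuests
        if ($PSCmdlet.ShouldProcess($GroupId, "Update AllowToAddGuests to $AllowGuests")) {
            Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId `
                -Id $existing.Id -DirectorySetting $existing
        }
    }
    else {
        # Create path: build a new settings object from the template.
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $AllowGuests
        if ($PSCmdlet.ShouldProcess($GroupId, "Create AllowToAddGuests as $AllowGuests")) {
            New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId `
                -DirectorySetting $setting | Out-Null
        }
    }

    # Read the stored value back so the caller can confirm what is in effect.
    $current = Get-AzureADObjectSetting -TargetObjectId $GroupId -TargetType Groups |
        Where-Object { $_.TemplateId -eq $template.Id }
    ($current.Values | Where-Object { $_.Name -eq 'AllowToAddGuests' }).Value
}

# -SearchString can match more than one group, so insist on exactly one result.
$found = @(Get-AzureADGroup -SearchString "TsInfo group")
if ($found.Count -ne 1) { throw "Expected exactly one group, found $($found.Count)." }
Set-GroupGuestAccess -GroupId $found[0].ObjectId -AllowGuests $false
```

Run it with -WhatIf first to see which path (create or update) would be taken without changing the group.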

Azure AD group owner PowerShell
We can add an owner to an Azure AD group and also get the owner details for a specific group using PowerShell.
How to add an owner to an AzureAD group using PowerShell
We can add an owner to an existing Active Directory group using the below command.
The syntax is
Add-AzureADGroupOwner
-ObjectId <String>
-RefObjectId <String>
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
[<CommonParameters>]
For example:
Add-AzureADGroupOwner -ObjectId "23359f6d-850e-47e3-96b3-6ccae2ecb7bd" -RefObjectId "ee09bfcd-36e9-47c2-a98c-cf19412540e6"

Here ObjectId is 23359f6d-850e-47e3-96b3-6ccae2ecb7bd, which is my group ID.
RefObjectId is ee09bfcd-36e9-47c2-a98c-cf19412540e6, which is the ID of the member whom I want to add as an owner of my group.
How to get the owner details of an AzureAD group using PowerShell.
We have added the owner to the AzureAD group. Let’s retrieve the owner details of that AzureAD group.
We need to use the below cmdlet to get the owner details.
The syntax is
Get-AzureADGroupOwner
-ObjectId <String>
[-All <Boolean>]
[-Top <Int32>]
[<CommonParameters>]
Example:
Get-AzureADGroupOwner -ObjectId "23359f6d-850e-47e3-96b3-6ccae2ecb7bd"

Here objectID is 23359f6d-850e-47e3-96b3-6ccae2ecb7bd which is my groupID.
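
The group, member and owner cmdlets covered above can be combined into a periodic access review. The following is an added example, not code from the original tutorial: it reports member, guest and owner counts per group and flags groups that have no owner or that contain guest users. The function name Get-GroupAccessReport and the NeedsReview rule are assumptions made for illustration, and a session connected with Connect-AzureAD is assumed.

```powershell
# Added example (not from the original tutorial). Assumes Connect-AzureAD has been run.
# Get-GroupAccessReport and the NeedsReview rule are illustrative choices.
function Get-GroupAccessReport {
    [CmdletBinding()]
    param(
        # Optional search string; when empty, every group in the directory is reviewed.
        [string]$SearchString
    )

    $groups = if ($SearchString) {
        Get-AzureADGroup -SearchString $SearchString -All $true
    } else {
        Get-AzureADGroup -All $true
    }

    foreach ($group in $groups) {
        # -All $true matters here: without it only a limited page of results
        # comes back, so large groups would be silently under-reported.
        $members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)
        $owners  = @(Get-AzureADGroupOwner  -ObjectId $group.ObjectId -All $true)

        # Members are not always users (nested groups, devices, service principals),
        # and only user objects carry a UserType value.
        $guests   = @($members | Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' })
        $nonUsers = @($members | Where-Object { $_.ObjectType -ne 'User' })

        # Owners without a UserPrincipalName are listed by display name.
        $ownerNames = $owners | ForEach-Object {
            if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
        }

        [pscustomobject]@{
            GroupId         = $group.ObjectId
            DisplayName     = $group.DisplayName
            SecurityEnabled = $group.SecurityEnabled
            MemberCount     = $members.Count
            GuestCount      = $guests.Count
            NonUserCount    = $nonUsers.Count
            OwnerCount      = $owners.Count
            Owners          = ($ownerNames -join '; ')
            # Flag groups nobody is accountable for, or that include guest accounts.
            NeedsReview     = ($owners.Count -eq 0 -or $guests.Count -gt 0)
        }
    }
}

# Show only the groups that need attention.
Get-GroupAccessReport | Where-Object NeedsReview |
    Sort-Object DisplayName |
    Format-Table DisplayName, MemberCount, GuestCount, OwnerCount, Owners -AutoSize
```

Pipe the function's output to Export-Csv instead of Format-Table to keep a dated record for comparison between reviews.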
Conclusion
In this Azure tutorial, we discussed
- Create Azure AD group PowerShell
- Retrieve the existing groups PowerShell
- Create Azure AD Groups PowerShell
- Update Azure AD Groups PowerShell
- Delete Azure AD Groups PowerShell
- Azure AD add user to the group PowerShell
- PowerShell command to get azure ad group members
- PowerShell command to remove azure ad group members
- Azure AD dynamic groups PowerShell
- Group types in Azure AD
- Group policy in Azure AD PowerShell
- Create AD group settings at the directory level using PowerShell
- Update AD group settings at the directory level using PowerShell
- Read group settings at the directory level using PowerShell
- Remove group settings at the directory level using PowerShell
- Create AD group settings for a specific group using PowerShell
- Update AD group settings for a specific group using PowerShell
- Azure AD group owner PowerShell
- How to add an owner to an AzureAD group using PowerShell
- How to get the owner details of an AzureAD group using PowerShell.