Manage groups

In this tutorial, you learn how to create, edit, update, and delete a group in Microsoft Entra PowerShell. You also learn how to add and remove users from a group.

Prerequisites

Create groups

Before you create a group, connect with the permission scope required to create groups.

Connect-Entra -Scopes 'Group.ReadWrite.All' 

To create a new group, run the following command.

$groupParams = @{
    DisplayName = 'My new group'
    MailEnabled = $false
    SecurityEnabled = $true
    MailNickName = 'NotSet'
}
New-EntraGroup @groupParams
DisplayName  Id                                   MailNickname Description GroupTypes
-----------  --                                   ------------ ----------- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NotSet                   {}

This command creates a new group with the name My new group.

Search for the created group by using the following command.

Get-EntraGroup -Filter "DisplayName eq 'My new group'"
DisplayName        Id                                   MailNickname     Description        GroupTypes
-----------        --                                   ------------     -----------        ----------
My new group       aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NotSet       My new group        {Unified}

This command returns the details of the newly created group. You can also use the group's ObjectId (GUID) to search for, update, or delete the group.

Update groups

Update the group description by running the following command. The ObjectId is the Group ID.

$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
$groupParams = @{
    ObjectId = $group.ObjectId
    Description = 'This is my new updated group details'
}
Set-EntraGroup @groupParams

To confirm the updated description, run the Get-EntraGroup command again.

Get-EntraGroup -Filter "DisplayName eq 'My new group'"  

Add a user to a group

Add a user to the group by running the following command. The ObjectId is the Group ID and the RefObjectId is the User ID. You can get the User ID from the Microsoft Entra admin center or by running the Get-EntraUser command.

$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
$user = Get-EntraUser -ObjectId 'SawyerM@contoso.com'
$memberParams = @{
    ObjectId = $group.ObjectId
    RefObjectId = $user.ObjectId
}
Add-EntraGroupMember @memberParams

Add a user as a group owner

Add a group owner to a group by running the following command. The ObjectId is the Group ID and the RefObjectId is the User ID.

$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
$owner = Get-EntraUser -ObjectId 'AdeleV@contoso.com'
$ownerParams = @{
    ObjectId = $group.ObjectId
    RefObjectId = $owner.ObjectId
}
Add-EntraGroupOwner @ownerParams

To confirm the updated group owner, run the Get-EntraGroupOwner command. This command returns the User ID of one or more group owners.

$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
Get-EntraGroupOwner -ObjectId $group.ObjectId
Id                                   DeletedDateTime
--                                   ---------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
eeeeeeee-4444-5555-6666-ffffffffffff

Query ownerless or empty groups

To query groups without owners, run the following command.

$allGroups = Get-EntraGroup -All
$groupsWithoutOwners = foreach ($group in $allGroups) {
    $owners = Get-EntraGroupOwner -ObjectId $group.Id
    if ($owners.Count -eq 0) {
        $group
    }
}
$groupsWithoutOwners | Format-Table DisplayName, Id, GroupTypes
DisplayName           Id                                   GroupTypes
-----------           --                                   ----------
My new group          aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb {}
HelpDesk admin group  eeeeeeee-4444-5555-6666-ffffffffffff {}

To query groups without members (empty groups), run the following command.

$allGroups = Get-EntraGroup -All
$groupsWithoutMembers = foreach ($group in $allGroups) {
    $members = Get-EntraGroupMember -ObjectId $group.Id
    if ($members.Count -eq 0) {
        $group
    }
}
$groupsWithoutMembers | Format-Table DisplayName, Id, GroupTypes
DisplayName           Id                                   GroupTypes
-----------           --                                   ----------
My new group          aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb {}
HelpDesk admin group  eeeeeeee-4444-5555-6666-ffffffffffff {}

Clean up resources

To remove the group, run the following command.

$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
Remove-EntraGroup -ObjectId $group.ObjectId
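
Display names are not unique in Microsoft Entra ID, so the filter in the clean-up command can return no group or several. The following is an added example, not part of the original tutorial: a hypothetical helper, Remove-GroupByExactName, that removes a group only when the name resolves to exactly one group, and shows its owner and member counts first. It assumes an existing Connect-Entra session with the Group.ReadWrite.All scope.

```powershell
# Added example: hypothetical helper, not part of the Microsoft Entra PowerShell module.
# Assumes an existing session: Connect-Entra -Scopes 'Group.ReadWrite.All'
function Remove-GroupByExactName {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string] $DisplayName
    )

    # Double any single quotes so the name stays inside the OData string literal.
    $escaped = $DisplayName.Replace("'", "''")

    # @() forces an array so .Count is reliable for zero, one, or many results.
    $found = @(Get-EntraGroup -Filter "DisplayName eq '$escaped'")

    if ($found.Count -eq 0) {
        throw "No group named '$DisplayName' was found."
    }
    if ($found.Count -gt 1) {
        # Several groups share this name; refuse to guess which one was meant.
        $ids = $found.Id -join ', '
        throw "'$DisplayName' matches $($found.Count) groups ($ids). Remove by ObjectId instead."
    }

    $group   = $found[0]
    $owners  = @(Get-EntraGroupOwner  -ObjectId $group.Id -All)
    $members = @(Get-EntraGroupMember -ObjectId $group.Id -All)

    # Show what is about to be deleted, including who still depends on it.
    $target = "$($group.DisplayName) [$($group.Id)], " +
              "owners: $($owners.Count), members: $($members.Count)"

    # -WhatIf previews the action; without it, ConfirmImpact = 'High' prompts first.
    if ($PSCmdlet.ShouldProcess($target, 'Remove group')) {
        Remove-EntraGroup -ObjectId $group.Id
    }
}

# Preview the removal without deleting anything.
Remove-GroupByExactName -DisplayName 'My new group' -WhatIf
```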