Manage groups
In this tutorial, you learn how to create, edit, update, and delete a group in Microsoft Entra PowerShell. You also learn how to add and remove users from a group.
Prerequisites
- A Microsoft Entra user account. If you don't already have one, you can create an account for free.
- Install the latest Microsoft Entra PowerShell module. For more information, see Install the Microsoft Entra PowerShell module.
- Have at least the Groups Administrator role.
Create groups
To create a group, make sure you have the required permissions to create a group.
Connect-Entra -Scopes 'Group.ReadWrite.All'
To create a new group, run the following command.
$groupParams = @{
DisplayName = 'My new group'
MailEnabled = $false
SecurityEnabled = $true
MailNickName = 'NotSet'
}
New-EntraGroup @groupParams
DisplayName Id MailNickname Description GroupTypes
----------- -- ------------ ----------- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NotSet {}
This command creates a new group with the name My new group
.
Search for the created group by using the following command.
Get-EntraGroup -Filter "DisplayName eq 'My new group'"
DisplayName Id MailNickname Description GroupTypes
----------- -- ------------ ----------- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NotSet My new group {Unified}
This command returns the details of the newly created group. You can also use the ObjectId
(GUID) to search, update, or delete the group.
Update groups
Update the group description by running the following command. The ObjectId
is the Group ID.
$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
$groupParams = @{
ObjectId = $group.ObjectId
Description = 'This is my new updated group details'
}
Set-EntraGroup @groupParams
To confirm the updated description, run the Get-EntraGroup again.
Get-EntraGroup -Filter "DisplayName eq 'My new group'"
Add a user to a group
Add a user to the group by running the following command. The ObjectId
is the Group ID and the RefObjectId
is the User ID. You can get the User ID from the Microsoft Entra admin center or by running the Get-EntraUser command.
$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
$user = Get-EntraUser -ObjectId 'SawyerM@contoso.com'
$memberParams = @{
ObjectId = $group.ObjectId
RefObjectId = $user.ObjectId
}
Add-EntraGroupMember @memberParams
Add a user as a group owner
Add a group owner to a group by running the following command. The ObjectId
is the Group ID and the RefObjectId
is the User ID.
$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
$owner = Get-EntraUser -ObjectId 'AdeleV@contoso.com'
$ownerParams = @{
ObjectId = $group.ObjectId
RefObjectId = $owner.ObjectId
}
Add-EntraGroupOwner @ownerParams
To confirm the updated group owner, run the Get-EntraGroupOwner command. This command returns the User ID of one or more group owners.
$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
Get-EntraGroupOwner -ObjectId $group.ObjectId
Id DeletedDateTime
-- ---------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
eeeeeeee-4444-5555-6666-ffffffffffff
Query ownerless or empty groups
To query groups without owners, run the following command.
$allGroups = Get-EntraGroup -All
$groupsWithoutOwners = foreach ($group in $allGroups) {
$owners = Get-EntraGroupOwner -ObjectId $group.Id
if ($owners.Count -eq 0) {
$group
}
}
$groupsWithoutOwners | Format-Table DisplayName, Id, GroupTypes
DisplayName Id GroupTypes
----------- -- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb {}
HelpDesk admin group eeeeeeee-4444-5555-6666-ffffffffffff {}
To query groups without members (empty groups), run the following command.
$allGroups = Get-EntraGroup -All
$groupsWithoutMembers = foreach ($group in $allGroups) {
$members = Get-EntraGroupMember -ObjectId $group.Id
if ($members.Count -eq 0) {
$group
}
}
$groupsWithoutMembers | Format-Table DisplayName, Id, GroupTypes
DisplayName Id GroupTypes
----------- -- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb {}
HelpDesk admin group eeeeeeee-4444-5555-6666-ffffffffffff {}
Clean up resources
To remove the group, run the following command.
$group = Get-EntraGroup -Filter "DisplayName eq 'My new group'"
Remove-EntraGroup -ObjectId $group.ObjectId