Using Get-MgGroupMember with New-MgGroupMember: Managing Group Membership in Microsoft 365

Efficient group membership management is critical for maintaining secure and productive collaboration environments in Microsoft 365. Pairing Get-MgGroupMember and New-MgGroupMember allows administrators to retrieve detailed group member information and add new members programmatically. This article explains how to use these cmdlets effectively, with updated examples, tips, and a use-cases section.

The Get-MgGroupMember cmdlet retrieves the Object IDs of users in a specified group. To obtain detailed user information, these Object IDs need to be passed to Get-MgUser. The New-MgGroupMember cmdlet lets you add new members to the group. Together, these cmdlets enable administrators to automate tasks like onboarding, auditing, and maintaining secure group memberships.

Usage Example: Retrieving and Adding Group Members

Here’s how to retrieve detailed information about group members and add a new member to the group:


# Step 1: Retrieve group members
$groupId = "1cbe8c31-589d-453a-a1e5-045f7f00c967"  # Replace with the Group ID
# -All follows every result page; without it only the first page of members is returned
$groupMembers = Get-MgGroupMember -GroupId $groupId -All

# Initialize an array to store detailed user information
$userDetails = @()

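# Loop through each group member and retrieve additional properties
# (members can also be groups, devices or service principals; only users are looked up)
foreach ($member in $groupMembers) {
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $user = Get-MgUser -UserId $member.Id -Property Id,DisplayName,UserPrincipalName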
    $userDetails += [PSCustomObject]@{
        Id                 = $user.Id
        DisplayName        = $user.DisplayName
        UserPrincipalName  = $user.UserPrincipalName
    }
}

# Display the detailed user information
$userDetails | Select-Object Id, DisplayName, UserPrincipalName

# Step 2: Add a new member to the group
$newUserId = "98765xyz-4321-lkjh-0987-54321mnopqr"  # Replace with the new member's Object ID
try {
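    # -ErrorAction Stop turns a failed add into a terminating error so the catch block runs
    New-MgGroupMember -GroupId $groupId -DirectoryObjectId $newUserId -ErrorAction Stop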
    Write-Output "New member added successfully to the group."
} catch {
    Write-Error "Failed to add the new member: $_"
}
                            

Cmdlet Tips

  • Retrieve Detailed Member Information: The Get-MgGroupMember cmdlet only provides basic member IDs. Use Get-MgUser with the Object IDs to fetch additional user details like displayName and userPrincipalName.
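  • Handle Large Groups: For large groups, pass -All to Get-MgGroupMember so the SDK follows every page, or page manually to avoid performance issues by requesting $top items at a time and following the @odata.nextLink in each $response:
    $uri = "https://graph.microsoft.com/v1.0/groups/$groupId/members?`$top=50"
    $groupMembers = @()
    while ($uri) {
        $response = Invoke-MgGraphRequest -Method GET -Uri $uri
        $groupMembers += $response.value       # members on the current page
        $uri = $response.'@odata.nextLink'     # $null once the last page is reached
    }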
  • Avoid Duplicate Members: Check existing members using Get-MgGroupMember before adding new ones to avoid duplication.
  • Batch Member Additions: Use loops to add multiple users efficiently:
    $newUserIds = @("id1", "id2", "id3")
    foreach ($userId in $newUserIds) {
        New-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId
    }

Use Cases

  1. Onboarding New Employees: Automatically add new employees to the appropriate groups during their onboarding process. For example, assign users to departmental, project, or security groups based on their roles.
  2. Dynamic Group Management: Programmatically update group memberships based on specific criteria, such as department or office location, using external data sources like HR systems.
  3. Bulk Membership Updates: Add or update memberships for large groups during tenant migrations, restructuring, or organizational realignment.
  4. Collaboration and Teams Management: Update membership for Microsoft Teams associated with Office 365 groups to ensure collaboration tools remain in sync with organizational needs.

Possible Errors & Solutions

| Error Message | Cause | Solution |
|---|---|---|
| Member Already Exists | User is already a member of the group | Check existing members using Get-MgGroupMember before adding users. |
| Access Denied | Insufficient permissions | Assign Group.ReadWrite.All and User.Read.All permissions in Azure AD. |
| Invalid DirectoryObjectId | User does not exist or is not valid for addition | Verify the user's Object ID using Get-MgUser. |
| Too Many Requests | API throttling due to bulk operations | Implement retries with delays between requests or batch updates. |
| Resource Not Found | Incorrect or non-existent GroupId | Verify the Group ID using Get-MgGroup. |
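
The duplicate check from the tips and the retry advice from the table above can be combined into one helper that also returns a record per requested ID, which is useful as a change log when the group grants access. This is an added example, not code from the original article; the function name Add-GroupMemberIdempotent, the retry limit, the status strings and the throttling message pattern are assumptions, and it expects an existing Connect-MgGraph session with the permissions listed in the table.

```powershell
# Added example (not from the article). Name, retry limits and the throttling
# message pattern are assumptions; requires a connected Microsoft Graph session.
function Add-GroupMemberIdempotent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $GroupId,
        [Parameter(Mandatory)][string[]] $UserId,
        [int] $MaxRetries = 4
    )
    # Snapshot current membership once (-All follows every page) for fast lookups.
    $existing = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($m in (Get-MgGroupMember -GroupId $GroupId -All -ErrorAction Stop)) {
        [void]$existing.Add($m.Id)
    }
    foreach ($id in $UserId) {
        $status = 'Added'
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) {
            $status = 'SkippedInvalidId'            # not a well-formed Object ID
        } elseif ($existing.Contains($parsed.ToString())) {
            $status = 'SkippedAlreadyMember'        # avoids the duplicate-member error
        } elseif ($PSCmdlet.ShouldProcess("group $GroupId", "add member $parsed")) {
            for ($attempt = 1; ; $attempt++) {
                try {
                    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $parsed.ToString() `
                        -ErrorAction Stop | Out-Null
                    break
                } catch {
                    # Assumed text of a throttling error; adjust to what your SDK version reports.
                    $throttled = "$_" -match '429|TooManyRequests|Too Many Requests'
                    if (-not $throttled -or $attempt -gt $MaxRetries) {
                        $status = "Failed: $_"      # non-throttling errors are not retried
                        break
                    }
                    Start-Sleep -Seconds ([math]::Pow(2, $attempt))   # 2, 4, 8, 16 s
                }
            }
            # Remember successful adds so a repeated ID in the input is skipped.
            if ($status -eq 'Added') { [void]$existing.Add($parsed.ToString()) }
        } else {
            $status = 'NotApplied'                  # -WhatIf, or declined at -Confirm
        }
        [PSCustomObject]@{ GroupId = $GroupId; UserId = $id; Status = $status
                           TimeUtc = (Get-Date).ToUniversalTime() }
    }
}
# Dry run first: Add-GroupMemberIdempotent -GroupId $groupId -UserId $newUserIds -WhatIf
```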

Conclusion

Pairing Get-MgGroupMember and New-MgGroupMember empowers administrators to effectively manage group memberships in Microsoft 365. From onboarding new employees to maintaining compliance through audits, these cmdlets offer flexibility and precision for all group-related tasks.

By using these cmdlets to automate membership updates, administrators can save time, enhance security, and ensure seamless collaboration across the organization.

© m365corner.com. All Rights Reserved.