Get-MgUserOwnedObject: Retrieve Objects Owned by a User Using Graph PowerShell

The Get-MgUserOwnedObject cmdlet in Microsoft Graph PowerShell (Microsoft.Graph.Users module) retrieves the directory objects a specific user owns: the groups, application registrations and service principals on which that user is listed as an owner. Under the hood it calls GET /users/{id}/ownedObjects. Ownership is a privilege in its own right (an application owner can add credentials to the app, a group owner can change its membership), so the cmdlet is useful for auditing who controls what in a Microsoft 365 tenant, not just for housekeeping.

Cmdlet Syntax

Get-MgUserOwnedObject -UserId <String> [-Filter <String>] [-Property <String[]>] [-Top <Int32>] [-All]
Get-MgUserOwnedObject -UserId <String> -DirectoryObjectId <String> [-Property <String[]>]

Parameters:

  • -UserId: The user whose owned objects you want to retrieve. Mandatory; accepts the user's object ID or UPN (e.g., user@example.com).
  • -DirectoryObjectId: Looks up one specific owned object by its ID (second syntax). This is a direct lookup, not a filter: if the user does not own that object, Graph returns a not-found error.
  • -Filter: Passed to the service as $filter. Support on this collection is limited; in particular objectType is not a filterable property in Microsoft Graph.
  • -Property: Passed as $select; returns only the named properties.
  • -Top: Page size for the first page.
  • -All: Follows the paging links so every page of results is returned. Without it you get only the first page, which silently truncates the list for users who own many objects.

Usage Examples

1. Retrieve the Owned Objects of the Signed-In User

-UserId is mandatory, so running Get-MgUserOwnedObject on its own only prompts for a value; it does not default to the current account. To query the account you connected with, pass its UPN from the connection context:

Get-MgUserOwnedObject -UserId (Get-MgContext).Account

This returns the objects owned by the user who authenticated with Connect-MgGraph. It only works for a delegated (interactive) sign-in; an app-only connection has no Account in its context.

2. Retrieve Owned Objects for a Specific User

Get-MgUserOwnedObject -UserId jackie@7xh7fj.onmicrosoft.com

This command returns the directory objects owned by the specified user (the first page only; add -All to get every page). Each result is a generic MicrosoftGraphDirectoryObject: Id is a typed property, while the concrete type and fields such as displayName are in AdditionalProperties.

3. Retrieve a Specific Owned Object by Directory Object ID

Get-MgUserOwnedObject -UserId jackie@7xh7fj.onmicrosoft.com -DirectoryObjectId a63b372a-0445-4854-9d09-c63ca04539c8

This form is a direct lookup rather than a filter: it returns the one object with that ID if the user is an owner of it, and fails with a not-found error from Graph if the user is not. That makes it a quick "is this user an owner of X?" check.
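The examples above return bare directoryObject records, which are hard to read and hard to act on. The following is an added example (not code from the original article) that turns them into a readable ownership inventory and wraps the -DirectoryObjectId form in a yes/no check. It assumes Microsoft.Graph.Users is installed and that Connect-MgGraph has been run with a scope such as User.Read.All; the UPN and object ID in the usage lines are placeholders, and the error-message match in Test-UserOwnsObject is an assumption about Graph's 404 wording.

```powershell
# Added example, not code from the original article. Assumes Microsoft.Graph.Users
# is installed and Connect-MgGraph has been run (e.g. -Scopes 'User.Read.All').
# The UPN and object ID used in the usage lines are placeholders.

function Get-UserOwnershipReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserId    # object ID or UPN of the user to audit
    )

    # -All follows the paging links; without it only the first page is returned.
    $owned = Get-MgUserOwnedObject -UserId $UserId -All -ErrorAction Stop

    foreach ($obj in $owned) {
        # The cmdlet returns MicrosoftGraphDirectoryObject; the concrete type and
        # type-specific fields (displayName, appId, ...) live in AdditionalProperties.
        $props = $obj.AdditionalProperties

        # appId exists only on applications and service principals.
        $appId = $null
        if ($props.ContainsKey('appId')) { $appId = $props['appId'] }

        [pscustomobject]@{
            Owner       = $UserId
            ObjectType  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
            ObjectId    = $obj.Id
            DisplayName = $props['displayName']
            AppId       = $appId
        }
    }
}

function Test-UserOwnsObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UserId,
        [Parameter(Mandatory)] [string]$DirectoryObjectId
    )
    try {
        $null = Get-MgUserOwnedObject -UserId $UserId -DirectoryObjectId $DirectoryObjectId -ErrorAction Stop
        return $true
    }
    catch {
        # Assumption: when the user is not an owner, Graph answers 404
        # (Request_ResourceNotFound, "... does not exist ..."). Anything else,
        # such as a 403 from a missing scope, is a real failure and is re-thrown
        # rather than being reported as "not an owner".
        if ($_.Exception.Message -match 'Request_ResourceNotFound|does not exist') { return $false }
        throw
    }
}

# Usage: full inventory, then a per-type summary
$report = Get-UserOwnershipReport -UserId 'jackie@7xh7fj.onmicrosoft.com'
$report | Sort-Object ObjectType, DisplayName | Format-Table -AutoSize
$report | Group-Object ObjectType | Select-Object Name, Count

# Usage: does this user own one specific object?
Test-UserOwnsObject -UserId 'jackie@7xh7fj.onmicrosoft.com' -DirectoryObjectId 'a63b372a-0445-4854-9d09-c63ca04539c8'
```

Test-UserOwnsObject deliberately treats only the not-found case as "no"; swallowing every exception would turn a permissions problem into a false "not an owner" answer, which is the wrong failure mode for an audit.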

Cmdlet Tips

  • To retrieve owned objects for every user, loop over the user list and tag each result with its owner, because the objects returned carry no reference back to the user they were queried for:

    $users = Get-MgUser -All -Property Id,UserPrincipalName
    foreach ($user in $users) {
        Get-MgUserOwnedObject -UserId $user.Id -All |
            Select-Object @{ n = 'Owner'; e = { $user.UserPrincipalName } },
                          Id,
                          @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } },
                          @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } }
    }

  • Use the -Property parameter to request only the properties you need and reduce the amount of data returned.
  • The -Filter parameter is passed to the service as $filter and can narrow results where Graph supports it, but it cannot select by object type: objectType is not a Microsoft Graph property. To restrict by type, use the cast variants Get-MgUserOwnedObjectAsGroup, Get-MgUserOwnedObjectAsApplication and Get-MgUserOwnedObjectAsServicePrincipal, or filter client-side on AdditionalProperties['@odata.type'].

Use Cases

  • Auditing User Ownership: Identify all objects (groups, apps, service principals) owned by a specific user for security reviews.
  • Cleanup Operations: Before a user leaves the organization, find the objects that would be left without an owner and reassign or remove them.
  • Delegation & Ownership Transfers: Check what a user currently owns before transferring responsibility to another user.
  • Security & Compliance: Ensure users do not own applications or groups they should not control; an app owner can add credentials to the app and sign in as it.

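The cleanup and transfer use cases above share one gap: Get-MgUserOwnedObject tells you that a user is an owner of something, not whether they are the only owner. The following is an added example (not part of the original article) that, for a departing user, fetches each owned object's full owner list with the type-specific owner cmdlet, reports the objects that would be orphaned, and can optionally add a replacement owner. It assumes the Microsoft.Graph.Users, Microsoft.Graph.Groups and Microsoft.Graph.Applications modules are installed, that the session has User.Read.All for the report and Group.ReadWrite.All / Application.ReadWrite.All for the transfer, and that the *OwnerByRef cmdlets accept the owner as an @odata.id reference; the UPN and GUID in the usage lines are placeholders.

```powershell
# Added example, not code from the original article. Assumes Microsoft.Graph.Users,
# .Groups and .Applications are installed and Connect-MgGraph has been run with
# User.Read.All (report) plus Group.ReadWrite.All / Application.ReadWrite.All
# (transfer). The UPN and GUID in the usage lines are placeholders.

function Find-SoleOwnedObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$UserId,               # leaver: object ID or UPN

        [string]$ReplacementOwnerId    # optional: object ID of the user who takes over
    )

    # Resolve to an object ID so it can be compared against owner lists, which carry IDs.
    $leaver = Get-MgUser -UserId $UserId -Property Id,UserPrincipalName -ErrorAction Stop

    $supported = @('#microsoft.graph.group', '#microsoft.graph.application', '#microsoft.graph.servicePrincipal')

    foreach ($obj in (Get-MgUserOwnedObject -UserId $leaver.Id -All)) {
        $type = $obj.AdditionalProperties['@odata.type']
        $name = $obj.AdditionalProperties['displayName']
        if ($type -notin $supported) { continue }   # other directoryObject subtypes are not handled here

        # Full owner list, fetched per object type.
        $owners = @(switch ($type) {
            '#microsoft.graph.group'            { Get-MgGroupOwner -GroupId $obj.Id -All }
            '#microsoft.graph.application'      { Get-MgApplicationOwner -ApplicationId $obj.Id -All }
            '#microsoft.graph.servicePrincipal' { Get-MgServicePrincipalOwner -ServicePrincipalId $obj.Id -All }
        })

        # Anyone other than the leaver? Then the object is not at risk.
        $otherOwners = @($owners | Where-Object { $_.Id -ne $leaver.Id })
        if ($otherOwners.Count -gt 0) { continue }

        $result = [pscustomobject]@{
            Leaver      = $leaver.UserPrincipalName
            ObjectType  = $type -replace '^#microsoft\.graph\.', ''
            ObjectId    = $obj.Id
            DisplayName = $name
            Transferred = $false
        }

        if ($ReplacementOwnerId -and
            $PSCmdlet.ShouldProcess("$($result.ObjectType) '$name' ($($obj.Id))", "Add owner $ReplacementOwnerId")) {
            # Assumption: the *OwnerByRef cmdlets take the new owner as a Graph reference.
            $ref = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/users/$ReplacementOwnerId" }
            switch ($type) {
                '#microsoft.graph.group'            { New-MgGroupOwnerByRef -GroupId $obj.Id -BodyParameter $ref }
                '#microsoft.graph.application'      { New-MgApplicationOwnerByRef -ApplicationId $obj.Id -BodyParameter $ref }
                '#microsoft.graph.servicePrincipal' { New-MgServicePrincipalOwnerByRef -ServicePrincipalId $obj.Id -BodyParameter $ref }
            }
            $result.Transferred = $true
        }
        $result
    }
}

# Usage: report only
Find-SoleOwnedObject -UserId 'jackie@7xh7fj.onmicrosoft.com' | Format-Table -AutoSize

# Usage: dry run of the transfer (nothing is changed), then drop -WhatIf to apply
Find-SoleOwnedObject -UserId 'jackie@7xh7fj.onmicrosoft.com' `
    -ReplacementOwnerId '00000000-0000-0000-0000-000000000000' -WhatIf
```

Adding the replacement owner first and only then disabling the leaver's account is the safe order: an application with no owner can still be used by whatever holds its credentials, but nobody is left who can rotate them.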
Possible Errors and Solutions

Error: Request_ResourceNotFound (user not found)

Cause: The value passed to -UserId is not a valid object ID or UPN in this tenant, or the user has been deleted. Solution: Confirm the user exists with Get-MgUser -UserId <id-or-UPN> and check the domain part of the UPN for typos.

Error: Authorization_RequestDenied

Cause: The session was connected without a scope that permits reading other users' directory objects. Solution: Reconnect with Connect-MgGraph -Scopes 'User.Read.All' (or Directory.Read.All) and consent to it.

Error: Empty Results

Cause: The user is not listed as an owner of any directory object. Ownership is recorded on the object (group owners, application owners), so creating an object or being a member of a group does not make a user appear here. Solution: Verify the object's owner list in the Microsoft Entra admin center, and if you used -Filter, retry without it to rule out a filter that matched nothing.

FAQs

  1. What types of objects can this cmdlet return?
     Groups, application registrations and service principals for which the user is listed as an owner. Each comes back as a generic MicrosoftGraphDirectoryObject; the concrete type is in AdditionalProperties['@odata.type'].

  2. Can I use this cmdlet to check ownership across multiple users?
     Yes. Loop through the users returned by Get-MgUser -All and pass each user's ID to Get-MgUserOwnedObject, tagging the output with the owner so the rows remain attributable.

  3. Do I need administrative privileges to run this cmdlet?
     You need a connection with a scope that allows reading other users' directory objects; User.Read.All is enough to list what another user owns, and Directory.Read.All also works. Directory.ReadWrite.All is not required for a read-only audit, so do not request it. Reading your own owned objects needs only User.Read.

  4. How do I get only group objects owned by a user?
     Microsoft Graph does not accept objectType in a filter on this endpoint, so a filter such as "objectType eq 'Group'" fails. Use the type-cast variant, which asks the service for groups only:

     Get-MgUserOwnedObjectAsGroup -UserId user@example.com -All

     or filter the generic results on the client:

     Get-MgUserOwnedObject -UserId user@example.com -All |
         Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

Conclusion

The Get-MgUserOwnedObject cmdlet is a valuable tool for Microsoft 365 administrators, allowing them to identify and manage objects owned by users. Whether for security audits, ownership transfers, or cleanups, this cmdlet provides flexibility in querying directory objects efficiently. By understanding its syntax, usage examples, and troubleshooting common errors, administrators can leverage this cmdlet to maintain a secure and well-organized tenant.


© m365corner.com. All Rights Reserved.