I work as an MSP and I have created a script to mainstream the creation of new user accounts in Microsoft 365 for our customers.
The customers fill in a web form to give us all the necessary information regarding username, group memberships, shared mailbox access and so forth.
The script is working great for everything except the group membership part.
The thing is that Microsoft doesn’t allow you to use a single command to add members to different kinds of groups. There are 4 different kinds of groups (Microsoft 365 group, Distribution list, Security Group and Email Enabled Security Group) and each of them has its own command in PowerShell to add members to.
In my script I list all groups in Microsoft 365 for a specific customer and the Administrator can copy/paste them to a parameter in the script:
Get-AzureADGroup | Select Displayname,Description | Sort-Object -Property DisplayName | Format-Table
$groups = Read-Host "Copy the groups to add the user to. Separate multiple groups with comma (,)"
$groupdata = $groups.Split(",").Trim(" ")
This gives me a list of all groups the script should add for the new user account.
I then get each line in my $groupdata parameter and use that to add membership.
The problem is that I now need to differentiate the type of each group when I run the script to know what command to use for each row.
I have managed to do that with the following commands:
#Microsoft 365 group
$m365group = Get-AzureADGroup | Where-Object {($_.DisplayName -EQ $groupdata) -and $_.MailEnabled -eq $true -and ($_.SecurityEnabled -eq $false)}
#Email Enabled Security Group
$emailsecuritygroup = Get-AzureADGroup | Where-Object {($_.DisplayName -EQ $groupdata) -and ($_.MailEnabled -eq $true) -and ($_.SecurityEnabled -eq $true)}
#Regular Security Group
$securitygroup = Get-AzureADGroup | Where-Object {($_.DisplayName -EQ $groupdata) -and $_.MailEnabled -eq $false}
And now to the problem.
I don’t know how to separate each line in my $groupdata parameter to the commands above. If I only have 1 group in my $groupdata it works fine, but if I have multiple groups I get nothing back.
I then need to use those values which turn up true to an “Add Membership” command depending on which type of group it is.
Here is the full script that has anything to do with groups as it looks right now:
Get-AzureADGroup | Select Displayname,Description | Sort-Object -Property DisplayName | Format-Table
$groups = Read-Host "Copy the groups to add the user to. Separate multiple groups with comma (,)"
$groupdata = $groups.Split(",").Trim(" ")
$groupuser = Get-MsolUser -TenantId $cid -UserPrincipalName $UserPrincipalName
#Microsoft 365 group
$m365group = Get-AzureADGroup | Where-Object {($_.DisplayName -EQ $groupdata) -and $_.MailEnabled -eq $true -and ($_.SecurityEnabled -eq $false)}
ForEach ($line in $m365group) {
    $groupdataobject = Get-AzureADGroup -Filter "Displayname eq '$($line.DisplayName)'"
    Add-AzureADGroupMember -ObjectID $groupdataobject.ObjectID -RefObjectId $groupuser.ObjectID
}
$groupuser = Get-MsolUser -TenantId $cid -UserPrincipalName $UserPrincipalName
#Email Enabled Security Group
$emailsecuritygroup = Get-AzureADGroup | Where-Object {($_.DisplayName -EQ $groupdata) -and ($_.MailEnabled -eq $true) -and ($_.SecurityEnabled -eq $true)}
ForEach ($line in $emailsecuritygroup) {
    $groupdataobject = Get-AzureADGroup -Filter "Displayname eq '$($line.DisplayName)'"
    Add-DistributionGroupMember -Identity $groupdataobject.DisplayName -Member $groupuser.UserPrincipalName -BypassSecurityGroupManagerCheck
}
$groupuser = Get-MsolUser -TenantId $cid -UserPrincipalName $UserPrincipalName
#Regular Security Group
$securitygroup = Get-AzureADGroup | Where-Object {($_.DisplayName -EQ $groupdata) -and $_.MailEnabled -eq $false}
ForEach ($line in $securitygroup) {
    $groupdataobject = Get-MsolGroup -TenantId $cid | Where {$_.Displayname -eq $line.DisplayName}
    Add-MsolGroupMember -TenantId $cid -GroupObjectId $groupdataobject.ObjectID -GroupMemberObjectId $groupuser.ObjectID
}
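Below is an added example of how the group part can be written so that each requested name is resolved once and then dispatched on the MailEnabled/SecurityEnabled flags; it is not code from the post. It assumes Connect-AzureAD, Connect-MsolService and an Exchange Online session are already open and that $cid and $UserPrincipalName are set as in the script above; it fails closed on an unknown or ambiguous group name instead of silently skipping it.

```powershell
$ErrorActionPreference = 'Stop'   # any failed cmdlet halts the run instead of silently skipping a group

# Resolve every requested display name to exactly one group object, before any change is made.
# DisplayName is not unique in Azure AD, so an unknown or ambiguous name is a hard error.
function Resolve-RequestedGroups {
    param([string[]]$Names)
    $all = Get-AzureADGroup -All $true
    $resolved = @()
    foreach ($name in $Names) {
        # Client-side -eq comparison: no OData -Filter string is built from customer-typed input.
        $hits = @($all | Where-Object { $_.DisplayName -eq $name })
        if ($hits.Count -eq 0) { throw "No group named '$name' in this tenant." }
        if ($hits.Count -gt 1) { throw "'$name' matches $($hits.Count) groups; pick it by ObjectId instead." }
        $resolved += $hits[0]
    }
    return $resolved
}

# Same three-way split as the script above, driven by the two flags on the group object.
function Get-GroupKind {
    param($Group)
    if ($Group.MailEnabled -and $Group.SecurityEnabled) { return 'MailEnabledSecurity' }
    if ($Group.MailEnabled) { return 'MailEnabled' }   # a Microsoft 365 group and a distribution list share these flags
    return 'Security'
}

$groupuser = Get-MsolUser -TenantId $cid -UserPrincipalName $UserPrincipalName
$groups    = Read-Host "Copy the groups to add the user to. Separate multiple groups with comma (,)"
$groupdata = @($groups.Split(',').Trim() | Where-Object { $_ })   # drop empty entries left by stray commas

$targets = Resolve-RequestedGroups -Names $groupdata   # fail closed here, not halfway through the loop
foreach ($g in $targets) {
    switch (Get-GroupKind $g) {
        'MailEnabledSecurity' {
            Add-DistributionGroupMember -Identity $g.Mail -Member $groupuser.UserPrincipalName -BypassSecurityGroupManagerCheck
        }
        'MailEnabled' {
            Add-AzureADGroupMember -ObjectId $g.ObjectId -RefObjectId $groupuser.ObjectId
        }
        'Security' {
            Add-MsolGroupMember -TenantId $cid -GroupObjectId $g.ObjectId -GroupMemberObjectId $groupuser.ObjectId
        }
    }
    # Log the ObjectId, not just the name, so the change can be audited against the tenant later.
    Write-Host "Added $UserPrincipalName to '$($g.DisplayName)' ($($g.ObjectId))"
}
```

The per-name comparison is what removes the one-group-works, many-groups-fail behaviour: comparing a scalar DisplayName against the whole $groupdata array only matches when that array has a single element.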