Adding Multiple Cloud Users to an Azure/Office 365 Security Group

This one had me stumped for a while – how do you get a bunch of users in Office 365/Azure and then add them to a security group? This was met with the relevant tweets of frustration, such as:

After mucking around for a while, and getting Microsoft MVP David O’Brien to listen to my woes, I ended up working out a solution.

Part of my confusion was around this TechNet article for the command Add-MsolGroupMember which at the time of writing, I’m convinced is wrong. The example they give is to get a user and a group, then add the user to the group…. except, they’re used the get-msolgroup command to do so.

When I tried to switch this over to a user lookup with multiple user results, I received this error:

Add-MsolGroupMember : Cannot convert ‘System.Object[]’ to the type ‘System.Guid’ required by parameter
‘GroupObjectId’. Specified method is not supported.

Long story short, most Office 365 user/group commands I’ve come across don’t support multiple inputs, so you can’t feed a list of results through – it’s one at a time. Also, groups and users only seem to support using the Object ID of each object, so you can’t easily use names, email addresses etc. This means you’ll need to run commands to get those Object IDs based on the information you know.

To get around this, you’ll need to use the ‘foreach’ command – then it’ll go through each of your results one by one. I’ll go through this step by step:

1. Get your group:

$group = get-msolgroup | where {$_.Displayname -eq “All Office365 Users”}

Pretty self explanatory, we’re making the variable $group equal the object of the group name specified.

To check what users came back, you can just type $group

2. Get your users:

$users = get-msoluser | select userprincipalname,objectid | where {$_.userprincipalname -like “*domain.com*”}

Similar to the above, we’re making the variable $users all the users we want to add to the group, based on the User Principal Name containing “domain.com”. We’re also making sure we grab the object id of each of those users.

3. Adding the users to the group

$users | foreach {add-msolgroupmember -groupobjectid $group.objectid -groupmembertype “user” -GroupMemberObjectId $_.objectid}

This is showing the users we set earlier, then for each record, running the command ‘add-msolgroupmember’ based on the group we discovered in step 1, and the users from step2. Notice we call the Object ID for each of these objects, as the commands only support it as an identifier.

4. Check what users are in the group

get-msolgroupmember -groupobjectid $group.objectid

This will show you all the members of the group you’ve been working on.

With the above, you can use pretty much any search criteria for step 2, and add those users to your group.

Note that all the above is only for ‘In Cloud’ users, if they were on premesis and being synced to Azure AD/Office365, you’d run different commands against your on premise Active Directory environment.

2 thoughts on “Adding Multiple Cloud Users to an Azure/Office 365 Security Group

    1. Hi Kent,
      First – are they cloud only users, or sycn’d users via ADFS/Azure AD Connect? If they’re sync’d, you should be able to stop the sync and wait for them to expire, I believe they’ll delete themselves after 14 or 30 days.
      Some good info here on that https://community.spiceworks.com/topic/1608633-office-365-remove-azure-ad-connect-sync-ed-users-and-re-sync

      If they’re cloud only, or you want them instantly deleted after stopping the accounts syncing, it’s just a matter of getting the users as results, and piping that to a delete command.

      Something like:

      get-msoluser | remoove-msoluser -force

      That’ll delete EVERYONE, which is why I’ve mistyped ‘remove’ :)

      More details here:

      http://www.garethjones294.com/bulk-removing-azure-active-directory-users-and-groups-using-powershell/

Leave a Reply