Create Security Group and Add Members in Azure AD using PowerShell

Azure AD Security Groups are security principals that can be used to secure objects. In Microsoft 365, we can assign licenses and apply Conditional Access policies to users through security groups. In this post, we will explore how to create a new security group and add members in bulk from a CSV file using PowerShell.

Before you start, install the Azure AD PowerShell V2 module and run the command below to connect to Azure AD.

Connect-AzureAD

Create a new Security group

We can use the New-AzureADGroup cmdlet to create a new security group. The SecurityEnabled parameter must be set to $True to make the group a security group.

New-AzureADGroup -DisplayName "TestSecurityGroup" -SecurityEnabled $true -Description "Test security group"  -MailEnabled $false -MailNickName "NotSet"

We can’t use this command to create a mail-enabled security group. We need to use Exchange Online PowerShell to create mail-enabled security groups. For more details, see this post: Create and Manage Mail-Enabled Security Groups using PowerShell

We will receive the following error message when we try to create a mail-enabled security group using the New-AzureADGroup cmdlet or Microsoft Graph API.

PS C:\> New-AzureADGroup -DisplayName "Test MSG" -SecurityEnabled $true -MailEnabled $true -MailNickName "testmsg" -Description "Test mail security group"

New-AzureADGroup : Error occurred while executing NewGroup
Code: Request_BadRequest
Message: Cannot Create a mail-enabled security groups and or distribution list.

Once the group is created successfully, you can check the group details by running the command below.

Get-AzureADGroup -SearchString "TestSecurityGroup"

Add Members and Owners to a Security group

We can use the Add-AzureADGroupMember cmdlet to add members to an Azure AD group.

$Group = "TestSecurityGroup"
$User = "user@contoso.com"   # UPN of the user to add (placeholder value)
$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -ObjectId $User

Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

Use the Add-AzureADGroupOwner cmdlet to add users to a group as the owner.

$GroupObj = Get-AzureADGroup -SearchString "TestSecurityGroup"
$UserObj = Get-AzureADUser -ObjectId "user@contoso.com"   # UPN of the new owner (placeholder value)

Add-AzureADGroupOwner -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

Run the command below to display the current members of the security group.

$GroupObj = Get-AzureADGroup -SearchString "TestSecurityGroup"
Get-AzureADGroupMember -ObjectId $GroupObj.ObjectId

Use the command below to get the owners of the security group.

$GroupObj = Get-AzureADGroup -SearchString "TestSecurityGroup"
Get-AzureADGroupOwner -ObjectId $GroupObj.ObjectId

Add Bulk Members to a Security Group from CSV

Consider the CSV file "GroupMembers.csv", which includes the column header "UserPrincipalName" holding the user identity value in each row. Run the script below to add members in bulk to a security group by importing users from that CSV file.

$Group = "TestSecurityGroup"
$GroupObj = Get-AzureADGroup -SearchString $Group

#Read group members from CSV file
$GroupMembers = Import-CSV "C:\Temp\GroupMembers.csv"

#Iterate members one by one and add to group
Foreach($GroupMember in $GroupMembers)
{
    $User = $GroupMember."UserPrincipalName"
    Write-Progress -Activity "Adding member" -Status $User
    Try
    {
        #-ErrorAction Stop makes the lookup failure a terminating error so the catch block runs
        $UserObj = Get-AzureADUser -ObjectId $User -ErrorAction Stop
        Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId -ErrorAction Stop
    }
    catch
    {
        Write-Host "Error occurred for $User" -ForegroundColor Yellow
        Write-Host $_ -ForegroundColor Red
    }
}

Create Bulk Security Groups from CSV and Add Members

Consider the CSV file "SecurityGroups.csv", which includes the column headers 'GroupName', 'GroupDescription', 'Owners' and 'Members'. Each row holds the security group details (name and description) together with its owners and members as semicolon-separated (;) values. Run the following script to create the security groups and add owners and members in bulk by importing the details from that CSV file.

#Read security group details from CSV file
$CSVRecords = Import-CSV "C:\Temp\SecurityGroups.csv"
$TotalItems = $CSVRecords.Count
$i = 0

#Iterate groups one by one and create
ForEach($CSVRecord in $CSVRecords)
{
    $GroupName = $CSVRecord."GroupName"
    $GroupDescription = $CSVRecord."GroupDescription"
    #Split owners and members by semicolon separator (;) and set in array
    $Owners = If($CSVRecord."Owners"){ $CSVRecord."Owners" -split ';' } Else { $null }
    $Members = If($CSVRecord."Members"){ $CSVRecord."Members" -split ';' } Else { $null }

    Try
    {
        $i++
        Write-Progress -Activity "Creating group $GroupName" -Status "$i out of $TotalItems groups completed" -Id 1

        #Create a new security group
        $NewGroupObj = New-AzureADGroup -DisplayName $GroupName -SecurityEnabled $true -Description $GroupDescription -MailEnabled $false -MailNickName "NotSet" -ErrorAction Stop

        #Add owners
        if($Owners)
        {
            $TotalOwners = $Owners.Count
            $OW = 0
            ForEach($Owner in $Owners)
            {
                $OW++
                Write-Progress -Activity "Adding owner $Owner" -Status "$OW out of $TotalOwners owners completed" -ParentId 1
                Try
                {
                    $UserObj = Get-AzureADUser -ObjectId $Owner -ErrorAction Stop
                    #Add owner to the new group
                    Add-AzureADGroupOwner -ObjectId $NewGroupObj.ObjectId -RefObjectId $UserObj.ObjectId -ErrorAction Stop
                }
                catch
                {
                    Write-Host "Error occurred for $Owner" -ForegroundColor Yellow
                    Write-Host $_ -ForegroundColor Red
                }
            }
        }

        #Add members
        if($Members)
        {
            $TotalMembers = $Members.Count
            $m = 0
            ForEach($Member in $Members)
            {
                $m++
                Write-Progress -Activity "Adding member $Member" -Status "$m out of $TotalMembers members completed" -ParentId 1
                Try
                {
                    $UserObj = Get-AzureADUser -ObjectId $Member -ErrorAction Stop
                    #Add a member to the new group
                    Add-AzureADGroupMember -ObjectId $NewGroupObj.ObjectId -RefObjectId $UserObj.ObjectId -ErrorAction Stop
                }
                catch
                {
                    Write-Host "Error occurred for $Member" -ForegroundColor Yellow
                    Write-Host $_ -ForegroundColor Red
                }
            }
        }
    }
    catch
    {
        Write-Host "Error occurred while creating group: $GroupName" -ForegroundColor Yellow
        Write-Host $_ -ForegroundColor Red
    }
}
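As an added example that is not part of the original post, the following combines the two bulk scripts above with the checks a practitioner would want before changing a security group: an exact display-name lookup (group display names are not unique in Azure AD and -SearchString is a prefix match), a skip for users who are already members so the script can be re-run safely, a dry-run switch, and a per-user result object that can be exported as a record of the change. The function names, the -DryRun switch and the CSV path are assumptions of this example, not part of the AzureAD module.

```powershell
# Added example (not from the original post). Assumes Connect-AzureAD has run and a CSV
# with columns GroupName, GroupDescription, Members (semicolon-separated UPNs), as above.
function Get-ExactGroup {
    param([Parameter(Mandatory)][string]$DisplayName)
    # -SearchString is a prefix match and may return several groups; group display
    # names are not unique in Azure AD, so an exact filter plus a count check is safer.
    $escaped = $DisplayName -replace "'", "''"
    $groups = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
    if ($groups.Count -gt 1) {
        throw "$($groups.Count) groups named '$DisplayName'; use the ObjectId instead."
    }
    return $groups | Select-Object -First 1   # $null when no group exists yet
}

function Sync-GroupMembersFromCsv {
    param([Parameter(Mandatory)][string]$CsvPath, [switch]$DryRun)
    foreach ($row in Import-Csv $CsvPath) {
        $group = Get-ExactGroup -DisplayName $row.GroupName
        if (-not $group) {
            if ($DryRun) {
                [pscustomobject]@{ Group = $row.GroupName; User = ''; Status = 'WouldCreateGroup' }
                continue
            }
            $params = @{ DisplayName = $row.GroupName; SecurityEnabled = $true
                         MailEnabled = $false; MailNickName = 'NotSet'; ErrorAction = 'Stop' }
            if ($row.GroupDescription) { $params.Description = $row.GroupDescription }
            $group = New-AzureADGroup @params
        }
        # Read current members once so a re-run skips them instead of failing with
        # "One or more added object references already exist".
        $existing = @{}
        Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
            ForEach-Object { $existing[$_.ObjectId] = $true }
        foreach ($upn in ($row.Members -split ';' | ForEach-Object Trim | Where-Object { $_ })) {
            $status = 'Added'
            try {
                $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
                if ($existing.ContainsKey($user.ObjectId)) { $status = 'AlreadyMember' }
                elseif ($DryRun) { $status = 'WouldAdd' }
                else { Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId -ErrorAction Stop }
            }
            catch { $status = "Failed: $($_.Exception.Message)" }
            [pscustomobject]@{ Group = $row.GroupName; User = $upn; Status = $status }
        }
    }
}

# Dry run first, then keep the per-user outcome as an audit record of the change.
# Sync-GroupMembersFromCsv -CsvPath 'C:\Temp\SecurityGroups.csv' -DryRun | Format-Table
# Sync-GroupMembersFromCsv -CsvPath 'C:\Temp\SecurityGroups.csv' | Export-Csv 'C:\Temp\Result.csv' -NoTypeInformation
```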