Creating Multiple Security Groups in Microsoft Entra


I was recently asked if there was a quick way to create 180 plus Security Groups in Microsoft Entra. I used to do a lot of PowerShell scripting but have not done much in recent years. Also, with the switch to Microsoft Graph for management, I was now treading in new territory.

Previously I would have connected the old way and used its cmdlets:

Connect-MSOLService

From there I could have used the New-MsolGroup cmdlet and created them that way, but I thought, I need to get to grips with Microsoft Graph. I’ve used it in the past for a few things like management of Intune devices or adding a custom attribute to a device, but not for day-to-day stuff; I’d always stick with what I know. One positive, though, is that it works from my MacBook Pro.

So I wrote a script that would do the following:

  • Set the Group Name
  • Set the Group Description
  • Set the Group Owner

This all required the Microsoft Graph module to be installed, and it couldn’t be simpler:

Install-Module Microsoft.Graph

Once the module was installed I could connect to it using the following command:

Connect-MgGraph -Scopes "Group.ReadWrite.All"

Once connected, I used the following to create a new group:

$param = @{
    description     = "New Security Group Description"
    displayName     = "New-Group"
    mailEnabled     = $false
    securityEnabled = $true
    mailNickname    = "New-Group"
}

New-MgGroup @param

This then created a new security group called New-Group with a description of New Security Group Description:

Great, that’s the group created; however, the owner was still not set. To do this you need the New-MgGroupOwner cmdlet, and it only works against the ID of the group and the directory object ID of the user:

New-MgGroupOwner -GroupId 89c589bf-4c48-48d3-be81-c3d818c95a95 -DirectoryObjectId f647124a-7747-4a80-aa75-bcc107c83cc8

When I then looked in Entra I saw the following:

So that’s great, that works when you create one group, but what if you want to create multiple groups? Ultimately I needed a script that would do the same thing many times over. Creating the Security Groups would be the easy part, as that is all done via variables and parameters inside a PowerShell “foreach” loop; adding the Group Owners was going to be the tricky bit, or so I thought. Actually that was quite simple: the Get-MgUser cmdlet with the -Filter parameter lets you filter on either the DisplayName or the UserPrincipalName attribute. This returns the users matching that Display Name or UPN along with all their attributes, including their ID. I would recommend filtering on the UPN, as this is unique.

Get-MgUser -Filter "UserPrincipalName eq 'andrew@kemponline.co.uk'" | Format-List

The same goes for the newly created security group; run the following command:

Get-MgGroup -Filter "DisplayName eq 'New-Group'" | Format-List

So what you can do is capture both results, take the ID from each, and pass them to the New-MgGroupOwner cmdlet:

$GroupOwner = Get-MgUser -Filter "UserPrincipalName eq 'andrew@andykemp.com'"
$Group = Get-MgGroup -Filter "DisplayName eq 'New-Group'"
New-MgGroupOwner -GroupId $Group.Id -DirectoryObjectId $GroupOwner.Id

I could then use this in the script that I was creating to create multiple security groups in Entra.

So putting it all together and testing I could create multiple groups and add the owners to it also:

The final version of the script can be found here in my GitHub Repository. It also requires a CSV file with the following headings:

Name,Description,MailNickName,Owner
Group 7,"7th Group",Group7,andrew@kemponline.co.uk
Group 8,"8th Group",Group8,andrew@andykemp.com
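Putting the pieces above together, here is an added example of a CSV-driven bulk script. It is not the script from the GitHub repository; it is written here to show the complete loop. It assumes the CSV layout shown above at an assumed path of .\groups.csv, requests User.Read.All alongside Group.ReadWrite.All so the owner lookup by UPN works, escapes any single quote in the UPN before it goes into the OData filter, and skips groups or owner assignments that already exist so the script can be re-run safely.

```powershell
# Added example, not the author's repository script. Bulk-creates Entra security groups
# from a CSV with headings Name,Description,MailNickName,Owner and sets each owner.
# Assumes the Microsoft.Graph module is installed and that $CsvPath points at your file.
param(
    [string]$CsvPath = ".\groups.csv"   # assumed path; layout matches the CSV in the post
)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Group.ReadWrite.All creates groups and sets owners; User.Read.All lets us resolve
# another user's UPN to an object ID. Nothing broader is requested.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$rows = Import-Csv -Path $CsvPath
foreach ($row in $rows) {
    # Resolve the owner by UPN (unique), not display name. A single quote in the UPN
    # would break the OData filter, so double it as OData requires.
    $upn = $row.Owner -replace "'", "''"
    $owner = Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction SilentlyContinue
    if (-not $owner) {
        Write-Warning "Owner '$($row.Owner)' not found; skipping group '$($row.Name)'"
        continue
    }

    # Reuse an existing group with this display name rather than creating a duplicate.
    $name = $row.Name -replace "'", "''"
    $group = Get-MgGroup -Filter "displayName eq '$name'" -ErrorAction SilentlyContinue
    if ($group) {
        Write-Warning "Group '$($row.Name)' already exists (Id $($group.Id)); not recreating"
    }
    else {
        $params = @{
            DisplayName     = $row.Name
            Description     = $row.Description
            MailNickname    = $row.MailNickName
            MailEnabled     = $false
            SecurityEnabled = $true
        }
        $group = New-MgGroup @params
        Write-Host "Created group '$($group.DisplayName)' with Id $($group.Id)"
    }

    # Only add the owner if they are not already one, so re-running does not error.
    $currentOwners = Get-MgGroupOwner -GroupId $group.Id
    if ($currentOwners.Id -notcontains $owner.Id) {
        New-MgGroupOwner -GroupId $group.Id -DirectoryObjectId $owner.Id
        Write-Host "  Owner set to $($owner.UserPrincipalName)"
    }
    else {
        Write-Host "  $($owner.UserPrincipalName) is already an owner"
    }
}

Disconnect-MgGraph
```

Run it as `.\New-BulkGroups.ps1 -CsvPath .\groups.csv` (the script name is illustrative). Checking for an existing group and an existing owner before each write is what keeps the script idempotent; without it a second run after a partial failure would either create duplicate groups or error on the owner assignment.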

Now I am sure there is an easier way to do this, but for me this worked a treat.
