Group management in Microsoft 365 is a key task for administrators, especially when it comes to controlling access rights, assigning licenses, or managing users and devices. The replacement of the previous PowerShell modules AzureAD, AzureADPreview, and MSOnline with Microsoft Graph PowerShell marks a paradigm shift. Microsoft Graph PowerShell is based on the Graph API and, through a unified command model, provides access to nearly all relevant Microsoft 365 services, from Entra ID and Exchange to Intune and Teams. Groups can be managed this way as well. The following article explains how this works and what alternatives are available.
Setting up Microsoft Graph PowerShell
Microsoft Graph PowerShell is installed directly in PowerShell or in Windows Terminal via the PowerShell Gallery:
Install-Module Microsoft.Graph -Scope CurrentUser -Force
This command installs the entire Microsoft Graph SDK module for the current user. Using -Force ensures that any prompts are suppressed.
After successful installation, authentication takes place:
Set-ExecutionPolicy RemoteSigned
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"
This command opens a login window and authenticates the session with the specified permissions. Group.ReadWrite.All allows you to create, edit, and delete groups. User.Read.All allows you to read user data. The permissions only apply to the current PowerShell session.
Display session permissions:
(Get-MgContext).Scopes
The command shows which permissions are currently effective. Administrators can view and manage the consented permissions via the Entra Admin Center (formerly Azure AD Portal) under “Enterprise Applications” → “Microsoft Graph Command Line Tools”.

Extension of permissions at runtime:
Connect-MgGraph -Scopes "User.ReadWrite.All"
The command extends an existing connection with additional permissions. This is necessary if write permissions are needed later in the session, for example for user changes.
Creating groups in Microsoft Graph PowerShell
This example creates a Microsoft 365 group with mail functionality and security features. The parameter groupTypes = @("Unified") makes it compatible with Teams, Outlook, and Planner.
$params = @{
    displayName     = "Projektteam Nord"
    description     = "Gruppe für Projekte in Region Nord"
    mailNickname    = "projteamnord"
    mailEnabled     = $true
    securityEnabled = $true
    groupTypes      = @("Unified")
}
New-MgGroup -BodyParameter $params
Groups can also be created, edited, and managed directly via a graphical interface in IDM-Portal 5.1, including their members. This is especially helpful for administrators who do not work exclusively with PowerShell.
Creating a dynamic group:
$params = @{
    displayName                   = "Forschung"
    mailEnabled                   = $false
    securityEnabled               = $true
    mailNickname                  = "forschung"
    groupTypes                    = @("DynamicMembership")
    membershipRule                = '(user.department -eq "Forschung")'
    membershipRuleProcessingState = "on"
}
New-MgGroup -BodyParameter $params
This group is based on a dynamic membership rule. Users whose department attribute equals "Forschung" (research) are added automatically; membershipRuleProcessingState = "on" enables the rule evaluation.
Add Members to Groups
In PowerShell, you can add new users to existing groups:
New-MgGroupMember -GroupId "<Group ID>" -DirectoryObjectId "<User ID>"
This command adds a user to a group using their object ID. You can get the group ID with Get-MgGroup and the user ID with Get-MgUser.
Add multiple members from a CSV file:
Import-Csv "C:\mitglieder.csv" | ForEach-Object {
    New-MgGroupMember -GroupId "<Gruppen-ID>" -DirectoryObjectId $_.UserID
}
The command imports a CSV file with user IDs (column UserID) and adds every user listed in the file to the specified group.

The Get-MgGroup cmdlet is used to retrieve information about groups in Microsoft Entra ID. It can list all groups or filter specific ones based on their properties. A helpful feature is the -Filter parameter, which selects only groups with certain attributes.
Get-MgUser, on the other hand, is used to retrieve user information from Entra ID, such as the display name, UPN (User Principal Name), or the user’s ID. Both commands are necessary to determine object IDs that are required for advanced operations like group memberships or license assignments.
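The CSV import above assumes the file already contains object IDs. In practice, helpdesk lists usually carry user principal names, and a script that is re-run after a partial failure should not error on users who are already members. The following script is an added example (not code from the original article) that resolves UPNs with Get-MgUser, skips existing members, and writes a per-user result log. The file path, the column name UserPrincipalName, and the log path are assumptions; a session authenticated with Group.ReadWrite.All and User.Read.All is expected.

```powershell
# Added example: idempotent bulk-add of group members from a CSV of user principal names.
# Assumes Connect-MgGraph has been run with Group.ReadWrite.All and User.Read.All.
param(
    [Parameter(Mandatory)] [string] $GroupId,
    [string] $CsvPath = "C:\mitglieder.csv",      # assumed layout: one column named UserPrincipalName
    [string] $LogPath = "C:\mitglieder-ergebnis.csv"
)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Collect the IDs of current members once, so a re-run does not try to add them again
$existing = @{}
Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { $existing[$_.Id] = $true }

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = $row.UserPrincipalName.Trim()
    try {
        # Resolve the UPN to the object ID that New-MgGroupMember requires
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop

        if ($existing.ContainsKey($user.Id)) {
            [pscustomobject]@{ User = $upn; Status = 'AlreadyMember'; Error = '' }
            continue
        }

        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $user.Id -ErrorAction Stop
        $existing[$user.Id] = $true
        [pscustomobject]@{ User = $upn; Status = 'Added'; Error = '' }
    }
    catch {
        # Unknown UPN, missing scope or throttling all end up here with the Graph error text
        [pscustomobject]@{ User = $upn; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

# Persist the outcome for audit purposes and print a summary
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Because every row is processed in its own try/catch, one unresolvable UPN does not abort the run, and the exported log shows exactly which accounts were added, which were already members, and which failed and why.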
Example: Display all groups in the tenant
Get-MgGroup -All
This command retrieves all groups in the connected tenant. Without the -All parameter, only the first page of results would be returned.
Example: Display only groups with the name “Marketing”
Get-MgGroup -Filter "DisplayName eq 'Marketing'"
Here, an OData filter is used to perform a targeted query that only returns groups with an exact match for the display name.
Example: Finding a specific user based on their UPN
Get-MgUser -UserId "max.muster@firma.de"
This retrieves the complete user data for the specified user.
Example: Display all users with the first name “Max”
Get-MgUser -Filter "startsWith(GivenName,'Max')"
This command displays all users whose first name begins with “Max.” The use of startsWith is ideal for dynamic searches.
Removing members from groups using PowerShell
PowerShell can also be used to remove users from existing groups:
Remove-MgGroupMemberByRef -GroupId "<Gruppen-ID>" -DirectoryObjectId "<Benutzer-ID>"
Of course, it is also possible to remove multiple users from groups at once:
Import-Csv "C:\gruppen.csv" | ForEach-Object {
    Remove-MgGroupMemberByRef -GroupId $_.GroupObjectID -DirectoryObjectId "<UserID>"
}
The command reads a list of group IDs (column GroupObjectID) from a CSV file and removes one user from all of those groups at once.
With IDM-Portal 5.1, members can also be added or removed via drag & drop. Changes are saved directly in Entra ID. This offers an intuitive option for helpdesk or departmental administrators without needing to work with PowerShell.
Managing Group Owners in PowerShell
The owner has special permissions for a group. PowerShell also allows you to manage the group owner:
New-MgGroupOwner -GroupId "<Gruppen-ID>" -DirectoryObjectId "<Benutzer-ID>"
Get-MgGroupOwner -GroupId "<Gruppen-ID>"
To customize the properties of a group, you can use the following command, for example:
$params = @{
    description = "Aktualisierte Beschreibung"
}
Update-MgGroup -GroupId "<Gruppen-ID>" -BodyParameter $params
The command updates certain fields of a group, such as description or display name.
Licensing groups with Microsoft Graph PowerShell
Group-based license assignment in Microsoft 365 allows administrators to assign licenses centrally to a group. Once a user is a member of this group, they automatically receive the assigned license. This significantly reduces administrative overhead and ensures consistent license distribution, especially in dynamic environments or role-based concepts. To assign a license, you must first determine the available license products in the tenant. This is done with the following command:
Get-MgSubscribedSku -All
This command returns a list of all license SKUs available in the tenant. A unique identifier, known as the SkuId, is issued for each license. This is necessary in order to assign a license to a group. Once the desired SkuId is known, the license can be assigned to a group as follows:
Set-MgGroupLicense -GroupId "<Gruppen-ID>" -AddLicenses @{SkuId = "<SkuId>"} -RemoveLicenses @()
The GroupId parameter is the object ID of the target group. AddLicenses specifies the SkuId that should be added. RemoveLicenses can be used at the same time to remove licenses that are no longer needed. In the example above, this parameter is left empty; only one license is added.
Practical example:
A company wants to automatically provide all employees in the "Vertrieb" (sales) group with a Microsoft 365 Business Standard license. The group was created beforehand with New-MgGroup. Once the matching SkuId has been determined, the license can be assigned to the group with the following command:
Set-MgGroupLicense -GroupId "a1b2c3d4-5678-9876-5432-a1b2c3d4e5f6" -AddLicenses @{SkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac"} -RemoveLicenses @()
From this point on, all members of this group will automatically be assigned the license. This makes management significantly more efficient, especially when team structures change. To check which licenses are currently assigned to a group, use the following command:
Get-MgGroup -GroupId "<Gruppen-ID>" | Select-Object -ExpandProperty AssignedLicenses
This method allows license assignments to be tracked and, if necessary, reversed. Group-based license assignment can be combined perfectly with automated group memberships and thus integrated into fully automated user and license management.
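Copying a SkuId by hand from the Get-MgSubscribedSku output is error-prone, and a group with more members than free seats will leave some users with a license error. The script below is an added example (not from the original article) that ties the steps of this section together: it resolves the SKU by its part number, compares free seats with the group's size, assigns the license, and reads back the group's license set. The SkuPartNumber value and the group ID are constructed placeholders; the session is assumed to hold Group.ReadWrite.All and a directory-read scope such as Organization.Read.All for Get-MgSubscribedSku.

```powershell
# Added example: assign a license to a group by SKU part number with a seat check.
# Assumes Group.ReadWrite.All and Organization.Read.All in the current session.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$GroupId       = "<Gruppen-ID>"            # placeholder: object ID of the target group
$SkuPartNumber = "O365_BUSINESS_PREMIUM"   # part number of Microsoft 365 Business Standard; verify in your tenant

# Resolve the part number to the SkuId the API needs
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) {
    throw "SKU '$SkuPartNumber' is not subscribed in this tenant."
}

# Free seats = purchased and enabled units minus units already consumed
$available   = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
$memberCount = @(Get-MgGroupMember -GroupId $GroupId -All).Count
if ($memberCount -gt $available) {
    Write-Warning "Group has $memberCount members but only $available free seats; some members will show a license error."
}

# Assign the license; RemoveLicenses stays empty because nothing is being withdrawn
Set-MgGroupLicense -GroupId $GroupId -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Read back the licenses now attached to the group and show them by part number
$skuNames = @{}
Get-MgSubscribedSku -All | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }
(Get-MgGroup -GroupId $GroupId -Property assignedLicenses).AssignedLicenses |
    ForEach-Object { [pscustomobject]@{ SkuId = $_.SkuId; SkuPartNumber = $skuNames[$_.SkuId] } }
```

The seat check is only a warning, because group-based licensing still applies the license to as many members as seats allow; the point is to surface the shortfall before users open tickets rather than to block the assignment.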
Advanced filtering and analysis of group structures in Microsoft 365
Microsoft Graph PowerShell provides powerful query options for evaluating specific group information in the Microsoft 365 tenant. A common use case is that you query all groups without a defined expiration date. This helps you identify potential legacy groups that the automatic expiration mechanisms don’t regulate.
Get-MgGroup -ConsistencyLevel eventual -Filter "NOT (expirationDateTime ge 1900-01-01T00:00:00Z)"
The ConsistencyLevel eventual parameter is required for advanced queries that use server-side filter operators such as NOT and for count functions; Graph additionally expects $count=true on such queries, which the cmdlet sends when you pass -CountVariable. The query returns all groups without a set expiration date, which helps you identify permanently active security groups or obsolete project groups, for example.
You can also filter for specific group types, such as Microsoft Teams groups, by checking if their metadata contains the entry resourceProvisioningOptions with the value Team.
Get-MgGroup -Filter "resourceProvisioningOptions/any(p:p eq 'Team')"
This query returns only those groups that were created as Microsoft Teams workspaces. This is useful when you want to create or clean up an overview of all active teams in an organization. To determine the group memberships of a specific user, you can use the following cmdlet:
Get-MgUserMemberOf -UserId "<Benutzer-ID>"
This allows you to display all groups of which the user is currently a member. These can include security groups, Microsoft 365 groups, distribution lists, or even dynamic groups.
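Groups that never expire and have no owner are the ones nobody reviews, and they tend to accumulate members and permissions over time. The following script is an added example (not code from the original article) that combines the queries of this section into one hygiene report: it lists every group without an expiration date, marks Teams-backed groups, counts owners per group, and highlights the ownerless ones. It assumes a session with at least Group.Read.All; the report path is an assumption.

```powershell
# Added example: report groups without an expiration date, with owner count and Teams flag.
# Assumes Group.Read.All (or a higher group scope) in the current session.
Import-Module Microsoft.Graph.Groups

$ReportPath = "C:\gruppen-hygiene.csv"   # assumed output path

# NOT is an advanced query operator: it needs ConsistencyLevel eventual plus a count variable
$noExpiry = Get-MgGroup -All -ConsistencyLevel eventual -CountVariable total `
    -Filter "NOT (expirationDateTime ge 1900-01-01T00:00:00Z)" `
    -Property id,displayName,groupTypes,createdDateTime,resourceProvisioningOptions

$report = foreach ($g in $noExpiry) {
    # One owner lookup per group; @() keeps .Count correct when there is no or one owner
    $owners = @(Get-MgGroupOwner -GroupId $g.Id -All)

    $type = if ($g.GroupTypes -contains 'Unified') { 'Microsoft 365' } else { 'Security/Other' }
    $dynamic = [bool]($g.GroupTypes -contains 'DynamicMembership')
    $isTeam = [bool]($g.ResourceProvisioningOptions -contains 'Team')
    $ageDays = if ($g.CreatedDateTime) { [int]((Get-Date) - $g.CreatedDateTime).TotalDays } else { $null }

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Id          = $g.Id
        Type        = $type
        Dynamic     = $dynamic
        IsTeam      = $isTeam
        OwnerCount  = $owners.Count
        AgeDays     = $ageDays
    }
}

# Full report for follow-up, then the risky subset on screen: ownerless groups, oldest first
$report | Export-Csv -Path $ReportPath -NoTypeInformation
"$total groups without expiration date, $(@($report | Where-Object OwnerCount -eq 0).Count) of them without an owner"
$report | Where-Object OwnerCount -eq 0 | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

The report is read-only; the natural follow-up is to assign owners with New-MgGroupOwner or to bring the groups under an expiration policy, both of which require the write scopes described earlier.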
For administrators who prefer to work with a graphical user interface, the IDM-Portal from version 5.1 onwards offers full integration of Entra ID group management. It displays not only all cloud groups, but also groups synchronized from Active Directory (in read-only mode). In the user view, a user’s group memberships are visible and can be edited directly. Assignment is conveniently done via a drag-and-drop interface.
In addition, the IDM-Portal allows for the structured display of all group memberships at a glance and supports the traceability of changes through logging functions. This greatly simplifies the targeted analysis of group structures, which is a significant advantage in complex hybrid environments with mixed cloud and on-premises operations.
Analyze and manage permissions for cmdlets in a targeted manner
A key element when working with Microsoft Graph PowerShell is understanding the permissions required for specific cmdlets. Microsoft Graph is based on a finely granular permission model that relies on so-called scopes. These must be specified during authentication and determine what is permitted within a PowerShell session. To find out which permissions a specific cmdlet requires, the following command can be used:
Find-MgGraphCommand -Command Get-MgUser | Find-MgGraphPermission
This command analyzes the Get-MgUser cmdlet and returns a list of all permissions that are required or optional. The output includes both delegated permissions (which apply on behalf of the currently logged-in user) and application-related permissions (for app-only access via registered applications). In practice, this helps to identify the necessary rights before executing a cmdlet and to specify the appropriate scope.
Example: Checking rights for group editing
Anyone planning to edit groups should check in advance whether the Update-MgGroup cmdlet requires additional rights. The query command is:
Find-MgGraphCommand -Command Update-MgGroup | Find-MgGraphPermission
The output then shows that you require Group.ReadWrite.All, among other things. This information is important because without this scope, you may formulate the command correctly but it will still fail due to lack of authorization.
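The permission lookup shown here and the Connect-MgGraph / Get-MgContext steps from the setup section fit together into one routine: derive the delegated permissions a planned set of cmdlets needs, connect with only the scopes you chose, and confirm the session actually carries them. The script below is an added example (not from the original article) of that routine. The property names Name, PermissionType and Consent on the Find-MgGraphPermission output are assumed from the SDK's current output format; adjust them if your module version prints different columns.

```powershell
# Added example: map cmdlets to delegated permissions, connect with a chosen minimal scope
# set, and verify the resulting session. Output property names are assumptions (see lead-in).
Import-Module Microsoft.Graph.Authentication

function Get-CmdletPermissionMatrix {
    # Returns one row per (cmdlet, delegated permission) pair so the admin can choose scopes
    param([Parameter(Mandatory)] [string[]] $Command)

    foreach ($c in $Command) {
        Find-MgGraphCommand -Command $c -ApiVersion v1.0 | Find-MgGraphPermission |
            Where-Object PermissionType -eq 'Delegated' |
            ForEach-Object {
                [pscustomobject]@{ Command = $c; Permission = $_.Name; Consent = $_.Consent }
            }
    }
}

function Test-MgScopes {
    # Fails if a required scope is missing; warns if the session carries more than the task needs
    param([Parameter(Mandatory)] [string[]] $Required)

    $ctx = Get-MgContext
    if (-not $ctx) { throw "Not connected; run Connect-MgGraph first." }

    $missing = $Required | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) { throw "Session lacks scopes: $($missing -join ', ')" }

    # OpenID Connect scopes are always present and are not Graph permissions
    $baseline = 'openid', 'profile', 'email', 'offline_access'
    $extra = $ctx.Scopes | Where-Object { $_ -notin $Required -and $_ -notin $baseline }
    if ($extra) { Write-Warning "Session carries scopes beyond this task: $($extra -join ', ')" }
    return $true
}

# 1. Which delegated permissions do the cmdlets of a member-management task accept?
$matrix = Get-CmdletPermissionMatrix -Command 'Get-MgGroup', 'New-MgGroupMember', 'Get-MgUser'
$matrix | Sort-Object Command, Permission | Format-Table -AutoSize

# 2. Choose the lowest permission per cmdlet that still covers the task (a human decision,
#    taken from the matrix above) and connect with exactly that set
$Scopes = 'Group.ReadWrite.All', 'User.Read.All'
Connect-MgGraph -Scopes $Scopes -NoWelcome

# 3. Confirm the token really contains the chosen scopes before running any write cmdlet
Test-MgScopes -Required $Scopes
```

The "extra scopes" warning matters because consent is cumulative: once a user has consented to a broad scope for the Microsoft Graph Command Line Tools app, later tokens for that user include it even if the current Connect-MgGraph call did not ask for it. Seeing that warning is the cue to review and revoke consents in the Entra Admin Center, as described in the next section.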
Assign rights consciously and securely
Knowing the required scopes is also important for security reasons. Instead of granting all permissions by default, this method allows you to define exactly which permissions a session needs. This reduces the attack surface and follows the principle of least privilege. The actual permissions and their scope can be reviewed graphically via the Microsoft Entra Admin Center (formerly Azure AD Portal). Under “Enterprise Applications”, you can open the app “Microsoft Graph PowerShell“. In the “Permissions” section, both granted admin consents and user consents are displayed. You can also see which users have consented to specific scopes. By clicking “Total Users”, you can view a list of affected accounts. Administrators also have the option to revoke consents individually. Combining PowerShell commands with transparent permission management in the Microsoft Entra Admin Center provides a solid foundation for controlled and audit-compliant use of Microsoft Graph PowerShell.
Overview of Group Management in IDM-Portal
Starting with IDM-Portal version 5.1, administrators have access to a fully integrated interface for directly managing Entra ID groups. In addition to the standard view and editing of group members, the portal offers a user-friendly structure deeply integrated with the Microsoft 365 environment. A key highlight is the ability to display both cloud-based and synchronized AD groups in a consistent view. The my-IAM RealGroup Service ensures that it applies all changes to Entra ID in real time through the underlying connection.

Another practical benefit lies in administrative control: Groups can not only be managed centrally, but also maintained directly in the user context. Memberships can be viewed and adjusted individually per user. Alongside the drag-and-drop feature in the members tab, the updated interface improves overall clarity. The introduction of trace logging further simplifies troubleshooting by automatically documenting technical details of actions. For complex environments with hybrid infrastructure, IDM-Portal offers an effective bridge that combines transparency with ease of use.
