Clearing up user group membership using PowerShell Graph API Remove-MgGroupMemberByRef ?

Question

Clearing up user group membership using PowerShell Graph API Remove-MgGroupMemberByRef ?

EnterpriseArchitect 6,326

Using the latest PowerShell Graph API, how can I remove Azure AD group members from a user account?

The input will be user principal name, and the command will be using Remove-MgGroupMemberByRef cmdlet: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/remove-mggroupmemberbyref?view=graph-powershell-1.0&preserve-view=true

CarlZhao-MSFT 46,426 Reputation points

2022-12-14T09:14:45.3+00:00

Hi @EnterpriseArchitect
What error are you experiencing?

EnterpriseArchitect 6,326

I cannot remove the User from the Dynamic Group membership.

PS>TerminatingError(Remove-AzureADGroupMember): "Error occurred while executing RemoveGroupMember   
Code: Authorization_RequestDenied  
Message: Insufficient privileges to complete the operation.  
RequestId: edc9e3a6-9d71-435c-b57b-abcdefg  
DateTimeStamp: Tue, 13 Dec 2022 03:14:22 GMT  
HttpStatusCode: Forbidden  
HttpStatusDescription: Forbidden  
HttpResponseStatus: Completed

CarlZhao-MSFT 46,426 Reputation points

2023-01-06T09:16:21.513+00:00

Hi @EnterpriseArchitect , happy new year!

Dynamic group members are automatically added or removed from a group based on dynamic membership rules, and you cannot manually add or remove members of a dynamic group, and they are automatically removed only when a user or device no longer satisfies the rule.

Reference dynamic membership doc: https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0#dynamic-membership.

2 answers

Your answer

CarlZhao-MSFT 46,426 Reputation points

2022-12-14T09:14:45.3+00:00

Hi @EnterpriseArchitect
What error are you experiencing?
EnterpriseArchitect 6,326 Reputation points

2022-12-14T13:22:05.673+00:00

I cannot remove the User from the Dynamic Group membership.

PS>TerminatingError(Remove-AzureADGroupMember): "Error occurred while executing RemoveGroupMember Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. RequestId: edc9e3a6-9d71-435c-b57b-abcdefg DateTimeStamp: Tue, 13 Dec 2022 03:14:22 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed
CarlZhao-MSFT 46,426 Reputation points

2023-01-06T09:16:21.513+00:00

Hi @EnterpriseArchitect , happy new year!

Dynamic group members are automatically added or removed from a group based on dynamic membership rules, and you cannot manually add or remove members of a dynamic group, and they are automatically removed only when a user or device no longer satisfies the rule.

Reference dynamic membership doc: https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0#dynamic-membership.

Answer 1

CarlZhao-MSFT 46,426

Hi @EnterpriseArchitect

The Remove-MgGroupMemberByRef command of the Graph PowerShell SDK doesn't work for me, even though I already have the latest graph groups module, not sure if this is an unknown issue.

As an alternative solution, I use PowerShell online to call the API endpoint directly, and it works fine for me. Reference:

  $clientID = 'client id'       
  $secretKey = 'client secret'      
  $tenantID = 'tenant id'                   
  $authUrl = "https://login.microsoftonline.com/" + $tenantID + "/oauth2/v2.0/token/"      
  $body = @{       
      "scope" = "https://graph.microsoft.com/.default";       
      "grant_type" = "client_credentials";       
      "client_id" = $ClientID       
      "client_secret" = $secretKey       
  }  
          
  $authToken = Invoke-RestMethod -Uri $authUrl –Method POST -Body $body                   
  $url = "https://graph.microsoft.com/v1.0/groups/{group id}/members/{member object id}/`$ref"     
  $headers = @{       
  "Authorization" = "Bearer $($authToken.access_token)"  
   "Content-type"  = "application/json"       
  }       
Invoke-RestMethod -Uri $url -Headers $headers -Method Delete

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

EnterpriseArchitect 6,326 Reputation points

2022-12-14T13:03:15.173+00:00

Hi @CarlZhao-MSFT , thank you for the update, yes, that's what I' have thought so, hence I post in this forum.
How can I clear out all of the AD group members from one user?
The script input is User@keyman .com, then the script will go through all the Azure AD group membership and then clears them all.
CarlZhao-MSFT 46,426 Reputation points

2023-01-06T10:12:47.06+00:00

Hi @EnterpriseArchitect
I have posted a new answer due to word count limit, please refer to the answer below.
CarlZhao-MSFT 46,426 Reputation points

2023-01-17T09:22:25.0333333+00:00

Hi @Enterprise Architect

I am checking to see if this issue is resolved or not. If you have any concerns, please feel free to reply.
EnterpriseArchitect 6,326 Reputation points

2023-12-21T01:04:48.6833333+00:00
Hi @CarlZhao-MSFT ,

Can you please confirm if using both of these commands, the corresponding Teams, SharePoint and Exchange Online object references are also deleted as well?

https://learn.microsoft.com/en-us/powershell/module/azuread/remove-azureadgroup?view=azureadps-2.0 https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/remove-mggroup?view=graph-powershell-1.0

Answer 2

Hi @EnterpriseArchitect , sorry for the late reply.

I can do this using the Graph C# SDK, but your users can't be members of dynamic groups or you'll get an error.

using Azure.Identity;   
using Microsoft.Graph;  
  
  
try  
{  
  
 var scopes = new[] { "https://graph.microsoft.com/.default" };  
  
 var tenantId = "tenant id";  
  
 // Values from app registration  
 var clientId = "client id";  
 var clientSecret = "client secret";  
  
 // using Azure.Identity;  
 var options = new TokenCredentialOptions  
{  
      AuthorityHost = AzureAuthorityHosts.AzurePublicCloud  
};  
  
 // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential  
 var clientSecretCredential = new ClientSecretCredential(  
      tenantId, clientId, clientSecret, options);  
  
      var graphClient = new GraphServiceClient(clientSecretCredential, scopes);  
  
      var memberOf = await graphClient.Users["user object id"].MemberOf.Request().GetAsync();  
  
      for (int i = 0; i < memberOf.Count; i++)  
      {  
  
            var groupId = memberOf[i].Id.ToString();  
  
            await graphClient.Groups[groupId].Members["user object id"].Reference.Request().DeleteAsync();  
  
      }  
}  
catch (Exception ex) {   
  
      Console.WriteLine(ex);  
}

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

EnterpriseArchitect 6,326 Reputation points

2023-12-21T01:02:56.2133333+00:00

Hi @carl zhao ,
Unfortunately I do not have access to the C# development environment, hence I only able to test it using the PowerShell.

Share via

Clearing up user group membership using PowerShell Graph API Remove-MgGroupMemberByRef ?

2 answers

Your answer