Manage security groups with PowerShell
This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.
You can use PowerShell for Microsoft 365 as an alternative to the Microsoft 365 admin center to manage security groups.
This article describes how to list, create, change the settings of, and remove security groups.
When a command block in this article requires that you specify variable values, use these steps.
- Copy the command block to the clipboard and paste it into Notepad or the PowerShell Integrated Script Environment (ISE).
- Fill in the variable values and remove the "<" and ">" characters.
- Run the commands in the PowerShell window or the PowerShell ISE.
See Maintain security group membership to manage group membership with PowerShell.
Use the Azure Active Directory PowerShell for Graph module
First, connect to your Microsoft 365 tenant.
List your groups
Use this command to list all of your groups.
Get-AzureADGroup
Use these commands to display the settings of a specific group by its display name.
$groupName="<display name of the group>"
Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }
Create a new group
Use this command to create a new security group.
New-AzureADGroup -Description "<group purpose>" -DisplayName "<name>" -MailEnabled $false -SecurityEnabled $true -MailNickName "<email name>"
Change the settings on a group
Display the settings of the group with these commands.
$groupName="<display name of the group>"
Get-AzureADGroup | Where { $_.DisplayName -eq $groupName } | Select *
Then, use the Set-AzureADGroup article to determine how to change a setting.
Remove a security group
Use these commands to remove a security group.
$groupName="<display name of the group>"
Remove-AzureADGroup -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId
Manage the owners of a security group
Use these commands to display the current owners of a security group.
$groupName="<display name of the group>"
Get-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId
Use these commands to add a user account by its user principal name (UPN) to the current owners of a security group.
$userUPN="<UPN of the user account to add>"
$groupName="<display name of the group>"
Add-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -RefObjectId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectId
Use these commands to add a user account by its display name to the current owners of a security group.
$userName="<Display name of the user account to add>"
$groupName="<display name of the group>"
Add-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -RefObjectId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectId
Use these commands to remove a user account by its UPN from the current owners of a security group.
$userUPN="<UPN of the user account to remove>"
$groupName="<display name of the group>"
Remove-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -OwnerId (Get-AzureADUser | Where { $_.UserPrincipalName -eq $userUPN }).ObjectId
Use these commands to remove a user account by its display name from the current owners of a security group.
$userName="<Display name of the user account to remove>"
$groupName="<display name of the group>"
Remove-AzureADGroupOwner -ObjectId (Get-AzureADGroup | Where { $_.DisplayName -eq $groupName }).ObjectId -OwnerId (Get-AzureADUser | Where { $_.DisplayName -eq $userName }).ObjectId
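A group display name is not unique in a tenant, and Get-AzureADGroup without -All $true returns only the first 100 groups, so the display-name lookups above can yield no ObjectId or more than one. The following added example (not part of the original article) resolves the name to exactly one security-enabled group before removing it. Resolve-UniqueSecurityGroup and Remove-SecurityGroupByName are hypothetical helper names, and the code assumes the AzureAD module is loaded and Connect-AzureAD has already been run.

```powershell
# Added example: resolve a display name to exactly one security group
# before its ObjectId is passed to a destructive cmdlet.
# Both function names are hypothetical helpers, not AzureAD module cmdlets.
function Resolve-UniqueSecurityGroup {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DisplayName)

    # Escape single quotes so the name is safe inside the OData filter.
    $escaped = $DisplayName.Replace("'", "''")
    # Filter server-side and page through all results, not just the first 100.
    $found = @(Get-AzureADGroup -All $true -Filter "DisplayName eq '$escaped'")

    if ($found.Count -eq 0) {
        throw "No group has the display name '$DisplayName'."
    }
    if ($found.Count -gt 1) {
        $ids = ($found | ForEach-Object { $_.ObjectId }) -join ', '
        throw "Display name '$DisplayName' is ambiguous. Matching ObjectIds: $ids"
    }
    if (-not $found[0].SecurityEnabled) {
        throw "Group '$DisplayName' ($($found[0].ObjectId)) is not security-enabled."
    }
    return $found[0]
}

function Remove-SecurityGroupByName {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$DisplayName)

    $group = Resolve-UniqueSecurityGroup -DisplayName $DisplayName

    # Record the current owners so the deletion can be reviewed afterwards.
    $owners = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId)
    Write-Verbose ("Owner ObjectIds: " + (($owners | ForEach-Object { $_.ObjectId }) -join ', '))

    if ($PSCmdlet.ShouldProcess("$($group.DisplayName) [$($group.ObjectId)]", 'Remove security group')) {
        Remove-AzureADGroup -ObjectId $group.ObjectId
    }
}

# Dry run: shows which group would be removed without deleting it.
# Remove-SecurityGroupByName -DisplayName "<display name of the group>" -WhatIf -Verbose
```

The same Resolve-UniqueSecurityGroup call can supply the -ObjectId value for the Add-AzureADGroupOwner and Remove-AzureADGroupOwner commands above.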
Use the Microsoft Azure Active Directory module for Windows PowerShell
First, connect to your Microsoft 365 tenant.
List your groups
Use this command to list all of your groups.
Get-MsolGroup
Use these commands to display the settings of a specific group by its display name.
$groupName="<display name of the group>"
Get-MsolGroup | Where { $_.DisplayName -eq $groupName }
Create a new group
Use this command to create a new security group.
New-MsolGroup -Description "<group purpose>" -DisplayName "<name>"
Change the settings on a group
Display the settings of the group with these commands.
$groupName="<display name of the group>"
Get-MsolGroup | Where { $_.DisplayName -eq $groupName } | Select *
Then, use the Set-MsolGroup article to determine how to change a setting.
Remove a security group
Use these commands to remove a security group.
$groupName="<display name of the group>"
Remove-MsolGroup -ObjectId (Get-MsolGroup | Where { $_.DisplayName -eq $groupName }).ObjectId
See also
Manage Microsoft 365 user accounts, licenses, and groups with PowerShell