Adding users to groups in Microsoft 365 or Microsoft Entra is a common need during the creation of new users and general ongoing support. While this is a simple task done through the web admin centres, there is still a need to fulfil this task programmatically using Microsoft Graph PowerShell for simplicity and automation purposes.
In this tutorial, I will show you how you can add single or multiple users to a group using Microsoft Graph PowerShell.
About the New-MgGroupMember cmdlet
The New-MgGroupMember cmdlet allows you to add a single user to a specific group, whether that be a security group, distribution group or Microsoft 365 group. As you can only add a single user at a time, a loop can be used to add multiple users in a single command or script.
New-MgGroupMember belongs to the Microsoft.Graph.Groups module in Microsoft Graph PowerShell. This module can be manually installed with the following command:
Install-Module Microsoft.Graph.Groups
There is also a minimum level of permissions required to add users to groups. The following permissions must be consented to:
- GroupMember.ReadWrite.All
- User.ReadWrite.All
To connect to Microsoft Graph PowerShell with the above permissions, you can use the following command and log in with a Global Administrator user:
Connect-MgGraph -Scopes GroupMember.ReadWrite.All, User.ReadWrite.All
Once you are connected to Microsoft Graph PowerShell, you can proceed with adding users to groups.
Add a single user to a group with Microsoft Graph PowerShell
As with many Microsoft Graph PowerShell cmdlets, one of the quirks with the New-MgGroupMember cmdlet is that instead of using the unique name (or username) of the group or user, it requires you to enter the directory ObjectID instead, which is less user friendly.
The ObjectID for both the user and group can be easily found using the -Search parameter in Microsoft Graph PowerShell.
I go into more detail on the -Search parameter in my blog, How To Use Get-MgUser with Microsoft Graph PowerShell
Start by using the following command to store the directory object for both the target group and target user:
$group = Get-MgGroup -Search '"DisplayName:GroupName"' -ConsistencyLevel eventual
$user = Get-MgUser -Search '"DisplayName:UserDisplayName"' -ConsistencyLevel eventual
Then to add the user to the target group, use the New-MgGroupMember cmdlet and reference the ObjectID for both the user and group:
New-MgGroupMember -GroupId $group.id -DirectoryObjectId $user.id
Add multiple users to a group
The easiest way to add multiple users to a group is to use a PowerShell loop to cycle through a set of users, while running the New-MgGroupMember cmdlet.
For more details on how to use loops with PowerShell, check out my detailed blog: How to Use a Powershell Foreach Loop With Examples.
To start, we will use code similar to the last example, but this time we will use the -Filter parameter with the Get-MgUser cmdlet to retrieve the list of users we want to target.
$group = Get-MgGroup -Search '"DisplayName:Test2"' -ConsistencyLevel eventual
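# endsWith is an advanced query: it needs -CountVariable as well as -ConsistencyLevel eventual; -All returns every page of results
$users = Get-MgUser -Filter "endsWith(mail,'ourcloudnetwork.com')" -ConsistencyLevel eventual -CountVariable userCount -All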
Now that the $users variable contains an array of users, we can loop through the users as follows:
foreach ($user in $users) {
    Write-Host "Adding user $($user.DisplayName) ..." -ForegroundColor Cyan
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}
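The loop above assumes that -Search returned exactly one group and that none of the users are already members. The following is an added example, not code from the original tutorial, that checks both before changing membership and records the outcome for each user. It assumes an existing Connect-MgGraph session with the scopes listed earlier; the $groupName, $groupId, $existing and $results variables are illustrative names.

```powershell
# Added example: guarded, repeatable bulk add. 'Test2' and the mail domain are
# the sample values used in this tutorial.
$groupName = 'Test2'

# -Search can return more than one group, so keep only the exact display name
# and stop unless there is a single match.
$group = @(Get-MgGroup -Search "`"DisplayName:$groupName`"" -ConsistencyLevel eventual |
    Where-Object { $_.DisplayName -eq $groupName })
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($group.Count)."
}
$groupId = $group[0].Id

# endsWith is an advanced query: it needs -ConsistencyLevel eventual and a count variable.
$users = Get-MgUser -Filter "endsWith(mail,'ourcloudnetwork.com')" `
    -ConsistencyLevel eventual -CountVariable userCount -All

# Collect current member IDs so existing members are skipped instead of raising errors.
$existing = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-MgGroupMember -GroupId $groupId -All | ForEach-Object { [void]$existing.Add($_.Id) }

$results = foreach ($user in $users) {
    $status = 'Added'
    if ($existing.Contains($user.Id)) {
        $status = 'AlreadyMember'
    }
    else {
        try {
            New-MgGroupMember -GroupId $groupId -DirectoryObjectId $user.Id -ErrorAction Stop
        }
        catch {
            # Record the failure and continue with the remaining users.
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ User = $user.UserPrincipalName; UserId = $user.Id; Status = $status }
}

# Review the outcome; export it if a record of the membership change is needed.
$results | Format-Table -AutoSize
```

Because group membership often grants access, keeping the $results output alongside the change request gives a record of exactly which accounts were added.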