How to Bulk Update Microsoft 365 Groups Owners with PowerShell

Microsoft 365 groups must always have at least one owner. This means you cannot create a new group without assigning an owner, whether you create it through the Microsoft Entra admin center or through Microsoft Graph PowerShell.

With the day-to-day challenges of user management, you may find yourself needing to change the owner of an existing group, or of many groups at once. In this post, I demonstrate how to add and remove group owners with PowerShell, and provide a script to replace the owners of every group in your organisation.

If you haven’t used Microsoft Graph PowerShell yet, check out the following resources:

View current group owners with Get-MgGroupOwner

To view the current owners of your target group, first get and store the group, then call Get-MgGroupOwner to return the directory object of each owner. By default this only shows each owner's object ID, so the example below loops through the owners and calls Get-MgUser to output the user details to your PowerShell session. Note that Get-MgUser requires the User.Read.All scope in addition to the group scopes, and that it will error for an owner that is a service principal rather than a user.

$group = Get-MgGroup -Filter "DisplayName eq 'GROUP_NAME'"
$owners = Get-MgGroupOwner -GroupId $group.Id
Foreach ($owner in $owners){
    # Each owner comes back as a bare directory object; look up the user record for readable output
    Get-MgUser -UserId $owner.Id | Select DisplayName, ID
}

Another way to display each owner meaningfully, without making a second call to Microsoft Graph, is to build a report from the information already returned in the $owners variable. The display name is present in each object's AdditionalProperties dictionary; it is simply not shown in the default output:

$OwnersList = [System.Collections.Generic.List[Object]]::new()
Foreach ($owner in $owners){
    $obj = [PSCustomObject][Ordered]@{  
         # displayName lives in AdditionalProperties because Get-MgGroupOwner returns generic directory objects
         "DisplayName"             = $owner.AdditionalProperties.displayName
         "ID"                      = $owner.Id
    }
    $OwnersList.Add($obj)
}
$OwnersList

Adding a new group owner

To add a new group owner to an existing group, use the New-MgGroupOwner cmdlet. The new owner is passed as a hashtable containing a single @odata.id key whose value is the Microsoft Graph URL of the user object; below I store it in the $owner variable. Replace OWNER_UPN with the user principal name of your target user (Graph also accepts the user's object ID in this URL).

$owner = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/OWNER_UPN"
}

You will also need the ID of the group you are trying to modify. The simplest way to get it is the Get-MgGroup cmdlet with a filter on DisplayName, like below. Replace GROUP_NAME with the name of your target group, and be aware that display names are not unique: if the filter returns more than one group, $group.Id becomes an array and the next step will fail, so check the result before continuing.

$group = Get-MgGroup -Filter "DisplayName eq 'GROUP_NAME'"

Once you have these two pieces of information, you are ready to add the new owner to your group.

New-MgGroupOwner -GroupId $group.Id -BodyParameter $owner

Removing an existing group owner

To remove an owner from an existing group, use the Remove-MgGroupOwnerByRef cmdlet. It removes one owner per call, so a loop lets you remove several or all of the owners of a target group. Keep in mind that a group must retain at least one owner, so the last remaining owner cannot be removed until a replacement has been added.

As before, start by storing the details of your target group so you can use them in the next step.

$group = Get-MgGroup -Filter "DisplayName eq 'GROUP_NAME'"

Then use one of the examples above to view and store the current group owners. For this example, the owners of the target group are saved in the $OwnersList variable. Because that variable holds all of the current owners in order, you can index into it with square brackets to select a specific entry, like below:

$OwnersList[0]   # first owner in the list
$OwnersList[1]   # second owner in the list

Use the output above to decide which owner you need to remove, then run the command below to remove that owner from the group (here, the second entry):

Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $OwnersList[1].Id
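Indexing into $OwnersList is fine when you are looking at one group interactively, but it is fragile in a script because an owner's position in the list is not stable. The function below is added here as an example and is not code from the original post. It removes an owner by user principal name instead: it resolves the group (insisting on exactly one match and escaping quotes so the name cannot break the OData filter), resolves the user, confirms the user actually is an owner, and refuses to remove the last remaining owner, which Microsoft Graph rejects anyway because a group must keep at least one owner. The function name and the group and user values in the usage lines are assumptions.

```powershell
function Remove-GroupOwnerByUpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $OwnerUpn
    )

    # A single quote in the display name would otherwise terminate the OData string literal
    $escapedName = $GroupName -replace "'", "''"

    # Display names are not unique, so insist on exactly one match before touching anything
    $groups = @(Get-MgGroup -Filter "DisplayName eq '$escapedName'" -Property Id,DisplayName)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Resolve the UPN to an object ID so it can be compared against the owner list
    $user = Get-MgUser -UserId $OwnerUpn -Property Id,DisplayName,UserPrincipalName -ErrorAction Stop

    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
    if ($owners.Id -notcontains $user.Id) {
        Write-Warning "$OwnerUpn is not an owner of '$GroupName'; nothing to do."
        return
    }
    if ($owners.Count -eq 1) {
        throw "$OwnerUpn is the only owner of '$GroupName'. Add a replacement owner first."
    }

    # -WhatIf / -Confirm are honoured here, so a dry run never calls Graph with a write
    if ($PSCmdlet.ShouldProcess($GroupName, "Remove owner $OwnerUpn")) {
        Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        Write-Verbose "Removed $OwnerUpn ($($user.Id)) from '$GroupName'."
    }
}

# Usage (assumed group name and UPN): preview with -WhatIf, then run for real
Remove-GroupOwnerByUpn -GroupName "Finance Team" -OwnerUpn "alice@contoso.com" -WhatIf
Remove-GroupOwnerByUpn -GroupName "Finance Team" -OwnerUpn "alice@contoso.com" -Verbose
```

The function needs Group.ReadWrite.All and User.Read.All in your Connect-MgGraph scopes. Because it compares object IDs rather than display names, it also behaves correctly when two owners share a display name.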

Adding and replacing multiple group owners

One limitation of the New-MgGroupOwner cmdlet is that the body of the request is a hashtable holding a single @odata.id reference to the owner's user object. Hashtable keys must be unique, and the underlying Graph request adds one reference per call, so you cannot pass several new owners in a single call.

For example, if you need to replace two existing group owners with two new owners on every group in your tenant, you define each new owner in its own hashtable and loop through the groups adding both. Once they are added, you can loop through the previously captured owners and remove them, which completes the replacement.

The script below implements this logic. Notice that it calls Get-MgGroupOwner to capture the existing owners as the first step, before adding the new ones, so the removal loop only touches the old owners. Because a group can never be left without an owner, the new owners must be added first and the old ones removed afterwards, in that order.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Replace OWNER1ID / OWNER2ID with the object ID of each new owner
$owner1 = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/OWNER1ID"
}
$owner2 = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/OWNER2ID"
}
# Same IDs again, used to make sure the new owners are never removed below
$newOwnerIds = @("OWNER1ID", "OWNER2ID")

$groups = Get-MgGroup -All

Foreach ($group in $groups){
    # Capture the existing owners BEFORE adding, so the removal loop only
    # touches the old owners and the group is never left without one
    $owners = $null
    $owners = Get-MgGroupOwner -GroupId $group.Id -All
    New-MgGroupOwner -GroupId $group.Id -BodyParameter $owner1
    New-MgGroupOwner -GroupId $group.Id -BodyParameter $owner2
    Foreach ($owner in $owners) {
        # Skip an old owner that is also a new owner; without this it would be removed again
        if ($newOwnerIds -contains $owner.Id) { continue }
        Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $owner.Id
    }
}
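The script above shows the core add-then-remove sequence, but it has sharp edges on a real tenant: Get-MgGroup -All also returns security and distribution groups, New-MgGroupOwner errors when the user is already an owner, and nothing records what changed. The function below is added here as an example and is not the author's script. It resolves the new owners by UPN up front, limits the run to Microsoft 365 (Unified) groups, only adds owners that are missing and only removes owners that are not in the target set (so it is safe to rerun), supports -WhatIf for a dry run, and returns one result object per group for an audit trail. It uses New-MgGroupOwnerByRef, the $ref form of the call used in the post, which accepts the same @odata.id hashtable. The function name, the sample UPNs and the CSV path are assumptions.

```powershell
function Set-M365GroupOwners {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UPNs (or object IDs) of the users who should be the only owners afterwards
        [Parameter(Mandatory)] [string[]] $NewOwnerUpn,
        # Default filter restricts the run to Microsoft 365 groups; narrow it further for a pilot
        [string] $Filter = "groupTypes/any(c:c eq 'Unified')"
    )

    # Resolve every target owner first: fail fast on a typo instead of halfway through the tenant
    $targets = foreach ($upn in $NewOwnerUpn) {
        Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop
    }
    $targetIds = @($targets.Id)

    $results = [System.Collections.Generic.List[Object]]::new()
    $groups = Get-MgGroup -All -Filter $Filter -Property Id,DisplayName

    foreach ($group in $groups) {
        $added = @(); $removed = @(); $status = "OK"
        try {
            # Owner IDs as they are now; empty pipeline gives an empty array, not @($null)
            $currentIds = @(Get-MgGroupOwner -GroupId $group.Id -All | Select-Object -ExpandProperty Id)

            # 1. Add first, so the group always keeps at least one owner
            foreach ($t in $targets) {
                if ($currentIds -contains $t.Id) { continue }   # already an owner: nothing to do
                if ($PSCmdlet.ShouldProcess($group.DisplayName, "Add owner $($t.UserPrincipalName)")) {
                    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
                        "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($t.Id)"
                    } -ErrorAction Stop
                }
                $added += $t.UserPrincipalName
            }

            # 2. Then remove only the owners that are not in the target set
            foreach ($id in $currentIds) {
                if ($targetIds -contains $id) { continue }      # one of the new owners: keep
                if ($PSCmdlet.ShouldProcess($group.DisplayName, "Remove owner $id")) {
                    Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $id -ErrorAction Stop
                }
                $removed += $id
            }
        }
        catch {
            # Record the failure for this group and carry on with the rest
            $status = "FAILED: $($_.Exception.Message)"
        }

        $results.Add([PSCustomObject]@{
            Group   = $group.DisplayName
            GroupId = $group.Id
            Added   = $added -join ";"
            Removed = $removed -join ";"
            Status  = $status
        })
    }
    return $results
}

# Usage (assumed UPNs and path): dry run first, then apply and keep the audit trail
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"
Set-M365GroupOwners -NewOwnerUpn "alice@contoso.com", "bob@contoso.com" -WhatIf
Set-M365GroupOwners -NewOwnerUpn "alice@contoso.com", "bob@contoso.com" |
    Export-Csv -Path .\owner-changes.csv -NoTypeInformation
```

Two things to check before running it for real. The target set is users only, so an existing owner that is a service principal will be removed like any other owner not in the set; add it to the exclusions if that is not what you want. And with -WhatIf the Added and Removed columns show what would have changed, not what did, because the write calls are skipped while the bookkeeping still runs.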

Wrapping up

There are many different complexities involved when adding, removing and replacing group owners on existing and active Microsoft 365 groups. The above example demonstrates the core functionality to perform these tasks, but they do not represent production-ready scripts. Always review someone else’s code and modify it to meet your own requirements.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
