Active Directory groups, in general, are one of the best ways to maintain access to a given resource. This has been one of the most fundamental concepts since the beginning of time, and now that people are getting more and more involved in cloud environments, it is worth familiarizing yourself with how to add users to an Azure AD group.
Table Of Contents
Today we’re going to discuss several methods of getting our users added to groups. Generally they’ll look like this.
- Adding Members in the Azure Portal
- Adding Users to a Group
- Using the group to add additional members
- Adding Members using Powershell
It might seem a little nonsensical, but in the Azure Portal (GUI) you can accomplish this goal from the user object as well as the group object. Also, with anything Azure Active Directory related, let’s go over the requirements and permissions needed.
Requirements and Permissions
As mentioned, there are permissions required to successfully accomplish this task.
- User Administrator or Global Administrator Azure AD role
- If you’re using an administrative unit, group administrator is required for managing groups
- The AzureAD or AzureADPreview Powershell module (for the Powershell portion)
Add Users To An Azure AD Group in Azure Portal
This method is pretty straightforward. Assuming you have the permissions listed above, you can simply follow these steps.
- Navigate to https://portal.azure.com -> Azure Active Directory -> Users
- Search for the user you want to add
- Select Groups -> Add Memberships
Using A Group to Add Additional Members in Azure Portal
Similar to above where you want to add a user to a group through the user object, you can add the member to the group object. Here’s how:
- Navigate to https://portal.azure.com -> Azure Active Directory -> Groups
- Search for the group you want to update
- Select Members -> Add Memberships
Add Users To An Azure AD Group Using Powershell
When you want to scale your operations or just make adding group members faster through the CLI, you can easily accomplish this via Powershell. Let’s take a look at a code snippet to add our user, Buzz Lightyear, to the SG – FakeGroup AAD group.
```powershell
# Get the ObjectId for Buzz using the Get-AzureADUser cmdlet.
PS C:\> Get-AzureADUser -ObjectId [email protected]

ObjectId                             DisplayName    UserPrincipalName UserType
--------                             -----------    ----------------- --------
647e9c5e-4498-47b7-a85b-75a5e53cbf89 Buzz Lightyear [email protected]  Member

# Get the ObjectId for SG - FakeGroup using the Get-AzureADGroup cmdlet and a search string.
# Personally, I would get the group ObjectId from the portal instead, since multiple groups
# can have the same DisplayName.
PS C:\> Get-AzureADGroup -SearchString 'SG - FakeGroup'

ObjectId                             DisplayName    Description
--------                             -----------    -----------
51fb0824-5318-448c-8de6-ffc06c192b0d SG - FakeGroup A group thats not real

# Use Add-AzureADGroupMember with -ObjectId set to the group's ObjectId
# and -RefObjectId set to the user's ObjectId.
PS C:\> Add-AzureADGroupMember -ObjectId 51fb0824-5318-448c-8de6-ffc06c192b0d -RefObjectId 647e9c5e-4498-47b7-a85b-75a5e53cbf89
```
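The same steps extended to a list of users, as an added example that is not part of the original article. It assumes a hypothetical file `users.txt` with one UserPrincipalName per line and reuses the sample group ObjectId shown above; it resolves the group by ObjectId, skips users who are already members, and prints a per-user result you can keep as a record of the access change.

```powershell
# Added example: bulk-add users to one Azure AD group with the AzureAD module.
# Assumptions: users.txt (hypothetical) holds one UserPrincipalName per line;
# the default group ObjectId is the sample value from the article's output.
param(
    [string]$GroupObjectId = '51fb0824-5318-448c-8de6-ffc06c192b0d',
    [string]$UserListPath  = '.\users.txt'
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null   # interactive sign-in; needs a role listed under Requirements

# Resolve the group by ObjectId, not DisplayName, so the target is unambiguous.
$group = Get-AzureADGroup -ObjectId $GroupObjectId -ErrorAction Stop

# Cache current members so re-runs do not fail on users already in the group.
$existing = @{}
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    ForEach-Object { $existing[$_.ObjectId] = $true }

$results = foreach ($upn in Get-Content -Path $UserListPath) {
    $upn = $upn.Trim()
    if (-not $upn) { continue }          # skip blank lines

    $status = 'Added'
    try {
        # Get-AzureADUser -ObjectId accepts either a UPN or an ObjectId.
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
        if ($existing.ContainsKey($user.ObjectId)) {
            $status = 'AlreadyMember'
        } else {
            # -RefObjectId must be the user's ObjectId (GUID), not the UPN.
            Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId -ErrorAction Stop
            $existing[$user.ObjectId] = $true
        }
    } catch {
        # Record the failure (unknown user, insufficient privileges, ...) and continue.
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ User = $upn; Group = $group.DisplayName; Status = $status }
}

# Review the per-user outcome before treating the change as complete.
$results | Format-Table -AutoSize
```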
Conclusion
Hopefully, this article was elaborate enough to show you how to add users to an Azure AD group using Powershell or using the Azure Portal (GUI). For me personally, since I’m a CLI type of guy, I always prefer to use Powershell over the GUI because it’s so much more convenient.
I got error: Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
But how would you do this for multiple users?
I did the following, check this snippet: https://pastebin.com/aHw85b3R
First I set the variable for $users to get the username from this text file.
Then I want to add those users to the group with Add-AzureADGroupMember.
But it doesn’t work and I get the following error:
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
That is a nice article. Would like to see more of this. A small inquiry, did you copy and paste the 2 object id values in the last cmdlet or is there any other way to get those values there? Using variables could be an option but wondering what you prefer to use in these cases. Thanks in advance.