Groups are essential to managing resources on any platform, and granting access to a group is far easier to maintain (and audit) than granting it to individual users. Today we’re going to cover how to create a group in Graph API using the Microsoft Graph PowerShell SDK for us IT Pros. This specifically goes over the usage of New-MgGroup and the various ways you can use it.
Requirements
In order to successfully create groups in Graph API, we need the right directory role and the right Graph permission scopes. Let’s touch a bit on what those are.
- User Administrator, Groups Administrator or Global Administrator Azure AD role (Groups Administrator is the narrowest of the three that covers everything in this article)
- Microsoft.Graph PowerShell SDK module (if not using the REST API directly)
- Graph API scopes (least privileged first):
- Delegated: Group.ReadWrite.All (Directory.ReadWrite.All also works, but it is far broader than group management needs)
- Application: Group.Create (create only), Group.ReadWrite.All, Directory.ReadWrite.All
Note that setting IsAssignableToRole to $true when creating a group is a separate, more privileged operation: it requires the Privileged Role Administrator (or Global Administrator) role and the RoleManagement.ReadWrite.Directory permission, and it cannot be changed after the group exists. None of the examples below do that.
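Before calling New-MgGroup it is worth confirming that the scope you asked for was actually consented, and whether you are running delegated or app-only, since some of the bindings later in this article only work with a signed-in user. The following is an added example, not code from the original article; it assumes the Microsoft.Graph.Authentication module is installed and that Group.ReadWrite.All is the only scope you need.

```powershell
# Added example: connect with only the scope group creation needs and verify
# it was granted before doing any work. Assumes Microsoft.Graph.Authentication
# is installed; Group.ReadWrite.All is sufficient for non-role-assignable groups.
Import-Module Microsoft.Graph.Authentication

$RequiredScopes = @('Group.ReadWrite.All')

# Least privilege: ask for Group.ReadWrite.All rather than Directory.ReadWrite.All.
Connect-MgGraph -Scopes $RequiredScopes -NoWelcome

$Ctx = Get-MgContext
if (-not $Ctx) { throw 'Not connected to Microsoft Graph.' }

# Consent can be partially denied by an admin; check each scope individually.
$Missing = @($RequiredScopes | Where-Object { $Ctx.Scopes -notcontains $_ })
if ($Missing.Count -gt 0) {
    throw "Consent was not granted for: $($Missing -join ', ')"
}

# AuthType is 'Delegated' for a signed-in user and 'AppOnly' for a client
# credential. The '/me' owner binding used later only resolves under Delegated.
if ($Ctx.AuthType -ne 'Delegated') {
    Write-Warning "Running app-only as $($Ctx.ClientId); do not use '/me' in odata.bind references."
}

"Connected as $($Ctx.Account) ($($Ctx.AuthType)) with scopes: $($Ctx.Scopes -join ', ')"
```

Run this once at the top of a session; everything that follows assumes the check passed.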
Create A Group in Graph API with New-MgGroup
When creating groups in Azure AD, 99% of the time I create security-enabled groups because I use them for providing access to specific resources. When I need to create groups with an email address, I use Distribution Lists (or mail-enabled security groups) in Exchange. Personally, I am not a fan of M365 (unified) groups but that’s a topic for another day.
Let’s dig into the code for creating a security group in Azure AD using Graph API. The group below has no owner and no members yet; note that Graph still requires a MailNickname even though the group is not mail-enabled, which is why a short random value is generated for it.
```powershell
$GroupParam = @{
    DisplayName        = "SG-SecurityNoOwnerNoMember"
    GroupTypes         = @()          # empty = plain (assigned) security group
    SecurityEnabled    = $true
    IsAssignableToRole = $false       # cannot be changed after creation
    MailEnabled        = $false
    MailNickname       = (New-Guid).Guid.Substring(0,10)   # required even when MailEnabled is $false
}
New-MgGroup -BodyParameter $GroupParam
```
Create A Security Group with an Owner
We got the basics of creating a security group by using the PowerShell SDK and Graph API, but let’s add on to this by adding an owner to the group. You can add a service principal or a user account as an owner, and you can bind them in the same request that creates the group using the owners@odata.bind property.
If you want to add a service principal, you’ll need to know its object id (the id of the service principal, not the application id) so we can bind it to the parameters. If you’re looking to add a user, you can use the UserPrincipalName or the user’s object id. The https://graph.microsoft.com/v1.0/me reference binds the signed-in user, so it only works with delegated authentication; with an application token there is no signed-in user and that entry will fail. Let’s do this now.
```powershell
$GroupParam = @{
    DisplayName        = "SG-SecurityGroupWithOwner"
    GroupTypes         = @()
    SecurityEnabled    = $true
    IsAssignableToRole = $false
    MailEnabled        = $false
    MailNickname       = (New-Guid).Guid.Substring(0,10)
    # Bind owners at creation time. Each entry is the Graph URL of a user or a
    # service principal. The UPN and the ids below are placeholders.
    "owners@odata.bind" = @(
        "https://graph.microsoft.com/v1.0/me",
        "https://graph.microsoft.com/v1.0/users/user@contoso.com",
        "https://graph.microsoft.com/v1.0/users/647e9c5e-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "https://graph.microsoft.com/v1.0/servicePrincipals/50ded543-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    )
}
New-MgGroup -BodyParameter $GroupParam
```
Create A Group with an Owner and Members
Next up, let’s create a group with owners and a couple of members. Members are bound the same way as owners, through members@odata.bind. The UPN below is a placeholder.
```powershell
$GroupParam = @{
    DisplayName        = "SG-SecurityGroupWithOwnerAndMembers"
    GroupTypes         = @()
    SecurityEnabled    = $true
    IsAssignableToRole = $false
    MailEnabled        = $false
    MailNickname       = (New-Guid).Guid.Substring(0,10)
    "owners@odata.bind" = @(
        "https://graph.microsoft.com/v1.0/me",
        "https://graph.microsoft.com/v1.0/users/user@contoso.com"
    )
    "members@odata.bind" = @(
        "https://graph.microsoft.com/v1.0/me",
        "https://graph.microsoft.com/v1.0/users/user@contoso.com"
    )
}
New-MgGroup -BodyParameter $GroupParam
```
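The three snippets above fire the request and trust that it did what you asked. In practice a typo in a UPN fails the whole create, Graph happily lets you create a second group with the same display name, and the owners and members actually attached are worth reading back. The function below is an added example, not code from the original article, that wraps the same New-MgGroup call with those checks. It assumes a delegated connection with Group.ReadWrite.All and the Microsoft.Graph.Groups and Microsoft.Graph.Users modules; the function name and the UPNs in the usage line are made up for the example.

```powershell
# Added example: create a security group with owners and members bound at
# creation, after resolving every UPN to an object id and refusing duplicate
# display names; then read the result back and confirm each binding landed.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

function New-VerifiedSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$OwnerUpns  = @(),
        [string[]]$MemberUpns = @()
    )

    # Graph allows several groups with the same displayName; that is how
    # look-alike groups end up holding access. Refuse to create a second one.
    $Escaped  = $DisplayName -replace "'", "''"    # OData string literal escaping
    $Existing = @(Get-MgGroup -Filter "displayName eq '$Escaped'" -Property Id,DisplayName)
    if ($Existing.Count -gt 0) {
        throw "A group named '$DisplayName' already exists: $($Existing.Id -join ', ')"
    }

    # Resolve UPNs to object ids up front so a bad UPN fails here with a clear
    # error, and so the bindings below are ids the read-back can compare against.
    $OwnerIds  = @(foreach ($u in $OwnerUpns)  { (Get-MgUser -UserId $u -Property Id).Id })
    $MemberIds = @(foreach ($u in $MemberUpns) { (Get-MgUser -UserId $u -Property Id).Id })

    # Graph accepts at most 20 owner and 20 member bindings in a create request.
    if ($OwnerIds.Count -gt 20 -or $MemberIds.Count -gt 20) {
        throw 'Bind at most 20 owners and 20 members at creation; add the rest afterwards.'
    }

    $Body = @{
        DisplayName        = $DisplayName
        GroupTypes         = @()
        SecurityEnabled    = $true
        IsAssignableToRole = $false
        MailEnabled        = $false
        MailNickname       = (New-Guid).Guid.Substring(0,10)
    }
    if ($OwnerIds.Count -gt 0) {
        $Body['owners@odata.bind']  = @($OwnerIds  | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$_" })
    }
    if ($MemberIds.Count -gt 0) {
        $Body['members@odata.bind'] = @($MemberIds | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$_" })
    }

    $Group = New-MgGroup -BodyParameter $Body

    # Verify by reading back rather than trusting the request body.
    $ActualOwners  = @(Get-MgGroupOwner  -GroupId $Group.Id -All).Id
    $ActualMembers = @(Get-MgGroupMember -GroupId $Group.Id -All).Id
    foreach ($id in $OwnerIds)  { if ($ActualOwners  -notcontains $id) { Write-Warning "Owner $id is not on group $($Group.Id)" } }
    foreach ($id in $MemberIds) { if ($ActualMembers -notcontains $id) { Write-Warning "Member $id is not on group $($Group.Id)" } }

    [pscustomobject]@{
        GroupId     = $Group.Id
        DisplayName = $Group.DisplayName
        Owners      = $ActualOwners
        Members     = $ActualMembers
    }
}

# Usage with placeholder UPNs.
New-VerifiedSecurityGroup -DisplayName 'SG-AppX-Readers' `
    -OwnerUpns  'owner@contoso.com' `
    -MemberUpns 'alice@contoso.com', 'bob@contoso.com'
```

Because the bindings use object ids, the read-back comparison is exact; binding by UPN would also work, but then you would have to resolve each UPN anyway to compare against what Get-MgGroupOwner returns.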
Create A Dynamic Security Group with Membership Rules
Last and certainly not least, let’s get started with creating dynamic groups that add members matching specific criteria. Dynamic membership requires an Azure AD Premium P1 license, and you cannot mix it with assigned members: the rule is the only source of membership. In my case, I am just going to add a statement where the account is enabled and the UPN is mine (the UPN below is a placeholder).
```powershell
$GroupParam = @{
    DisplayName                   = "SG-DynamicSecurityGroup"
    GroupTypes                    = @('DynamicMembership')   # makes the group rule-driven
    SecurityEnabled               = $true
    IsAssignableToRole            = $false
    MailEnabled                   = $false
    MembershipRuleProcessingState = 'On'                     # 'Paused' stops evaluation
    MembershipRule                = '(user.accountEnabled -eq true) and (user.userPrincipalName -eq "user@contoso.com")'
    MailNickname                  = (New-Guid).Guid.Substring(0,10)
    "owners@odata.bind" = @(
        "https://graph.microsoft.com/v1.0/me"
    )
}
New-MgGroup -BodyParameter $GroupParam
```
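A dynamic rule is a standing grant: if the rule is broader than intended, every matching account gets whatever the group is used for, and nobody has to approve it. The function below is an added example, not code from the original article, that creates the same kind of dynamic security group, checks the stored rule against the one submitted, and pauses rule processing if the evaluated membership is larger than you expected. It assumes a delegated connection with Group.ReadWrite.All, the Microsoft.Graph.Groups module, and a P1-licensed tenant; the function name, the member threshold and the UPN are made up for the example.

```powershell
# Added example: create a dynamic security group with a sanity guard on the
# resulting membership. Assumes Microsoft.Graph.Groups and Group.ReadWrite.All.
Import-Module Microsoft.Graph.Groups

function New-GuardedDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule,
        [int]$MaxExpectedMembers = 50,   # made-up threshold for this example
        [int]$SettleSeconds = 120        # rule evaluation is asynchronous
    )

    # Graph rejects membership rules longer than 3072 characters; fail early.
    if ($MembershipRule.Length -gt 3072) {
        throw "Membership rule is $($MembershipRule.Length) characters; the limit is 3072."
    }

    $Body = @{
        DisplayName                   = $DisplayName
        GroupTypes                    = @('DynamicMembership')
        SecurityEnabled               = $true
        IsAssignableToRole            = $false
        MailEnabled                   = $false
        MailNickname                  = (New-Guid).Guid.Substring(0,10)
        MembershipRule                = $MembershipRule
        MembershipRuleProcessingState = 'On'
    }
    $Group = New-MgGroup -BodyParameter $Body

    # Read the rule back: what the service stored is what will be evaluated.
    $Stored = Get-MgGroup -GroupId $Group.Id -Property Id,MembershipRule,MembershipRuleProcessingState
    if ($Stored.MembershipRule -ne $MembershipRule) {
        Write-Warning "Stored rule differs from the submitted rule: $($Stored.MembershipRule)"
    }

    # Give the service time to evaluate the rule, then count what it pulled in.
    Start-Sleep -Seconds $SettleSeconds
    $Members = @(Get-MgGroupMember -GroupId $Group.Id -All)

    if ($Members.Count -gt $MaxExpectedMembers) {
        # Pausing stops further evaluation; it does not remove members already
        # added, so review the membership and fix the rule before resuming.
        Update-MgGroup -GroupId $Group.Id -MembershipRuleProcessingState 'Paused'
        Write-Warning "Rule matched $($Members.Count) accounts (expected at most $MaxExpectedMembers); processing paused on $($Group.Id)."
    }

    [pscustomobject]@{
        GroupId     = $Group.Id
        Rule        = $Stored.MembershipRule
        MemberCount = $Members.Count
        Processing  = (Get-MgGroup -GroupId $Group.Id -Property MembershipRuleProcessingState).MembershipRuleProcessingState
    }
}

# Usage: the article's rule with a placeholder UPN; a single-UPN rule should
# never match more than one account, so the threshold is 1.
New-GuardedDynamicGroup -DisplayName 'SG-DynamicSecurityGroup' `
    -MembershipRule '(user.accountEnabled -eq true) and (user.userPrincipalName -eq "user@contoso.com")' `
    -MaxExpectedMembers 1
```

Prefer rules keyed on attributes that users cannot edit about themselves; a rule on a self-service-editable attribute lets the user decide whether they are in the group.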
Conclusion
Hopefully this article was able to show you how to create a group in Graph API using the New-MgGroup cmdlet that comes with the Microsoft.Graph PowerShell SDK.