create group graph api REST API Archives - the Sysadmin Channel https://thesysadminchannel.com/tag/create-group-graph-api-rest-api/ Documenting My Life as a System Administrator Mon, 12 Dec 2022 18:08:54 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.3 144174110 New-MgGroup: Create A Group in Graph API https://thesysadminchannel.com/new-mggroup-create-a-group-in-graph-api/ https://thesysadminchannel.com/new-mggroup-create-a-group-in-graph-api/#respond Mon, 12 Dec 2022 18:08:54 +0000 https://thesysadminchannel.com/?p=4518 Groups are essential to the management of resources in any platform and it’s helpful to use them instead of using individual users. Today we’re going to cover how to create a group in Graph API using the PowerShell SDK for… Continue Reading

The post New-MgGroup: Create A Group in Graph API appeared first on the Sysadmin Channel.

]]> Groups are essential to the management of resources in any platform and it’s helpful to use them instead of using individual users. Today we’re going to cover how to create a group in Graph API using the PowerShell SDK for us IT Pros. This specifically goes over the usage of New-MgGroup and the various ways you can use it.

Requirements

In order to successfully create groups in Graph API, we’ll need to ensure we have the right permissions needed. Let’s touch a bit on what those might be.

  • User Administrator, Groups Administrator or Global Administrator Azure AD Role(s)
  • Microsoft.Graph PowerShell SDK Module (if not using the REST API)
  • Graph API Scopes:
    • Delegated: Group.ReadWrite.All, Directory.ReadWrite.All
    • Application: Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All

Create A Group in Graph API with New-MgGroup

When creating groups in Azure AD, 99% of the time I create security enabled groups because I use them for providing access to specific resources. When I need to create groups with an email address, I use Distribution Lists (or Mail-enabled Security groups) in Exchange. Personally, I am not a fan of M365 (unified groups) but that’s a topic for another day.
 

Let’s dig into the code for creating a security group in Azure AD using Graph API.

$GroupParam = @{
     DisplayName = "SG-SecurityNoOwnerNoMember"
     GroupTypes = @(
     )
     SecurityEnabled     = $true
     IsAssignableToRole  = $false
     MailEnabled         = $false
     MailNickname        = (New-Guid).Guid.Substring(0,10)
}

New-MgGroup -BodyParameter $GroupParam

SG-SecurityNoOwnerNoMember

SG-SecurityNoOwnerNoMemberProperties

Create A Security Group with an Owner

We got the basics of creating a security group by using the PowerShell SDK and Graph API, but let’s add on to this by adding an owner to the group. You can add a Service Principal or a user account as an owner.
 

If you want to add a Service Principal, you’ll need to know the Service Principal Id so we can bind it to the parameters. If you’re looking to add a user, you can use the UserPrincipalName, or UserId. Let’s do this now.

$GroupParam = @{
     DisplayName = "SG-SecurityGroupWithOwner"
     GroupTypes = @(
     )
     SecurityEnabled     = $true
     IsAssignableToRole  = $false
     MailEnabled         = $false
     MailNickname        = (New-Guid).Guid.Substring(0,10)
     "Owners@odata.bind" = @(
         "https://graph.microsoft.com/v1.0/me",
         "https://graph.microsoft.com/v1.0/users/luke@thesysadminchannel.com",
         "https://graph.microsoft.com/v1.0/users/647e9c5e-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
         "https://graph.microsoft.com/v1.0/servicePrincipals/50ded543-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     )
}
PS C:\> New-MgGroup -BodyParameter $GroupParam

SG-SecurityGroupwithOwner

SG-SecurityGroupwithOwnerProperties

Create A Group with an Owner and Members

Next up, let’s create a group with owners and a couple of members.

$GroupParam = @{
     DisplayName = "SG-SecurityGroupWithOwnerAndMembers"
     GroupTypes = @(
     )
     SecurityEnabled     = $true
     IsAssignableToRole  = $false
     MailEnabled         = $false
     MailNickname        = (New-Guid).Guid.Substring(0,10)
     "Owners@odata.bind" = @(
         "https://graph.microsoft.com/v1.0/me",
         "https://graph.microsoft.com/v1.0/users/luke@thesysadminchannel.com"
     )
     "Members@odata.bind" = @(
         "https://graph.microsoft.com/v1.0/me",
         "https://graph.microsoft.com/v1.0/users/buzz@thesysadminchannel.com"
     )
 }
New-MgGroup -BodyParameter $GroupParam

SG-SecurityGroupwithOwnerAndMembers

SG-SecurityGroupwithOwnerAndMembersProperties

Create A Dynamic Security Group with Membership Rules

Last and certainly not least, let’s get started with creating dynamic groups to add members with specific criteria. In my case, I am just going to add a statement where the account is enabled and the UPN is mine.

$GroupParam = @{
     DisplayName = "SG-DynamicSecurityGroup"
     GroupTypes = @(
         'DynamicMembership'
     )
     SecurityEnabled     = $true
     IsAssignableToRole  = $false
     MailEnabled         = $false
     membershipRuleProcessingState = 'On'
     MembershipRule = '(user.accountEnabled -eq true) and (user.userPrincipalName -eq "paul@thesysadminchannel.com")'
     MailNickname        = (New-Guid).Guid.Substring(0,10)
     "Owners@odata.bind" = @(
         "https://graph.microsoft.com/v1.0/me"
     )
 }

New-MgGroup -BodyParameter $GroupParam

SG-DynamicSecurityGroup

SG-DynamicSecurityGroupProperties

Conclusion

Hopefully this article was able to show you how to create a group in Graph API using the New-MgGroup cmdlet that comes with the Microsoft.Graph PowerShell SDK.

The post New-MgGroup: Create A Group in Graph API appeared first on the Sysadmin Channel.

]]> https://thesysadminchannel.com/new-mggroup-create-a-group-in-graph-api/feed/ 0 4518