OFFICE 365: SECURITY GROUPS MANAGEMENT USING POWERSHELL
Security Groups are a crucial part of any system because they define the authorization that users have on the resources they request access to. They also let us set permission boundaries for a whole set of users at once, so it is important to streamline the process of managing them.
These management activities become repetitive and tedious, however, when the same steps have to be repeated again and again over time.
Thankfully, we can automate these repetitive tasks with PowerShell scripts that read their input values from CSV or text files and perform the necessary actions.
In this article, we will discuss the automation scripts required for managing Security Groups in Office 365 using PowerShell.
If you want to follow along, the prerequisites for this article are:
- Having an O365 Account created
- PowerShell for Office 365 configured
If the above prerequisites are not met, I recommend reading one of my earlier articles, “Office 365: How to Configure PowerShell for O365”, for the steps to install them.
Let's log in to the O365 account and visit the Admin Center
https://howtodowithsharepoint.files.wordpress.com/2015/12/119.png?w=800
Navigate to Admin Center by clicking the “Admin” Tile on the Application Dashboard as shown below
https://howtodowithsharepoint.files.wordpress.com/2015/12/210.png?w=800
In the upcoming sections, we will look at the PowerShell commands for each of the management tasks
How to Add new Security Groups
Navigate to Admin Center => Groups
In my case there are no security groups present at first, since this is a new O365 account
https://howtodowithsharepoint.files.wordpress.com/2015/12/35.png?w=800
Run the “New-MsolGroup” command, where “DisplayName” specifies the name of the Security Group and “Description” specifies the description for the group, as shown below
New-MsolGroup -DisplayName "Test Security Group" -Description "This is created for testing."
https://howtodowithsharepoint.files.wordpress.com/2015/12/45.png?w=800
Once the command has executed successfully, navigate to Admin Center => Groups to verify that the new group has been added.
It is worth noting that the “Default Group Type” for any group added using the above command will be “Security”
https://howtodowithsharepoint.files.wordpress.com/2015/12/55.png?w=800
How to export all Security Groups
We can export all the Security Groups from the O365 account by using the “Get-MsolGroup” command as shown below
Get-MsolGroup
https://howtodowithsharepoint.files.wordpress.com/2015/12/65.png?w=800
Once the command has executed successfully, we can see the details of all the available Security Groups in the host window. Alternatively, we can export the results to a text file by piping them to the “Out-File” command.
How to export all Security Groups filtered by Group Properties
We can export a filtered set of Security Groups from the O365 account based on any property of the group. In the following example, I am using the “DisplayName” property to filter the results as shown below
Get-MsolGroup | Where-Object {$_.DisplayName -eq "Test Security Group"}
https://howtodowithsharepoint.files.wordpress.com/2015/12/75.png?w=800
Once the command has executed successfully, we can see the details of the specific Security Groups matching the filter criteria
How to export all Security Groups filtered by Group Type
We can also export Security Groups based on their type by using “GroupType”. In the following example, we filter for all groups of type “Security” in the O365 account.
Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
https://howtodowithsharepoint.files.wordpress.com/2015/12/85.png?w=800
Once the command has executed successfully, we can see the details of all the Security Groups of type “Security” with DisplayName = “Test Security Group”
How to Add Users to Security Groups
Run the following commands to check the existing members of the Security Group
$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId
https://howtodowithsharepoint.files.wordpress.com/2015/12/95.png?w=800
Once the command has executed successfully, we get the list of users already added to the group
We can see the same information by editing the group in the browser as shown below:
https://howtodowithsharepoint.files.wordpress.com/2015/12/105.png?w=800
https://howtodowithsharepoint.files.wordpress.com/2015/12/1110.png?w=800
We can add new members to the Security Group by using the following commands
Create an object for the required Security Group
$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
Create an object for the member, identified by the “UserPrincipalName” parameter, that needs to be added to the group
$member = Get-MsolUser -UserPrincipalName spdev001@spdevs001.onmicrosoft.com
Then use the following command to add the member to the group by specifying the Group Object ID and the Member Object ID
Add-MsolGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType "User" -GroupMemberObjectId $member.ObjectId
https://howtodowithsharepoint.files.wordpress.com/2015/12/125.png?w=800
Once the command has executed successfully, the new member has been added to the group.
We can verify the result of the operation by using the following PowerShell commands
$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId
https://howtodowithsharepoint.files.wordpress.com/2015/12/135.png?w=800
We can also verify the result of the operation in the browser as shown below
https://howtodowithsharepoint.files.wordpress.com/2015/12/145.png?w=800
https://howtodowithsharepoint.files.wordpress.com/2015/12/155.png?w=800
How to remove Users from Security Groups
We can remove users from a specific security group by using the following set of commands
Create an object for the group from which the user needs to be removed
$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
Create an object for the member that needs to be removed from the group
$member = Get-MsolUser -UserPrincipalName spdev001@spdevs001.onmicrosoft.com
Then we can use the “Remove-MsolGroupMember” command to remove the member identified by the “GroupMemberObjectId” parameter from the group identified by the “GroupObjectId” parameter as shown below
Remove-MsolGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType User -GroupMemberObjectId $member.ObjectId
https://howtodowithsharepoint.files.wordpress.com/2015/12/165.png?w=800
Once the command has executed successfully, the member is removed from the Security Group in question.
Now we can verify the removal by using the following PowerShell commands
$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId
https://howtodowithsharepoint.files.wordpress.com/2015/12/174.png?w=800
Or we can verify the same in the browser by editing the Security Group as shown below
https://howtodowithsharepoint.files.wordpress.com/2015/12/184.png?w=800
https://howtodowithsharepoint.files.wordpress.com/2015/12/194.png?w=800
How to Remove Security Groups
We can use the following commands to remove a Security Group
Create an object for the respective group
$securityGroup = Get-MsolGroup -GroupType "Security" | Where-Object {$_.DisplayName -eq "Test Security Group"}
Execute the “Remove-MsolGroup” command to remove the group identified by the “ObjectId” parameter as shown below
Remove-MsolGroup -ObjectId $securityGroup.ObjectId
On execution, this command asks you to confirm the delete action
Enter “Y” to continue or “N” to cancel
https://howtodowithsharepoint.files.wordpress.com/2015/12/204.png?w=800
https://howtodowithsharepoint.files.wordpress.com/2015/12/214.png?w=800
Once the command has executed successfully, we can go back to the Groups section in Admin Center to verify the delete action
https://howtodowithsharepoint.files.wordpress.com/2015/12/224.png?w=800
All of the above tasks can be automated by using CSV files as the source of input for the respective actions.
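One way to drive the add and remove steps from a CSV file, as an added example that is not part of the original article. The function name Invoke-GroupMembershipBatch and the CSV columns Action, GroupName and UserPrincipalName are assumptions of this example, and it assumes the session is already connected to O365 as described in the prerequisites.

```powershell
# Added example, not the article's code. Assumes Connect-MsolService has already run.
# The CSV columns Action, GroupName and UserPrincipalName are this example's own choice.
function Invoke-GroupMembershipBatch {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [switch] $DryRun    # report the planned change without calling Add/Remove
    )
    # -All lifts the default result cap so large tenants are searched completely.
    $allGroups = @(Get-MsolGroup -All -GroupType Security)
    foreach ($row in $Rows) {
        try {
            # DisplayName is not unique, so insist on exactly one matching group.
            $match = @($allGroups | Where-Object { $_.DisplayName -eq $row.GroupName })
            if ($match.Count -ne 1) { throw "expected 1 group, found $($match.Count)" }
            $groupId = $match[0].ObjectId
            $user = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction Stop
            $isMember = @(Get-MsolGroupMember -GroupObjectId $groupId -All |
                Where-Object { $_.ObjectId -eq $user.ObjectId }).Count -gt 0
            $ids = @{ GroupObjectId = $groupId; GroupMemberType = 'User'
                      GroupMemberObjectId = $user.ObjectId; ErrorAction = 'Stop' }
            $status = switch ($row.Action) {
                'Add' {
                    if ($isMember) { 'AlreadyMember' } elseif ($DryRun) { 'WouldAdd' }
                    else { Add-MsolGroupMember @ids; 'Added' }
                }
                'Remove' {
                    if (-not $isMember) { 'NotAMember' } elseif ($DryRun) { 'WouldRemove' }
                    else { Remove-MsolGroupMember @ids; 'Removed' }
                }
                default { throw "unsupported action '$($row.Action)'" }
            }
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        # One result object per row gives an audit trail of what was changed.
        [pscustomobject]@{
            Action = $row.Action; Group = $row.GroupName
            User = $row.UserPrincipalName; Status = $status
        }
    }
}

# Constructed sample input; in practice use Import-Csv on a reviewed file.
$rows = @'
Action,GroupName,UserPrincipalName
Add,Test Security Group,spdev001@spdevs001.onmicrosoft.com
Remove,Test Security Group,spdev001@spdevs001.onmicrosoft.com
'@ | ConvertFrom-Csv
Invoke-GroupMembershipBatch -Rows $rows -DryRun | Format-Table -AutoSize
```

Run it with -DryRun first and review the Status column, then rerun without the switch and pipe the output to Export-Csv to keep a record of the membership changes.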
Hope you find it helpful.