Group helpers
Requires EXO (for DGs/role groups) and Microsoft Graph for M365 groups where applicable. For complete, up-to-date info, run Get-Help <FunctionName> -Detailed.
Add-EntraGroupDevice
Add one or more devices to an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Add-EntraGroupDevice [-GroupName <String>] [-GroupId <String>] -DeviceIdentifier <String[]> [-TreatInputAsId] [-PassThru]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| GroupName | String | Target group display name. | Yes* | - |
| GroupId | String | Target group object ID (use instead of GroupName). | Yes* | - |
| DeviceIdentifier | String[] | Device display name or object ID. Pipeline accepted. | Yes | - |
| TreatInputAsId | Switch | Treat every DeviceIdentifier as an object ID (skip name lookup). | No | False |
| PassThru | Switch | Emit a status object per device. | No | False |
*Use either GroupName or GroupId.
Examples
"PC1","PC2" | Add-EntraGroupDevice -GroupName "Zero Trust Devices"
Add-EntraGroupDevice -GroupId "00000000-0000-0000-0000-000000000000" -DeviceIdentifier "PC1" -PassThru
Add-EntraGroupUser
Add one or more users to an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Add-EntraGroupUser [-GroupName <String>] [-GroupId <String>] -UserIdentifier <String[]> [-TreatInputAsId] [-PassThru]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| GroupName | String | Target group display name. | Yes* | - |
| GroupId | String | Target group object ID (use instead of GroupName). | Yes* | - |
| UserIdentifier | String[] | UPN/display name/object ID, plus short identifiers (alias/SamAccountName/UPN prefix). Pipeline accepted. | Yes | - |
| TreatInputAsId | Switch | Treat every UserIdentifier as an object ID (skip name lookup). | No | False |
| PassThru | Switch | Emit a status object per user. | No | False |
*Use either GroupName or GroupId.
Examples
"user1@contoso.com","user2@contoso.com" | Add-EntraGroupUser -GroupName "Project Team"
Add-EntraGroupUser -GroupId "00000000-0000-0000-0000-000000000000" -UserIdentifier "user1@contoso.com" -PassThru
Export-DistributionGroups
Export distribution groups and members.
Syntax
Export-DistributionGroups [-DistributionGroup <String[]>] [-Csv] [-CsvFolder <String>]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| DistributionGroup | String[] | Group identity (name/alias/SMTP). Pipeline accepted. | No | All DGs |
| Csv | Switch | Force CSV export. | No | False |
| CsvFolder | String | Destination for CSV. | No | Current directory |
Example
Export-DistributionGroups -DistributionGroup "IT Team" -CsvFolder 'C:\Temp\DGs'
Export-DynamicDistributionGroups
Export dynamic DGs and evaluated members.
Syntax
Export-DynamicDistributionGroups [-DynamicDistributionGroup <String[]>] [-Csv] [-CsvFolder <String>]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| DynamicDistributionGroup | String[] | Dynamic DG identity. Pipeline accepted. | No | All dynamic DGs |
| Csv | Switch | Force CSV export. | No | False |
| CsvFolder | String | Destination for CSV. | No | Current directory |
Example
Export-DynamicDistributionGroups -CsvFolder 'C:\Temp\DynDGs'
Export-M365Group
Export Microsoft 365 groups (members/owners).
Syntax
Export-M365Group [-M365Group <String[]>] [-Csv] [-CsvFolder <String>]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| M365Group | String[] | Group identity (name/alias/SMTP). Pipeline accepted. | No | All M365 groups |
| Csv | Switch | Force CSV export. | No | False |
| CsvFolder | String | Destination for CSV. | No | Current directory |
Example
Export-M365Group -M365Group "Project A" -CsvFolder 'C:\Temp\M365'
Get-DynamicDistributionGroupFilter
Show the simplified filter of a dynamic distribution group.
Syntax
Get-DynamicDistributionGroupFilter -DynamicDistributionGroup <String> [-IncludeDefaults] [-AsObject]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| DynamicDistributionGroup | String | Dynamic DG identity. Pipeline accepted. | Yes | - |
| IncludeDefaults | Switch | Include default EXO filter clauses. | No | False |
| AsObject | Switch | Return as object instead of string. | No | False |
Example
Get-DynamicDistributionGroupFilter -DynamicDistributionGroup "All Mailboxes"
Get-EntraGroupDevice
Show the Entra groups a device belongs to (Graph scopes: Group.Read.All, Directory.Read.All).
Syntax
Get-EntraGroupDevice -DeviceIdentifier <String> [-TreatInputAsId] [-GridView]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| DeviceIdentifier | String | Device display name or object ID. Pipeline accepted. | Yes | - |
| TreatInputAsId | Switch | Treat the DeviceIdentifier as an object ID (skip name lookup). | No | False |
| GridView | Switch | Show details in Out-GridView. | No | False |
Examples
Get-EntraGroupDevice -DeviceIdentifier "PC123"
"00000000-0000-0000-0000-000000000000" | Get-EntraGroupDevice -TreatInputAsId -GridView
Get-EntraGroupUser
Show the Entra groups a user belongs to (Graph scopes: Group.Read.All, Directory.Read.All).
Syntax
Get-EntraGroupUser -UserIdentifier <String> [-TreatInputAsId] [-GridView]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| UserIdentifier | String | UPN/display name/object ID, plus short identifiers (alias/SamAccountName/UPN prefix). Pipeline accepted. | Yes | - |
| TreatInputAsId | Switch | Treat the UserIdentifier as an object ID (skip name lookup). | No | False |
| GridView | Switch | Show details in Out-GridView. | No | False |
Examples
Get-EntraGroupUser -UserIdentifier "user@contoso.com"
"00000000-0000-0000-0000-000000000000" | Get-EntraGroupUser -TreatInputAsId -GridView
Get-EntraGroupMembers
Show the members of an Entra group (users, devices, and other directory objects) (Graph scopes: Group.Read.All, Directory.Read.All).
Syntax
Get-EntraGroupMembers [-GroupName <String>] [-GroupId <String>] [-IncludeDeviceUsers] [-GridView]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| GroupName | String | Target group display name. Pipeline accepted. | Yes* | - |
| GroupId | String | Target group object ID (use instead of GroupName). | Yes* | - |
| IncludeDeviceUsers | Switch | When members are devices, resolve registered owners and users. | No | False |
| GridView | Switch | Show details in Out-GridView. | No | False |
*Use either GroupName or GroupId.
Examples
Get-EntraGroupMembers "intune - app - netterm"
"intune - app - netterm" | Get-EntraGroupMembers
Get-EntraGroupMembers -GroupId "00000000-0000-0000-0000-000000000000" -GridView
Get-EntraGroupMembers "intune - app - netterm" -IncludeDeviceUsers
- When -IncludeDeviceUsers is used and the member is a device, the output includes a Device Owners/Users column.
- If owners and users are identical, the list is shown once; otherwise owners and users are combined in the same column.
Get-RoleGroupsMembers
List Exchange Online role groups and members.
Syntax
Get-RoleGroupsMembers [-AsTable] [-GridView]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| AsTable | Switch | Show formatted table output. | No | False (objects) |
| GridView | Switch | Show results in Out-GridView. | No | False |
Example
Get-RoleGroupsMembers -AsTable
Get-UserGroups
Show the groups (DGs/M365) a user/contact/group belongs to.
Syntax
Get-UserGroups -UserPrincipalName <String> [-GridView]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| UserPrincipalName | String | User/contact/group identity. | Yes | - |
| GridView | Switch | Show details in Out-GridView. | No | False |
Output
- Default output columns: GroupName, GroupMail
- With -GridView: additional details are included (description, type, ID, etc.)
Get-UserGroups now returns GroupName and GroupMail instead of Group Name and Group Mail.
Update any legacy filters/scripts accordingly, for example: use $_.GroupName instead of $_.'Group Name'.
Examples
Get-UserGroups -UserPrincipalName 'user@contoso.com'
Get-UserGroups 'user@contoso.com' | Where-Object { $_.GroupName -like '*portion-of-group-name*' }
Remove-EntraGroupDevice
Remove one or more devices from an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Remove-EntraGroupDevice [-GroupName <String>] [-GroupId <String>] -DeviceIdentifier <String[]> [-TreatInputAsId] [-PassThru]
Remove-EntraGroupDevice [-GroupName <String>] [-GroupId <String>] -ClearAll [-PassThru]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| GroupName | String | Target group display name. | Yes* | - |
| GroupId | String | Target group object ID (use instead of GroupName). | Yes* | - |
| DeviceIdentifier | String[] | Device display name or object ID. Pipeline accepted. | Yes | - |
| TreatInputAsId | Switch | Treat every DeviceIdentifier as an object ID (skip name lookup). | No | False |
| ClearAll | Switch | Remove all device members from the group (users and other objects are not removed). Prompts for confirmation. | No | False |
| PassThru | Switch | Emit a status object per device. | No | False |
*Use either GroupName or GroupId.
Examples
"PC1","PC2" | Remove-EntraGroupDevice -GroupName "Zero Trust Devices"
Remove-EntraGroupDevice -GroupId "00000000-0000-0000-0000-000000000000" -DeviceIdentifier "PC1" -PassThru
Remove-EntraGroupDevice -GroupName "Zero Trust Devices" -ClearAll
Remove-EntraGroupDevice -GroupName "Zero Trust Devices" -ClearAll -WhatIf
Remove-EntraGroupUser
Remove one or more users from an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Remove-EntraGroupUser [-GroupName <String>] [-GroupId <String>] -UserIdentifier <String[]> [-TreatInputAsId] [-PassThru]
Remove-EntraGroupUser [-GroupName <String>] [-GroupId <String>] -ClearAll [-PassThru]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| GroupName | String | Target group display name. | Yes* | - |
| GroupId | String | Target group object ID (use instead of GroupName). | Yes* | - |
| UserIdentifier | String[] | UPN/display name/object ID, plus short identifiers (alias/SamAccountName/UPN prefix). Pipeline accepted. | Yes | - |
| TreatInputAsId | Switch | Treat every UserIdentifier as an object ID (skip name lookup). | No | False |
| ClearAll | Switch | Remove all user members from the group (devices and other objects are not removed). Prompts for confirmation. | No | False |
| PassThru | Switch | Emit a status object per user. | No | False |
*Use either GroupName or GroupId.
Examples
"user1@contoso.com","user2@contoso.com" | Remove-EntraGroupUser -GroupName "Project Team"
Remove-EntraGroupUser -GroupId "00000000-0000-0000-0000-000000000000" -UserIdentifier "user1@contoso.com" -PassThru
Remove-EntraGroupUser -GroupName "Project Team" -ClearAll
Remove-EntraGroupUser -GroupName "Project Team" -ClearAll -WhatIf
Add/Get/Remove-EntraGroupUser now use the shared resolver (Find-UserRecipient), so short identifiers are supported in addition to full UPNs and object IDs.
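Because -ClearAll removes every user member of a group in one call, it is worth recording the membership and previewing the change first. The script below is an added example, not part of the module or its documentation: the backup folder is hypothetical, the GUID is the page's placeholder, and it assumes Get-EntraGroupMembers and -PassThru emit objects that Export-Csv can serialize.

```powershell
# Added example: snapshot membership, preview, then run -ClearAll.
# Assumes the module is loaded and a Graph session with Group.ReadWrite.All
# and Directory.Read.All already exists.

# Entra display names are not unique, so target the group by object ID.
$groupId   = '00000000-0000-0000-0000-000000000000'   # placeholder from the page
$backupDir = 'C:\Temp\GroupBackups'                   # hypothetical folder
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$before    = Join-Path $backupDir "$groupId-$stamp-before.csv"
$changes   = Join-Path $backupDir "$groupId-$stamp-removed.csv"

if (-not (Test-Path -LiteralPath $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

# 1. Record the current members so the change can be reviewed or reversed.
$members = @(Get-EntraGroupMembers -GroupId $groupId)
if ($members.Count -eq 0) {
    Write-Warning "No members returned for group $groupId; nothing to remove."
    return
}
$members | Export-Csv -LiteralPath $before -NoTypeInformation -Encoding UTF8
Write-Host "Saved $($members.Count) member record(s) to $before"

# 2. Dry run: -WhatIf reports what would be removed without changing the group.
Remove-EntraGroupUser -GroupId $groupId -ClearAll -WhatIf

# 3. Real run: -ClearAll prompts for confirmation; -PassThru emits one status
#    object per user, kept here as an audit record of what was removed.
$results = @(Remove-EntraGroupUser -GroupId $groupId -ClearAll -PassThru)
if ($results.Count -gt 0) {
    $results | Export-Csv -LiteralPath $changes -NoTypeInformation -Encoding UTF8
    Write-Host "Logged $($results.Count) removal result(s) to $changes"
}
```

The same pattern applies to Remove-EntraGroupDevice -ClearAll, which removes only device members.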
Search-EntraGroup
Find Entra groups by display name and/or description (Graph scopes: Group.Read.All, Directory.Read.All).
Syntax
Search-EntraGroup -SearchText <String> [-SearchIn <String>] [-GridView]
| Parameter | Type | Description | Required | Default |
|---|---|---|---|---|
| SearchText | String | Text to search in display name and/or description. Pipeline accepted. | Yes | - |
| SearchIn | String | Search target: DisplayName, Description, Any. | No | DisplayName |
| GridView | Switch | Show details in Out-GridView. | No | False |
Examples
Search-EntraGroup -SearchText "java"
Search-EntraGroup -SearchText "jre"
Search-EntraGroup -SearchText "legacy apps" -SearchIn Description
"marketing" | Search-EntraGroup -SearchIn Any -GridView