Group helpers
Requires EXO (for DGs/role groups) and Microsoft Graph for M365 groups where applicable. For complete, up-to-date info, run Get-Help <FunctionName> -Detailed.
Add-EntraGroupDevice
Add one or more devices to an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Add-EntraGroupDevice [-GroupName <String>] [-GroupId <String>] -DeviceIdentifier <String[]> [-TreatInputAsId] [-PassThru]
| Parameter | Description | Required | Default |
|---|---|---|---|
GroupName | Target group display name. | Yes* | - |
GroupId | Target group object ID (use instead of GroupName). | Yes* | - |
DeviceIdentifier | Device display name or object ID. Pipeline accepted. | Yes | - |
TreatInputAsId | Treat every DeviceIdentifier as an object ID (skip name lookup). | No | False |
PassThru | Emit a status object per device. | No | False |
*Use either GroupName or GroupId.
Examples
"PC1","PC2" | Add-EntraGroupDevice -GroupName "Zero Trust Devices"
Add-EntraGroupDevice -GroupId "00000000-0000-0000-0000-000000000000" -DeviceIdentifier "PC1" -PassThru
Add-EntraGroupUser
Add one or more users to an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Add-EntraGroupUser [-GroupName <String>] [-GroupId <String>] -UserIdentifier <String[]> [-TreatInputAsId] [-PassThru]
| Parameter | Description | Required | Default |
|---|---|---|---|
GroupName | Target group display name. | Yes* | - |
GroupId | Target group object ID (use instead of GroupName). | Yes* | - |
UserIdentifier | UPN/display name/object ID. Pipeline accepted. | Yes | - |
TreatInputAsId | Treat every UserIdentifier as an object ID (skip name lookup). | No | False |
PassThru | Emit a status object per user. | No | False |
*Use either GroupName or GroupId.
Examples
"user1@contoso.com","user2@contoso.com" | Add-EntraGroupUser -GroupName "Project Team"
Add-EntraGroupUser -GroupId "00000000-0000-0000-0000-000000000000" -UserIdentifier "user1@contoso.com" -PassThru
Export-DistributionGroups
Export distribution groups and members.
Syntax
Export-DistributionGroups [-DistributionGroup <String[]>] [-Csv] [-CsvFolder <String>]
| Parameter | Description | Required | Default |
|---|---|---|---|
DistributionGroup | Group identity (name/alias/SMTP). Pipeline accepted. | No | All DGs |
Csv | Force CSV export. | No | False |
CsvFolder | Destination for CSV. | No | Current directory |
Example
Export-DistributionGroups -DistributionGroup "IT Team" -CsvFolder 'C:\Temp\DGs'
Export-DynamicDistributionGroups
Export dynamic DGs and evaluated members.
Syntax
Export-DynamicDistributionGroups [-DynamicDistributionGroup <String[]>] [-Csv] [-CsvFolder <String>]
| Parameter | Description | Required | Default |
|---|---|---|---|
DynamicDistributionGroup | Dynamic DG identity. Pipeline accepted. | No | All dynamic DGs |
Csv | Force CSV export. | No | False |
CsvFolder | Destination for CSV. | No | Current directory |
Example
Export-DynamicDistributionGroups -CsvFolder 'C:\Temp\DynDGs'
Export-M365Group
Export Microsoft 365 groups (members/owners).
Syntax
Export-M365Group [-M365Group <String[]>] [-Csv] [-CsvFolder <String>]
| Parameter | Description | Required | Default |
|---|---|---|---|
M365Group | Group identity (name/alias/SMTP). Pipeline accepted. | No | All M365 groups |
Csv | Force CSV export. | No | False |
CsvFolder | Destination for CSV. | No | Current directory |
Example
Export-M365Group -M365Group "Project A" -CsvFolder 'C:\Temp\M365'
Get-DynamicDistributionGroupFilter
Show the simplified filter of a dynamic distribution group.
Syntax
Get-DynamicDistributionGroupFilter -DynamicDistributionGroup <String> [-IncludeDefaults] [-AsObject]
| Parameter | Description | Required |
|---|---|---|
DynamicDistributionGroup | Dynamic DG identity. Pipeline accepted. | Yes |
IncludeDefaults | Include default EXO filter clauses. | No |
AsObject | Return as object instead of string. | No |
Example
Get-DynamicDistributionGroupFilter -DynamicDistributionGroup "All Mailboxes"
Get-EntraGroupDevice
Show the Entra groups a device belongs to (Graph scopes: Group.Read.All, Directory.Read.All).
Syntax
Get-EntraGroupDevice -DeviceIdentifier <String> [-TreatInputAsId] [-GridView]
| Parameter | Description | Required | Default |
|---|---|---|---|
DeviceIdentifier | Device display name or object ID. Pipeline accepted. | Yes | - |
TreatInputAsId | Treat the DeviceIdentifier as an object ID (skip name lookup). | No | False |
GridView | Show details in Out-GridView. | No | False |
Examples
Get-EntraGroupDevice -DeviceIdentifier "PC123"
"00000000-0000-0000-0000-000000000000" | Get-EntraGroupDevice -TreatInputAsId -GridView
Get-EntraGroupUser
Show the Entra groups a user belongs to (Graph scopes: Group.Read.All, Directory.Read.All).
Syntax
Get-EntraGroupUser -UserIdentifier <String> [-TreatInputAsId] [-GridView]
| Parameter | Description | Required | Default |
|---|---|---|---|
UserIdentifier | UPN/display name/object ID. Pipeline accepted. | Yes | - |
TreatInputAsId | Treat the UserIdentifier as an object ID (skip name lookup). | No | False |
GridView | Show details in Out-GridView. | No | False |
Examples
Get-EntraGroupUser -UserIdentifier "user@contoso.com"
"00000000-0000-0000-0000-000000000000" | Get-EntraGroupUser -TreatInputAsId -GridView
Get-RoleGroupsMembers
List Exchange Online role groups and members.
Syntax
Get-RoleGroupsMembers [-AsTable] [-GridView]
| Parameter | Description | Required | Default |
|---|---|---|---|
AsTable | Show formatted table output. | No | False (objects) |
GridView | Show results in Out-GridView. | No | False |
Example
Get-RoleGroupsMembers -AsTable
Get-UserGroups
Show the groups (DGs/M365) a user/contact/group belongs to.
Syntax
Get-UserGroups -UserPrincipalName <String> [-GridView]
| Parameter | Description | Required | Default |
|---|---|---|---|
UserPrincipalName | User/contact/group identity. | Yes | - |
GridView | Show details in Out-GridView. | No | False |
Example
Get-UserGroups -UserPrincipalName 'user@contoso.com'
Remove-EntraGroupDevice
Remove one or more devices from an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Remove-EntraGroupDevice [-GroupName <String>] [-GroupId <String>] -DeviceIdentifier <String[]> [-TreatInputAsId] [-PassThru]
| Parameter | Description | Required | Default |
|---|---|---|---|
GroupName | Target group display name. | Yes* | - |
GroupId | Target group object ID (use instead of GroupName). | Yes* | - |
DeviceIdentifier | Device display name or object ID. Pipeline accepted. | Yes | - |
TreatInputAsId | Treat every DeviceIdentifier as an object ID (skip name lookup). | No | False |
PassThru | Emit a status object per device. | No | False |
*Use either GroupName or GroupId.
Examples
"PC1","PC2" | Remove-EntraGroupDevice -GroupName "Zero Trust Devices"
Remove-EntraGroupDevice -GroupId "00000000-0000-0000-0000-000000000000" -DeviceIdentifier "PC1" -PassThru
Remove-EntraGroupUser
Remove one or more users from an Entra group (Graph scopes: Group.ReadWrite.All, Directory.Read.All).
Syntax
Remove-EntraGroupUser [-GroupName <String>] [-GroupId <String>] -UserIdentifier <String[]> [-TreatInputAsId] [-PassThru]
| Parameter | Description | Required | Default |
|---|---|---|---|
GroupName | Target group display name. | Yes* | - |
GroupId | Target group object ID (use instead of GroupName). | Yes* | - |
UserIdentifier | UPN/display name/object ID. Pipeline accepted. | Yes | - |
TreatInputAsId | Treat every UserIdentifier as an object ID (skip name lookup). | No | False |
PassThru | Emit a status object per user. | No | False |
*Use either GroupName or GroupId.
Examples
"user1@contoso.com","user2@contoso.com" | Remove-EntraGroupUser -GroupName "Project Team"
Remove-EntraGroupUser -GroupId "00000000-0000-0000-0000-000000000000" -UserIdentifier "user1@contoso.com" -PassThru