Continuing the “how to do this with the new Azure AD PowerShell module” series, in this article we will explore some useful cmdlets that quickly list all Groups a user is member of, or is configured as Owner/Manager.
To get the latest version of the AzureAD PowerShell module, click here. To get the documentation on installing and using the module, click here.
Getting group membership
As a reminder, here’s how to quickly get a list of all groups a user is member of via the EO Remote PowerShell cmdlets:
Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"
where ‘CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations, DC=EURPR03A001, DC=prod, DC=outlook, DC=com’ is the DistinguishedName of the user, obtainable for example via:
Get-User user@domain.com | select -ExpandProperty DistinguishedName
Now, there’s also one caveat you might want to consider when using the above cmdlet. Namely, the Get-Recipient cmdlet in EO doesn’t return Office 365 Groups objects (the new, “modern” groups) unless you specifically include them. An updated version of the above cmdlet that accounts for Groups will look like this:
Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup
and will return all Distribution groups, Mail-enabled security groups and Office 365 groups the user is member of. Dynamic distribution groups are something else you might want to consider, but those aren’t a subject for the current article. You can add other recipient types to the above example as needed.
If you want to return membership of Exchange Role Groups as well, use the Get-Group cmdlet:
Get-Group -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"
So, after covering the Exchange side, can we also do the same with the Azure AD cmdlets? The answer is yes, thanks to the Get-AzureADUserMembership cmdlet. Here’s an example:
Get-AzureADUserMembership -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b
As usual, one probably wants to avoid using ObjectIds, so here’s an example that takes care of that:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership
The next problem you will run into is handling the output, which is also full of ObjectIds. We can use calculated properties to work around this:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | ? {$_.ObjectType -ne "Role"} | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft
where we have also excluded the Role groups from the output. If you want to keep them, change the above cmdlet to:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | % {Get-AzureADObjectByObjectId -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft DisplayName ObjectType MailEnabled SecurityEnabled ObjectId ----------- ---------- ----------- --------------- -------- Company Administrator Role c25d133f-4944-481a-84d2-6e41d6a101f4 test Group False True a1813eff-a80b-4ac9-bbdc-8e0821b76809 empty Group True False 74f09795-5028-4f89-bba3-f6f0e0d084b4 DG Group True False c91cd116-a8a5-443b-9ae1-e1f0bade4a23 USG Group True True 9e629d33-d655-440c-89af-15738e59e667
Overall, the number of objects returned by the Get-AzureADUserMembership cmdlet should be greater compared to the Exchange cmdlets, because of the inclusion of objects such as Security groups and User Roles.
Get list of objects the user is Owner for
Similarly to group membership, we can also use PowerShell cmdlets to quickly get a list of all objects a user is configured as Owner for (or Manager in the Exchange world). Here’s how to do this with EO remote PowerShell:
Get-Recipient -Filter "ManagedBy -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup
To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:
Get-AzureADUserOwnedObject -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b
or the more useful version sans the ObjectId obscurity:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserOwnedObject ObjectId DisplayName Description -------- ----------- ----------- 471b526b-a084-46c0-a649-986c4e2cb89d First group First group b6b27af5-7b64-4bd5-9dc5-8886974dcb51 All Users
A note is due here – the Azure AD cmdlet doesn’t look at the “ManagedBy” property. If you want to include Exchange related recipients in the output, such as (dynamic) distribution groups, use the Exchange cmdlet above.
An updated version of the article can be found here, with examples utilizing the Microsoft Graph SDK for PowerShell.
thank you
I need some help with the Filter. The “Members -eq ‘DN'” works fine when the DN does not contain single quote. When it does, the Get throws an exception. Can someone please show me, if possible, how to escape the single quote in the filter?
P.S. Let ‘s not discuss the merit of NOT having special characters in a name. 🙂
Thanks.
Escape any special chars as detailed here: https://www.michev.info/blog/post/737/using-filters-against-objects-containing-special-characters
As of January of 2022 the sad reality is that you still need to perform two calls — one to Graph and one to EO to get all group members/owners:
1) Graph won’t show you distro groups
2) EO won’t show you security groups (not mail-enabled)
Luckily, now with REST-compatible interface for EO we can talk directly to https://outlook.office365.com/adminapi/beta/$tenantId/InvokeCommand without the extra luggage of PSremoting (that is — we finally can use a platform/language of our choice), but we still need two queries.
^^^^ Correction, the comment above applies only to group OWNERS, not members. All MEMBERSHIPS of a given account can be obtained with one request — https://graph.microsoft.com/beta/users/{userID}/memberOf/ (determining the group type in this case would require some heuristics with mailEnabled, securityEnabled and groupTypes attributes). Apologize for multiple messages.
You still don’t get the full picture unfortunately, for example the ManagedBy property for DGs will not be returned by Graph. And the list of owners is separate from the ManagedBy list :/
Hi Vasil,
Your article helped me a lot but, how to get the Distribution group as type because the AAD one is only giving Microsoft 365 groups in output. Could you please help for the other Distribution group type with AAD command it will be very helpful.
Thanks!
Use the Exchange cmdlets (Get-Recipient), not the AAD ones.
I have 100+ DL list and need to check particular person ownership/approver details of them. is this possible?
we have set a particular person as approver for multiple DL list. need report all of them DL’s.
Still helpful five years later, thank you for this!
Very good information, helped me when I needed it. Thanks Vasil.
I just want to be able to export the User groups to CSV>>
oh, but, is that a DG, or a Group created from Teams or what?= type of 365 Group are they a member of?
Many tenants getting 365, but still need someone that can Powershell to reach all the buttons!
There’s a more robust solution here: https://practical365.com/how-to-inventory-membership-of-exchange-groups-recursively/
hello! i need your help
i have 270 groups in my organisation
suddenly the manager asked me to add him as owner in all groups.
is there an easy way to do it?? using powershell or so?
please help
yes, there is..
use Add-teamuser command, and write it on excel
Paste it to PS and run it.
Thats really awesome
Any idea how I can do the same with Azure CLI? That limitation to .NET (_not_ “Core”) is a serious impediment on Linux / OS X.
I use a win10 jumphost (a virtual machine), install powershell 7.2 on it, set up ssh access to it (protect access by some AD group and firewall if needed), and then allow PS-remoting to it using
Enter-PSSession -hostname
Any commands that follows will be able to use the full windows powershell capabilities.
In short, steps to do are:
Install OpenSSH Server and Client:
OpenSSH for Windows is available directly in Windows 10 (1809 or higher) and Windows Server 2019 as an optional feature.
Install PowerShell 7 on all systems
Configure the SSH subsystem to host a PowerShell process on the remote machine
Configure password or key-based authentication
more infor here : https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7.2
This is simple and quick – good stuff!
This worked brilliantly for 3 of our O365 admins, but when I checked for a normal user, no results. I tried multiple users with no luck.
We sync on premise AD to O365 (AzureAD) and I was hoping to find which a simple command to see which groups (cloud or synched) a user was a member of. For the admins it looked great. I also noticed that my queries for the admins only work with our very basic LANID. None of my attempts to use the full UPN (user@domain.com), e-mail address, hierarchical naming, etc. did a thing.
Any thoughts on how I can make this work consistently?
The Exchange method (Get-Recipient) will only work if you use the full DN of the user. The AAD one can be used with a variety of identifiers, but in general you should be using the objectID.
Thank you, it is helpful for me. Is it possibles to export the same like all users and DL they are members of.
Ex.
Name DL
Kumaresan IT – Tech,IT – dept
Jacop All – Techies
Sure, simply put a foreach loop and go over every user.
Really good, impressed
How can we do the same to get SharePoint groups cross sites/subsites ?
Same question! and Teams.
Basically, where does a single user have access to?
Teams uses Office 365 Groups as membership, the above examples work just fine.
How would you perform the same task including Dynamic groups?
As dynamic DGs don’t have a preset membership, there is no shortcut to include them in the list of groups give user is a member of. Instead you have to cycle over each DDG and expand the membership based on the recipient filter, then compare it against the user at hand.
Thank you, this article does help me in much simpler way than others. Love it!!