Security Groups are a crucial part of any system as they define the authorization on the available resources for the users requesting access. They are also important to categorize permission boundaries for the set of users at once. Thus, it is really important to streamline the process of managing Security Groups for any system.
Though the management activities are repetitive and boring, if we need to repeat same steps again and again over the period of time.
Thankfully we can automate these repetitive tasks, using PowerShell Scripts, which can take the inputs from CSV or text files for the input values and perform necessary actions.
In this article, we will discuss the automation scripts, which are required to manage Security Groups in Office 365, using PowerShell.
If you want to follow along, then the prerequisites for this article are given below.
- Creating a O365 account
- Configuring PowerShell for Office 365
If the prerequisites given above are not met, then I would recommend you read one of my earlier articles “Office 365: How to Configure PowerShell for O365” to get to know the steps of installing prerequisites.
Let's login to O365 account and visit Admin Center
Navigate to Admin Center by clicking Admin tile on the Application dashboard, as shown below.
Now, in the upcoming sections, we will see the respective PowerShell commands to deal with each of the management tasks.
How to Add new Security Groups
Navigate Admin Center => Groups
For the first time in my case, there are no Security Groups present since this is a new O365 account.
Run New-MsolGroup command, where DisplayName specifies the name of the Security Group and Description specifies the description for the group, as shown below.
New-MsolGroup -DisplayName “Test Security Group” -Description “This is created for testing.”
Once the command gets executed successfully, navigate Admin Center => Groups to verify that new group has been added.
It is worth noting that Default Group Type for any group added, using the command given above will be Security.
How to export all Security Groups
We can export all the Security Groups from the O365 account by using Get-MsolGroup command, as shown below.
Get-MsolGroup
Once the command is executed successfully, we can see the details of all the available Security Groups on the Host Window. Alternatively, we can export the results to text files by piping the results to Out-File command.
How to export all Security Groups filtered by Group properties
We can export a filtered set of Security Groups from O365 account based on any property of the Group. In the example given below, I am using DisplayName property to filter the results, as shown below.
Get-MsolGroup | Where-Object {$_.DisplayName -eq “Test Security Group”}
Once the command is executed successfully, we can see the details of the specific Security Groups matching the filter criteria.
How to export all Security Groups filtered by Group Type
We can export Security Groups, which are based on its type also by using GroupType. In the example given below, we are going to filter all Security Groups, which are of type Security from O365 account.
Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Once the command is executed successfully, we can see the details of all Security Group of type Security and with DisplayName = Test Security Group.
How to add users to Security Groups
Run the command given below to check the existing members, which are present in Security Group.
$securityGroup = Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId
Once the command is executed successfully, we will get the list of users already added to the group
We can see the same information by editing the group with in the Browser, as shown below.
We can add new members to Security Group by using the command given below.
Create an object, which requires Security Group
$securityGroup = Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Create an object of the member depicted by UserPrincipalName parameter, which needs to be added to the group
$member = Get-MsolUser -UserPrincipalName [email protected]
Now, use the command given below to add the member to the group by specifying Group Object ID & Member Object ID
Add-MsolGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType “User” -GroupMemberObjectId $member.ObjectId
Once the command gets executed successfully, we can see a new member has been added to the group.
We can verify the result of an operation by using PowerShell command.
$securityGroup = Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId
We can also verify the result of an operation by the Browser, as shown below.
How to remove users from Security Groups
We can we remove the users from the specific security group by using set of commands given below.
Create the object of the respective group from which the user needs to be removed
$securityGroup = Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Create the object of the respective member, which needs to be deleted from the group
$member = Get-MsolUser -UserPrincipalName [email protected]
Then we can use “Remove-MsoLGroupMember” command to remove the member depicted by “Groupmemberobjectid” parameter from the group depicted by “GroupObjectId” parameter as shown below
Remove-MsoLGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType User -Groupmemberobjectid $member.ObjectId
Once the command gets executed successfully, we can see the respective member gets deleted from Security Group in question.
Now, we can verify the delete operation by using PowerShell command in question
$securityGroup = Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Get-MsolGroupMember -GroupObjectId $securityGroup.ObjectId
We can also verify the same via Browser by editing Security Group, as shown below.
How to remove Security Groups
We can use the command given below to remove Security Groups.
Create an object to the respective group.
$securityGroup = Get-MsolGroup -GroupType “Security” | Where-Object {$_.DisplayName -eq “Test Security Group”}
Execute “Remove-MsolGroup” command to remove the group depicted by objectid parameter, as shown below.
Remove-MsolGroup -objectid $securityGroup.ObjectId
On execution, this command will ask you for the confirmation on delete action.
Enter your choice Y to continue and N to cancel.
Once the command is executed successfully, we can go back to Groups section in Admin Center to verify Delete Action.
All the above tasks can be automated by incorporating CSV files to receive an input from and perform the respective actions.
Hope, you find it helpful.