Monday, 27 May 2019

Find and List Security Groups and Members in Office 365 using PowerShell

Office 365 supports two types of security groups: the normal security group and the mail-enabled security group. Both are mainly used for granting access to SharePoint resources; the mail-enabled security group can also be used to distribute messages. In this post, I am going to share PowerShell scripts to list and export both kinds of security groups along with their owners and members.

We can use the Azure AD PowerShell cmdlet Get-AzureADGroup to list all types of groups; by applying the proper filter with this command, we can retrieve both types of security groups.

Before proceeding, run the below command to connect to the Azure AD PowerShell module.
Connect-AzureAD

List all security groups:

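The below command lists both normal security groups and mail-enabled security groups. The -All $true parameter returns every matching group rather than only the first page of results.
Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true" | Select DisplayName,MailEnabled,ObjectId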

List mail-enabled security groups:

We need to add the MailEnabled field to the filter to list only mail-enabled security groups.
Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true and MailEnabled eq true"

List pure security groups alone:

Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true and MailEnabled eq false"

Find owners of all security groups:

We can use the command Get-AzureADGroupOwner to retrieve the owners of a group.
$group = Get-AzureADGroup -SearchString "TestSecurityGroup"
Get-AzureADGroupOwner -ObjectId $group.ObjectId | Select DisplayName, UserPrincipalName

Run the below command to retrieve all security groups and their owner details.
$groups = Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true"
$Result = @()
$groups | ForEach-Object {
    $group = $_
    # Collect the owners of the current group
    $Owners = Get-AzureADGroupOwner -ObjectId $group.ObjectId -All $true | Select DisplayName
    $Result += New-Object PSObject -Property @{
        GroupName = $group.DisplayName
        Owners = $Owners.DisplayName -join ","
    }
}
$Result | Select GroupName,Owners

Note: The command Get-AzureADGroupOwner lists only owners of security groups and it will not list mail-enabled security group owners. We can use the Exchange Online PowerShell cmdlet Get-DistributionGroup to get the owners of mail-enabled groups.
Get-DistributionGroup -Identity "MailSecGroup" | Select DisplayName,ManagedBy

List owners of all mail-enabled security groups:
Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited | Select DisplayName,ManagedBy

Export members of all security groups:

We can use the command Get-AzureADGroupMember to retrieve the members of an Azure AD group.
$group = Get-AzureADGroup -SearchString "TestSecurityGroup"
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Select DisplayName, UserPrincipalName

You can use the below command to list the members of all security groups.
$groups = Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true"
$Result = @()
$groups | ForEach-Object {
    $group = $_
    # One output row per (group, member) pair
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | ForEach-Object {
        $member = $_
        $Result += New-Object PSObject -Property @{
            GroupName = $group.DisplayName
            Member = $member.DisplayName
            UserPrincipalName = $member.UserPrincipalName
        }
    }
}
$Result | Select GroupName,Member,UserPrincipalName

You can export the result to a CSV file using the command Export-CSV.
$Result | Export-CSV "C:\Security-Group-Members.csv" -NoTypeInformation -Encoding UTF8
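
The owner and member queries above can be combined into a single access-review report that covers both group types. This is an added example, not part of the original post: it takes owners from Get-AzureADGroupOwner for pure security groups and from ManagedBy for mail-enabled ones, then flags groups with no owner and counts guest members. It assumes Connect-AzureAD and an Exchange Online session are already open and that each mail-enabled group's Mail value in Azure AD matches its PrimarySmtpAddress in Exchange Online; the Ownerless and GuestCount columns are additions for review purposes.

```powershell
# Added example. Assumes Azure AD and Exchange Online sessions are connected.

# Index mail-enabled security groups by SMTP address so that ManagedBy can be
# looked up per group (Get-AzureADGroupOwner does not return these owners).
$mailOwners = @{}
Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited |
    ForEach-Object { $mailOwners[[string]$_.PrimarySmtpAddress] = @($_.ManagedBy) }

$report = Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true" | ForEach-Object {
    $group = $_

    if ($group.MailEnabled) {
        # Assumption: the Azure AD Mail value equals the Exchange PrimarySmtpAddress.
        $owners = @($mailOwners[[string]$group.Mail] | Where-Object { $_ })
    }
    else {
        $owners = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId -All $true |
            ForEach-Object { $_.DisplayName } | Where-Object { $_ })
    }

    # Members can be users, groups or other objects; only users carry UserType.
    $members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)
    $guests  = @($members | Where-Object { $_.UserType -eq 'Guest' })

    [PSCustomObject]@{
        GroupName   = $group.DisplayName
        MailEnabled = $group.MailEnabled
        Owners      = $owners -join ','
        Ownerless   = ($owners.Count -eq 0)
        MemberCount = $members.Count
        GuestCount  = $guests.Count
    }
}

# Groups nobody is accountable for, or that contain guest accounts, come first.
$report |
    Sort-Object -Property Ownerless, GuestCount -Descending |
    Select-Object GroupName, MailEnabled, Owners, Ownerless, MemberCount, GuestCount
```

Pipe the final output to Export-CSV in the same way as the member list if the report needs to be kept for review.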
