Tuesday, 28 May 2019

Find Owners and Members of Mail-Enabled Security Groups using PowerShell

A mail-enabled security group is a security group that also acts as a distribution list. In an Office 365 environment, this group can be used to distribute messages as well as to grant access permissions to SharePoint resources.

Because the group serves two purposes, security (controlled by Azure AD) and message distribution (controlled by Exchange Online), the group object is maintained in both Azure AD and Exchange Online. You can use the Azure AD admin portal (and the Azure AD PowerShell module) to manage Azure AD-related properties, and the Exchange Online admin center (and the Exchange Online PowerShell module) to update Exchange-related attributes.

Note: Before proceeding, connect to both the Azure AD and Exchange Online PowerShell modules.

List mail-enabled security groups:

We can use the Get-AzureADGroup cmdlet to list only mail-enabled security groups.

    # Without -All $true, only the first page of results is returned.
    Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true and MailEnabled eq true"

We can also use the Exchange Online PowerShell command Get-DistributionGroup to list mail-enabled security groups.

    # -ResultSize Unlimited lifts the default limit of 1000 results.
    Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited

Find Owners of mail-enabled security groups

We can use the Azure AD PowerShell command Get-AzureADGroupOwner to list the owners of security groups, but it will not list the owners of mail-enabled security groups. Instead, we can extract the owner information from the ManagedBy attribute returned by the Get-DistributionGroup cmdlet.

    # ManagedBy is multi-valued: a group can have more than one owner.
    Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited |
        Select DisplayName,ManagedBy

Find Members of mail-enabled security groups

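We can use the Get-AzureADGroupMember cmdlet to retrieve the members of Azure AD groups.

    # -SearchString must match exactly one group here, because -ObjectId takes a single value.
    $group = Get-AzureADGroup -SearchString "TestSecurityGroup"
    # Without -All $true, only the first page of members is returned.
    Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Select DisplayName, UserPrincipalName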
You can use the commands below to list the members of all mail-enabled security groups.

    # Without -All $true, only the first page of groups (and of members) is returned.
    $mailGroups = Get-AzureADGroup -All $true -Filter "SecurityEnabled eq true and MailEnabled eq true"
    $Result = @()
    $mailGroups | ForEach-Object {
        $group = $_
        Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | ForEach-Object {
            $member = $_
            # One output row per group/member pair
            $Result += New-Object PSObject -Property @{
                GroupName = $group.DisplayName
                Member = $member.DisplayName
                UserPrincipalName = $member.UserPrincipalName
            }
        }
    }
    $Result | Select GroupName,Member,UserPrincipalName
We can also use the Exchange PowerShell cmdlet Get-DistributionGroupMember to list members.

    # -ResultSize Unlimited lifts the default limit of 1000 results on both cmdlets.
    $mailGroups = Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited
    $Result = @()
    $mailGroups | ForEach-Object {
        $group = $_
        Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited | ForEach-Object {
            $member = $_
            # One output row per group/member pair
            $Result += New-Object PSObject -Property @{
                GroupName = $group.DisplayName
                Member = $member.DisplayName
                PrimarySmtpAddress = $member.PrimarySmtpAddress
            }
        }
    }
    $Result | Select GroupName,Member,PrimarySmtpAddress
You can export the result to a CSV file using the Export-CSV command.

    $Result | Export-CSV "C:\Mail-Security-Group-Members.csv" -NoTypeInformation -Encoding UTF8
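
Because these groups grant SharePoint access as well as distributing mail, it helps to review owners and members together. The following is an added example, not part of the original post: it builds one row per group from ManagedBy and Get-DistributionGroupMember and flags groups with no owner, nested groups, and guest or contact members. It assumes a connected Exchange Online session; $reportPath is a hypothetical output location.

```powershell
# Added example (not from the original post). Requires an active Exchange Online
# PowerShell session. $reportPath is a hypothetical path; change it as needed.
$reportPath = 'C:\Mail-Security-Group-Review.csv'

$groups = Get-DistributionGroup -RecipientTypeDetails MailUniversalSecurityGroup -ResultSize Unlimited

$report = foreach ($group in $groups) {
    # Drop null/empty entries so a group without owners counts as 0, not 1.
    $owners  = @($group.ManagedBy | Where-Object { $_ })
    $members = @(Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited)

    # Members that are themselves groups extend this group's access to their own members.
    $nested = @($members | Where-Object { $_.RecipientTypeDetails -like '*Group*' })

    # Guest users and mail contacts are recipients from outside the tenant's own user base.
    $external = @($members | Where-Object {
        $_.RecipientTypeDetails -in 'GuestMailUser', 'MailContact'
    })

    [PSCustomObject]@{
        GroupName          = $group.DisplayName
        PrimarySmtpAddress = $group.PrimarySmtpAddress
        Owners             = $owners -join '; '
        HasNoOwner         = ($owners.Count -eq 0)
        MemberCount        = $members.Count
        NestedGroups       = $nested.DisplayName -join '; '
        ExternalMembers    = $external.PrimarySmtpAddress -join '; '
    }
}

# Show ownerless groups first, then the largest groups.
$report |
    Sort-Object @{ Expression = 'HasNoOwner'; Descending = $true },
                @{ Expression = 'MemberCount'; Descending = $true } |
    Format-Table GroupName, HasNoOwner, MemberCount, NestedGroups, ExternalMembers -AutoSize

$report | Export-Csv $reportPath -NoTypeInformation -Encoding UTF8
```

Get-DistributionGroupMember returns direct members only, so any group listed under NestedGroups needs its own review.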
