Continuing the “how to do this with the new Azure AD PowerShell module” series, in this article we will explore some useful cmdlets that quickly list all Groups a user is member of, or is configured as Owner/Manager.
Getting group membership
As a reminder, here’s how to quickly get a list of all groups a user is member of via the EO Remote PowerShell cmdlets:
Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"
where 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com' is the DistinguishedName of the user, obtainable for example via:
Get-User user@domain.com | select -ExpandProperty DistinguishedName
Now, there’s also one caveat you might want to consider when using the above cmdlet. Namely, the Get-Recipient cmdlet in EO doesn’t return Office 365 Groups objects (the new, “modern” groups) unless you specifically include them. An updated version of the above cmdlet that accounts for Groups will look like this:
Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup
and will return all Distribution groups, Mail-enabled security groups and Office 365 groups the user is member of. Dynamic distribution groups are something else you might want to consider, but those aren’t a subject for the current article. You can add other recipient types to the above example as needed.
If you want to return membership of Exchange Role Groups as well, use the Get-Group cmdlet:
Get-Group -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"
So, after covering the Exchange side, can we also do the same with the Azure AD cmdlets? The answer is yes, thanks to the Get-AzureADUserMembership cmdlet. Here’s an example:
Get-AzureADUserMembership -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b
As usual, one probably wants to avoid using ObjectIds, so here’s an example that takes care of that:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership
The next problem you will run into is handling the output, which is also full of ObjectIds. We can use calculated properties to work around this:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | ? {$_.ObjectType -ne "Role"} | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft
where we have also excluded the Role groups from the output. If you want to keep them, change the above cmdlet to:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | % {Get-AzureADObjectByObjectId -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft

DisplayName           ObjectType MailEnabled SecurityEnabled ObjectId
-----------           ---------- ----------- --------------- --------
Company Administrator Role                                   c25d133f-4944-481a-84d2-6e41d6a101f4
test                  Group      False       True            a1813eff-a80b-4ac9-bbdc-8e0821b76809
empty                 Group      True        False           74f09795-5028-4f89-bba3-f6f0e0d084b4
DG                    Group      True        False           c91cd116-a8a5-443b-9ae1-e1f0bade4a23
USG                   Group      True        True            9e629d33-d655-440c-89af-15738e59e667
Overall, the number of objects returned by the Get-AzureADUserMembership cmdlet will usually be greater than what the Exchange cmdlets return, because it also includes objects such as Security groups and User Roles.
Get list of objects the user is Owner for
Similarly to group membership, we can also use PowerShell cmdlets to quickly get a list of all objects a user is configured as Owner for (or Manager in the Exchange world). Here’s how to do this with EO remote PowerShell:
Get-Recipient -Filter "ManagedBy -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup
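The Exchange-side membership and ManagedBy queries above all hinge on pasting the user's DistinguishedName into an OPATH filter. As an added example (not code from the original article), the function below resolves the DN from a UPN, escapes it for the filter string, and returns membership, role groups and ownership in one list; the function name and the Relationship column are my own choices.

```powershell
# Added example: wraps the article's "Members -eq" / "ManagedBy -eq" filters so
# the caller passes a UPN instead of hand-copying the DistinguishedName.
# Requires an Exchange Online remote PowerShell session.
function Get-EXORecipientAccessForUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # Resolve the DN the same way the article does (Get-User | DistinguishedName)
    $user = Get-User -Identity $UserPrincipalName -ErrorAction Stop

    # A DN containing an apostrophe (e.g. CN=O'Brien) would terminate the quoted
    # OPATH value early, so double any single quote before embedding it.
    $dn = $user.DistinguishedName -replace "'", "''"

    $groupTypes = 'GroupMailbox', 'MailUniversalDistributionGroup', 'MailUniversalSecurityGroup'

    # Membership: DGs, mail-enabled security groups and Office 365 Groups
    $memberOf = Get-Recipient -Filter "Members -eq '$dn'" -RecipientTypeDetails $groupTypes -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails, @{n = 'Relationship'; e = { 'Member' }}

    # Role groups are not recipients, so they only show up via Get-Group
    $roleGroups = Get-Group -Filter "Members -eq '$dn'" -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -eq 'RoleGroup' } |
        Select-Object Name, @{n = 'PrimarySmtpAddress'; e = { $null }}, RecipientTypeDetails, @{n = 'Relationship'; e = { 'Member' }}

    # Ownership (ManagedBy), including dynamic DGs that the Azure AD cmdlet does not report
    $owns = Get-Recipient -Filter "ManagedBy -eq '$dn'" -RecipientTypeDetails ($groupTypes + 'DynamicDistributionGroup') -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails, @{n = 'Relationship'; e = { 'Owner' }}

    # Wrap each result in @() so a single object still concatenates as an array
    @($memberOf) + @($roleGroups) + @($owns)
}

Get-EXORecipientAccessForUser -UserPrincipalName 'user@domain.com' | Format-Table -AutoSize
```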
To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:
Get-AzureADUserOwnedObject -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b
or the more useful version sans the ObjectId obscurity:
Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserOwnedObject

ObjectId                             DisplayName Description
--------                             ----------- -----------
471b526b-a084-46c0-a649-986c4e2cb89d First group First group
b6b27af5-7b64-4bd5-9dc5-8886974dcb51 All Users
A note is due here – the Azure AD cmdlet doesn’t look at the “ManagedBy” property. If you want to include Exchange related recipients in the output, such as (dynamic) distribution groups, use the Exchange cmdlet above.
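Putting the Azure AD side of both sections together, here is an added example (not code from the original article) that reports everything a user is a member or owner of, with ObjectIds resolved to names in batches rather than one call per object. The function name, the Relationship column and the batch size of 1000 are my own choices.

```powershell
# Added example: one membership + ownership report for a user from the Azure AD
# module, with the ObjectId-only output of Get-AzureADUserMembership resolved
# through Get-AzureADObjectByObjectId. Requires Connect-AzureAD first.
function Get-AzureADUserAccessReport {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # -ObjectId accepts a UPN and matches exactly; -SearchString is a prefix
    # search and can return more than one user.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Groups and directory roles, all pages
    $memberships = @(Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true)

    # Resolve ids in chunks (1000 per call is an assumed safe batch size)
    $resolved = @()
    for ($i = 0; $i -lt $memberships.Count; $i += 1000) {
        $last  = [Math]::Min($i + 999, $memberships.Count - 1)
        $ids   = $memberships[$i..$last] | ForEach-Object { $_.ObjectId }
        $resolved += Get-AzureADObjectByObjectId -ObjectIds $ids
    }
    # Roles have no MailEnabled/SecurityEnabled; Select-Object leaves them blank
    $memberOf = $resolved |
        Select-Object DisplayName, ObjectType, MailEnabled, SecurityEnabled, ObjectId, @{n = 'Relationship'; e = { 'Member' }}

    # Ownership; this does not consult the Exchange "ManagedBy" property
    $owns = Get-AzureADUserOwnedObject -ObjectId $user.ObjectId -All $true |
        Select-Object DisplayName, ObjectType, MailEnabled, SecurityEnabled, ObjectId, @{n = 'Relationship'; e = { 'Owner' }}

    @($memberOf) + @($owns) | Sort-Object Relationship, ObjectType, DisplayName
}

Get-AzureADUserAccessReport -UserPrincipalName 'user@domain.com' | Format-Table -AutoSize
```

Because the Role entries are kept, the same report also surfaces directory roles such as Company Administrator, which the Exchange cmdlets never show.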