Table of Contents
Create Dynamic Microsoft 365 Groups and Teams with PowerShell
No sooner had I published the article about creating dynamic administrative units with PowerShell, the first email arrived asking if the same was possible for dynamic Microsoft 365 groups. The answer is “of course,” but with the caveat that it’s not just a matter of some minor updates to the script.
That being said, the outline for the script to create dynamic groups is broadly the same:
- Find the licensed users in the tenant and extract a list of departments. The departments should be accurate and some care should be taken to eliminate inconsistencies. For instance, some people might be listed as belonging to IT while others belong to the Information Technology department. Decide on one value and apply it to all.
- You might not want to create groups for all departments. The script defines an array of excluded departments that are removed from the set to process.
- Find the set of dynamic Microsoft 365 groups. We need this information to check if a dynamic group already exists for a department.
- For each department, check if a group already exists. If not, define some parameters for the new group, including the membership rule that Entra ID uses to calculate the group members, and run the New-MgGroup cmdlet to create the group.
- Following a successful creation, proceed to team-enable the new group by running the New-MgTeam cmdlet. This is an optional step, but seeing that Teams is the heaviest workload for Microsoft 365 groups, it seemed like a good thing to include.
Let’s examine some of the steps.
Scripting the Creation of a Dynamic Microsoft 365 Group
Here’s an example of creating a new dynamic Microsoft 365 group for the department whose name is stored in the $Dept variable:
Write-Host ("Checking groups for department {0}" -f $Dept)
$Description = ("Dynamic Microsoft 365 group created for the {0} department on {1}" -f $Dept, (Get-Date))
$DisplayName = ("{0} Dynamic group" -f $Dept)
$MailNickName = ("Dynamic.{0}.Group" -f ($Dept -replace " ",""))
$MembershipRule = '(User.Department -eq "' + $Dept +'")'
If ($DisplayName -in $Groups.DisplayName) {
Write-Host ("Group already exists for {0}" -f $Dept) -ForegroundColor Red
} Else {
# Create the new dynamic Microsoft 365 Group
$NewGroup = New-MgGroup -DisplayName $DisplayName -Description $Description `
-MailEnabled:$True -SecurityEnabled:$False `
-MailNickname $MailNickName -GroupTypes "DynamicMembership", "Unified" `
-MembershipRule $MembershipRule -MembershipRuleProcessingState "On"
}
Wait Before Progressing to Teams
Flushed with the successful creation, you might want to rush to team-enable the new group. However, it’s best to wait 10-15 seconds before proceeding to allow Teams to learn about the new group from Entra ID. If you attempt to team-enable a group immediately after creation, you’ll probably see an error like this:
Failed to execute Templates backend request CreateTeamFromGroupWithTemplateRequest. Request Url: https://teams.microsoft.com/fabric/emea/templates/api/groups/bab7a3a8-2e30-4996-9405-48ca395b99c6/team, Request Method: PUT, Response Status Code: NotFound, Response Headers: Strict-Transport-Security: max-age=2592000
x-operationid: a228258204c3466dbd64c4d88373a416
x-telemetryid: 00-a228258204c3466dbd64c4d88373a416-82a9b5015f332574-01
X-MSEdge-Ref: Ref A: FC01DAADBD0D4A1A9ECBB9826707CC17 Ref B: DB3EDGE2518 Ref C: 2023-10-04T15:00:51Z
Date: Wed, 04 Oct 2023 15:00:52 GMT
ErrorMessage : {"errors":[{"message":"Failed to execute GetGroupMembersMezzoCountAsync.","errorCode":"Unknown"}],"operationId":"a228258204c3466dbd64c4d88373a416"}
Team-Enabling a Group
To team-enable a group, run the New-MgTeam cmdlet and provide a hash table containing information to allow Teams to find the new group (the Graph URI for the group) plus the Teams template to use. This code does the trick.
$GroupUri = "https://graph.microsoft.com/v1.0/groups('" + $NewGroup.Id + "')"
$NewTeamParams = @{
"template@odata.bind"="https://graph.microsoft.com/v1.0/teamsTemplates('standard')"
"group@odata.bind"="$($GroupUri)"
}
$NewTeam = New-MgTeam -BodyParameter $NewTeamParams
If ($NewTeam) {
Write-Host ("Successfully team-enabled the {0}" -f $NewGroup.DisplayName)
}
Checking Groups Post-Creation
Figure 1 shows some of the dynamic Microsoft 365 groups created in my tenant. Note the groups for “Information Technology” and the “IT Department.” Obviously my checking of user departments was deficient prior to running the script. The fix is easy though. Decide on which department name to use and update user accounts to have that. Then remove the now-obsolete group. Entra ID will make sure that the accounts with reassigned departments show up in the correct group membership.
In this case, only one account had “IT Department,” so I quickly updated its department property with:
Update-MgUser -UserId Jack.Smith@office365itpros.com -Department "Information Technology"
I then removed the IT Department dynamic group:
$Group = Get-MgGroup -Filter "displayName eq 'IT Department Dynamic Group'" Remove-MgGroup -GroupId $Group.Id
Soon afterwards, the membership of the Information Department Dynamic group was correct (Figure 2) and all was well.
You can download the complete script from GitHub. It would be easy to adapt the code to run as an Azure Automation runbook to scan for new departments and create groups as necessary.
Simple PowerShell Results in Big Benefits
Scripting the creation of dynamic Microsoft 365 groups for each department in a tenant isn’t too difficult. The membership rule is simple but could be expanded to include different criteria. Once the groups are created, they should be self-maintaining. That is, if you make sure that the department property for user accounts is accurate.
Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things like dynamic Microsoft 365 groups work.