Add-UnifiedGroupLinks – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365
Fri, 22 Dec 2023 12:51:30 +0000

Adding New Azure AD Users to Groups Automatically
https://office365itpros.com/2022/12/05/dynamic-group-membership/
Mon, 05 Dec 2022 01:00:00 +0000

Dynamic Group Membership is the Obvious But Not the Only Option

A member of the Microsoft Technical Community asks if it’s possible to automatically add newly-created accounts to an existing group. The initial response offered by the community focused on dynamic groups – either dynamic distribution lists or dynamic Azure AD groups.

It’s a reasonable suggestion. Dynamic distribution groups are part of base Exchange Online functionality and don’t require any additional licenses. Dynamic Azure AD groups require Azure AD Premium P1 licenses for every account covered by dynamic membership. In both cases, the trick is to make sure that the query used by Exchange Online or Azure AD to determine group membership finds the new account.

Dynamic Group Membership for Exchange Online Mailboxes

It’s possible to create a dynamic distribution group based on a simple query like “all mailboxes” that will automatically include new accounts (if they have mailboxes). Figure 1 shows the UX in the Exchange admin center (EAC) to define the membership of a new dynamic distribution list.

Figure 1: Dynamic membership settings for all mailboxes

The list works and email sent to it arrives in the inbox of every mailbox in the tenant, including shared mailboxes. This is because the recipient filter generated by Exchange Online for the dynamic distribution group selects all mail-enabled objects with a recipient type of ‘UserMailbox’ and only filters out some system mailboxes.

A dynamic distribution list like this is said to use a “canned” recipient filter because Exchange Online generates the filter based on the choices the administrator makes when they create the new list. You can only edit canned filters through the EAC. Exchange Online gives greater flexibility through the support of custom recipient filters. These filters can only be created using PowerShell, but they’re much more flexible in terms of selecting the set of mail-enabled objects to address through the list. A simple custom recipient filter to find just user mailboxes is shown below together with a test with the Get-Recipient cmdlet to prove that the filter works.

$Filter = "{RecipientTypeDetails -eq 'UserMailbox'}"
Get-Recipient -RecipientPreviewFilter $Filter

Dynamic Group Membership for Azure AD User Accounts

Dynamic Azure AD groups can be used with Microsoft 365 groups and Teams. These groups use different membership filters (query rules) to find the set of target objects. Instead of mail-enabled objects like mailboxes, the query against Azure AD focuses on user accounts. However, the same capability exists in that it’s possible to create a dynamic Azure AD group that includes all user accounts, including those newly created.

Again, the key is to construct a query rule that finds all user accounts – of the right type. When Azure AD is used for a Microsoft 365 tenant, there are many non-interactive user accounts created to give identities to objects such as shared mailboxes and room mailboxes. These are all considered “member” accounts and it’s easy to build a rule to find all member accounts. However, you probably want a more refined version that finds just the accounts used by humans.

Azure AD doesn’t have a human filter, so we need to construct something that Azure AD can use to find matching accounts in its directory. One approach is to use licenses for the check. You could look for accounts assigned Office 365 E3 licenses but would have to check for accounts with F1 or E5 licenses too. An easy change is to look for accounts that have any license that has at least one enabled service. For instance, accounts with Office 365 E3 or E5 licenses with the Exchange Online, Teams, Planner, or SharePoint Online service would all match. Figure 2 shows a test of the rule against a “real” user account and some other user accounts belonging to room and shared mailboxes. You can see that the real account passes the validation test while the others do not.

Figure 2: Testing the membership rule for a dynamic Azure AD group to find all user accounts

Azure AD accounts used by shared mailboxes must be assigned licenses when they need more than 50 GB of mailbox storage or an online archive. These accounts satisfy the membership rule, but that’s perhaps not important. If it is, some tweaking of the membership rule is necessary to remove the shared mailbox accounts.

Dynamic Group Membership of Org-Wide Teams

If your organization is smaller than 10,000 accounts, new Azure AD accounts automatically join the org-wide teams in the tenant (a tenant can support up to five org-wide teams). Org-wide teams are a special form of dynamic Microsoft 365 group whose membership is controlled by Teams rather than Azure AD, so Azure AD Premium P1 licenses are not required.

The PowerShell Alternative to Manage Dynamic Group Membership

If you don’t want to use a dynamic object, it’s certainly possible to use standard distribution lists or Microsoft 365 groups. In this scenario, the tenant takes the responsibility for maintaining group membership. Usually, PowerShell is used to add new accounts to group membership. You don’t have to worry about removing deleted accounts from the group as this happens automatically following an account deletion.

To add a new user to a distribution list, use the Add-DistributionGroupMember cmdlet:

Add-DistributionGroupMember -Identity "All Tenant Mailboxes" -Member Lotte.Vetler@office365itpros.com

To add a new user account to a Microsoft 365 group, either run the Add-UnifiedGroupLinks cmdlet (from the Exchange Online management module) or the New-MgGroupMember cmdlet (from the Microsoft Graph PowerShell SDK):

Add-UnifiedGroupLinks -Identity "All Tenant Accounts" -LinkType Member -Links Lotte.Vetler@office365itpros.com

New-MgGroupMember -GroupId "107fe4dd-809c-4ec9-a3a1-ab88c96e0a5e" -DirectoryObjectId (Get-MgUser -UserId Lotte.Vetler@office365itpros.com).Id

If the tenant creates user accounts programmatically with PowerShell, these commands can be added to that script. If not, a background scheduled job could find accounts that don’t exist in group membership and add them. See this article for more information about group management with the Microsoft Graph PowerShell SDK.
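A sketch of the background job described above, added here as an example and not taken from the original article: it uses the Microsoft Graph PowerShell SDK to find licensed member accounts that are missing from a group, adds them, and logs every change. The function name, the report path, and the choice of "licensed member account" as the selection rule are assumptions; the group ID is the one used in the command above.

```powershell
# Added example (not from the original article).
# Assumptions: the Microsoft.Graph module is installed, the function name and CSV path are
# hypothetical, and "licensed member account" is the rule for who belongs in the group.
function Add-MissingGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [string]$ReportPath = "c:\temp\GroupMembershipAdditions.csv"  # placeholder path
    )

    # Licensed member accounts only: this leaves out guests and the unlicensed
    # accounts that sit behind room and shared mailboxes.
    [array]$Users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable UserCount `
        -Filter "assignedLicenses/`$count ne 0 and userType eq 'Member'" `
        -Property Id, DisplayName, UserPrincipalName

    # Load the current membership into a hash set so each lookup is constant time
    $MemberIds = [System.Collections.Generic.HashSet[string]]::new()
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object { [void]$MemberIds.Add($_.Id) }

    $Report = [System.Collections.Generic.List[Object]]::new()
    ForEach ($User in $Users) {
        If ($MemberIds.Contains($User.Id)) { Continue }   # already a member
        # -WhatIf makes ShouldProcess return $False, so a dry run changes nothing
        If ($PSCmdlet.ShouldProcess($User.UserPrincipalName, "Add to group $GroupId")) {
            Try {
                New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $User.Id -ErrorAction Stop
                $Status = "Added"
            } Catch {
                $Status = "Failed: " + $_.Exception.Message
            }
            $Report.Add([PSCustomObject]@{
                Timestamp = (Get-Date).ToString("s")
                GroupId   = $GroupId
                User      = $User.UserPrincipalName
                Status    = $Status })
        }
    }
    # Keep a record of what the job changed so additions can be reviewed later
    If ($Report.Count -gt 0) { $Report | Export-Csv -NoTypeInformation -Path $ReportPath }
    Write-Host ("{0} accounts checked, {1} changes logged" -f $Users.Count, $Report.Count)
}

# Request only the permissions the job needs, then preview the changes with -WhatIf
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.ReadWrite.All"
Add-MissingGroupMember -GroupId "107fe4dd-809c-4ec9-a3a1-ab88c96e0a5e" -WhatIf
```

Remove -WhatIf once the preview lists the accounts you expect.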

Many Possibilities to Ponder

A simple question required a long answer. That’s because the questioner didn’t specify what type of group that they wanted to add new accounts to. In any case, it’s nice to be able to debate the possibilities and then settle on the best course of action to take.


Stopping Microsoft Teams Posting System Messages About New Members
https://office365itpros.com/2022/01/07/stopping-teams-posting-system-messages-about-new-members/
Fri, 07 Jan 2022 01:00:00 +0000

No Way to Suppress Messages

A reader asked if it’s possible to stop Teams displaying a system-generated message when someone joins a team. It’s a reasonable question. In the past, I have pointed out the dangers of adding someone to a group too early as people can then discover that a new employee is joining the company. Conversely, it’s not good when people learn about the departure of a valued colleague through an informational message posted in Teams to say that the person has left a team.

Things used to be worse. Before May 2020, Teams posted messages about members joining and leaving a team in the team’s General channel. The introduction of the channel information pane gave these system messages a new home. Unless people open the information pane, they don’t see messages about membership changes, new owners and channels, and other developments, so there’s a fair chance that the addition of a new employee to a team will go unnoticed.

The Many Ways to Add New Members to a Team

To see whether any of the methods to add a new member avoids a system message in the information pane, I tested by adding a new member through:

  • The Teams client.
  • The Add-UnifiedGroupLinks cmdlet from the Exchange Online management module.
  • The Add-AzureADGroupMember cmdlet from the Azure AD module.
  • The Add-TeamUser cmdlet from the Microsoft Teams module.

I didn’t test using the Microsoft Graph API. The Add-TeamUser cmdlet is a wrapper around the Graph API call, so the results observed for that cmdlet are likely the same for a Graph call. System messages are retrievable using Graph API calls.

Azure AD is the directory of record. Add-AzureADGroupMember updates the Azure AD group object used by the team. Add-UnifiedGroupLinks updates the Azure AD group object and the group in the Exchange Online directory using a dual write. Add-TeamUser is like adding a new member through the client because the action updates both the team roster (to make the new team member immediately available) and Azure AD. Rosters (lists of members and owners) are how Teams organizes and manages membership.

Changes made to Azure AD or by other Microsoft 365 workloads synchronize with Teams through a background process called Microsoft Teams Aad Sync, introduced in 2020 to make the synchronization process between Teams and Azure AD more efficient and effective. Note that it can take several hours before a system message about a new member shows up. Apart from the need to run background synchronization, clients also need to refresh their cache.

In a nutshell, no matter how you add or remove a tenant or guest account, the change synchronizes back to Teams and the system message appears in the information pane (Figure 1).

Figure 1: System messages about membership changes appear in the information pane

Different system messages in the information pane appear depending on the method used to add an account. If you see that someone added a member (like “Tony Redmond has added Niamh Smith to the team”), it’s an indication that the action occurred through the Teams client, the Add-TeamUser cmdlet, or the Graph API (all of which execute the same code). On the other hand, if you see that someone joined the team, the source is Azure AD or Exchange Online PowerShell.

No Control Over System Messages

There’s no system or team setting to tweak to turn off system messages about member updates. Granular control would be best, but I guess Microsoft ignored me when I previously complained about the lack of control over system message publication, so I’ve submitted it again to the new Teams Feedback portal. Please vote there if you support the idea of having a team-level setting to control the publication of system messages.

In the interim, if you don’t want other users to discover that someone has joined a team, either wait until an appropriate time before adding them as a member or consider assigning a new display name to that person’s account until you’re ready to reveal their presence. For instance, I changed the name of a new user as follows:

Set-AzureADUser -ObjectId James.Baker@office365itpros.com -DisplayName "The Maestro of Office 365"

After waiting for a few hours to allow Teams to pick up details of the user account, I added them to a team. Sometime later, the information pane duly displays the system message for the addition (Figure 2):

Figure 2: Obscuring the addition of a new team member

This technique works if you want to pre-add new users to teams before they join the organization if you use suitably obscured display names, like UserAXXAD19948. Naturally, you should update their display name after they’re active in the organization. However, it’s not a great approach for people who already work there as other workloads pick up and use the changed display name.

Small Detail

The answer to the original question is that you can’t stop Teams posting system messages to inform team members about membership changes. No control is available at a system or individual team level, which is a pity. But life isn’t perfect, and this is a small detail in the overall scheme of things – unless you inadvertently reveal the name of a new employee before they join the company.


How to Enable Users to Receive Copies of Email They Send to Microsoft 365 Groups
https://office365itpros.com/2021/12/14/outlook-groups-receive-copies/
Tue, 14 Dec 2021 01:00:00 +0000

Outlook Groups Still Popular

When Microsoft launched Office 365 Groups in November 2014, the plan was to use these objects to replace distribution groups. Like all plans, events took over and forced change. Distribution groups remain intact (and Microsoft is updating their functionality) and the role of Office 365 Groups (renamed Microsoft 365 Groups in April 2020) has evolved to become a membership and identity service for apps like Teams, Power BI, and Yammer. However, devotees of Outlook can still use Microsoft 365 Groups in Outlook and OWA (where they have the moniker “Outlook Groups”), complete with a dedicated menu bar, presence in Outlook favorites, and section in Outlook resources. Outlook mobile also supports Outlook Groups.

An Outlook group has the following characteristics:

Like other Microsoft 365 Groups, an Outlook group has a SharePoint Online team site, shared OneNote notebook, and can connect to Planner.

Subscribers and Copies

An Outlook group distributes copies of messages sent to the group based on its subscriber list. The AutoSubscribeNewMembers group setting controls if Exchange adds new group members to the subscriber list automatically. Another setting called AlwaysSubscribeMembersToCalendarEvents controls if group members receive copies of calendar events (sometimes it’s necessary to update the groups used by Teams to change these settings).

Users can control if they want to be on a group’s subscriber list with the Follow in Inbox feature. Figure 1 shows the Outlook desktop settings; OWA presents the settings differently, but the same effect applies. In this instance, I am not a subscriber to the group because I don’t receive all email and events. However, I do receive copies of any replies posted to messages I send to the group.

Figure 1: Group settings in Outlook for Windows

Senders and Copies

In 2017, Microsoft changed the way Groups processed email when it delivered copies to subscribers to stop delivering a copy to the message sender for new messages and replies. On the surface, the change was reasonable because senders have copies of messages in their Sent Items folder and senders can always add themselves as a CC or BCC recipient if they want Exchange to deliver a copy of a specific message to their inbox. Well-intentioned as the change was, it upset many people who liked receiving a copy of anything they posted to groups.

A few months ago, Microsoft introduced a way to allow users to receive copies of their messages posted to Outlook groups. The requirements are:

  • The user or an Exchange administrator must update their mailbox settings to set EchoGroupMessageBackToSubscribedSender to True. As the name implies, the setting controls if the Exchange transport service echoes messages sent to a group by a subscribed sender. By default, this setting is False.
  • The user must subscribe to each group for which they wish to receive copies of their posted messages.

I can’t find any message center notification covering the use of the EchoGroupMessageBackToSubscribedSender setting (it’s entirely possible that I missed it). However, from the “common tasks to manage Microsoft 365 groups” page, I can’t find any other Microsoft reference to the cmdlet except in an October 29 change in GitHub to a page covering Hybrid deployment. Other references exist elsewhere, such as this August 31 Stack Overflow discussion. It’s curious that Microsoft doesn’t document this capability more thoroughly.

User Updates

Users can update their mailbox settings through OWA options. Go to the Groups section and set the Send me a copy of email I send to a group option (Figure 2).

Figure 2: OWA setting controlling if users receive copies of messages they post to Outlook groups

Administrators can do the same by running the Set-MailboxMessageConfiguration cmdlet.

Set-MailboxMessageConfiguration -Identity Kim.Akers -EchoGroupMessageBackToSubscribedSender $True

In either case, the setting covers all Outlook groups and can take up to an hour before the change is effective and Exchange will deliver a copy of any message posted by the user to the groups they subscribe to.

Users can choose if they want to subscribe to a group and now have control over whether they receive copies of their own messages. I am loath to recommend that administrators should step in to update subscriber settings on a group-wide basis because it means that you would overwrite the settings for people who have opted out of receiving copies of group email and events. However, a need might arise to make everyone a subscriber and update their mailbox settings to allow them to receive copies of their own messages. If so, this PowerShell works.

# Update group subscriber list with all members and set their mailboxes to receive copies of messages posted to Outlook groups
$Group = Read-Host "What group do you want to update?"
Write-Host "Checking" $Group "..."
$GroupId = (Get-UnifiedGroup -Identity $Group -ErrorAction SilentlyContinue).ExternalDirectoryObjectId
If (!($GroupId)) { Write-Host "Sorry... we can't find" $Group "... exiting" ; break}
[array]$GroupMembers = Get-UnifiedGroupLinks -Identity $GroupId -LinkType Member
Write-Host "Adding group members as subscribers to" $Group
Add-UnifiedGroupLinks -Identity $GroupId -LinkType Subscriber -Links $GroupMembers.PrimarySmtpAddress
Write-Host "Updating mailbox settings for group members to allow them to receive copies of their messages posted to the group"
$GroupMembers | ForEach-Object { Set-MailboxMessageConfiguration -Identity $_.ExternalDirectoryObjectId -EchoGroupMessageBackToSubscribedSender $True }

One interesting thing about this code is that you do not need to call Add-UnifiedGroupLinks separately to add each group member to the subscriber list. If you have an array of members, which we do after calling Get-UnifiedGroupLinks to fetch the member list, you can use that as the input and Add-UnifiedGroupLinks will add multiple members with one call.
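Because the bulk update overwrites choices that users made for themselves, it helps to record the state beforehand so it can be put back. The following is an added example, not part of the original article: the two function names and the CSV path are hypothetical, and it assumes Get-MailboxMessageConfiguration returns the EchoGroupMessageBackToSubscribedSender value under the same name that Set-MailboxMessageConfiguration uses.

```powershell
# Added example (not from the original article). Function names and paths are hypothetical.
function Save-GroupSubscriberState {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$Path)
    $GroupId = (Get-UnifiedGroup -Identity $Group -ErrorAction Stop).ExternalDirectoryObjectId
    # Identifiers of the current subscribers, used to mark who had already opted in
    $Subscribers = @(Get-UnifiedGroupLinks -Identity $GroupId -LinkType Subscribers -ResultSize Unlimited).ExternalDirectoryObjectId
    Get-UnifiedGroupLinks -Identity $GroupId -LinkType Members -ResultSize Unlimited | ForEach-Object {
        # Guest members have no mailbox, so the lookup returns nothing and EchoSetting stays empty
        $Config = Get-MailboxMessageConfiguration -Identity $_.ExternalDirectoryObjectId -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            GroupId       = $GroupId
            MemberId      = $_.ExternalDirectoryObjectId
            Address       = $_.PrimarySmtpAddress
            WasSubscriber = ($_.ExternalDirectoryObjectId -in $Subscribers)
            EchoSetting   = $Config.EchoGroupMessageBackToSubscribedSender
        }
    } | Export-Csv -NoTypeInformation -Path $Path
}

function Restore-GroupSubscriberState {
    param([Parameter(Mandatory)][string]$Path)
    ForEach ($Row in (Import-Csv -Path $Path)) {
        # CSV values come back as strings, so compare against "True" and "False"
        If ($Row.WasSubscriber -eq "False") {
            Remove-UnifiedGroupLinks -Identity $Row.GroupId -LinkType Subscribers -Links $Row.Address -Confirm:$False
        }
        If ($Row.EchoSetting -ne "") {
            Set-MailboxMessageConfiguration -Identity $Row.MemberId -EchoGroupMessageBackToSubscribedSender ($Row.EchoSetting -eq "True")
        }
    }
}

# Usage: take the snapshot before running the bulk update, restore from it if needed
# Save-GroupSubscriberState -Group "Group name" -Path "c:\temp\SubscriberStateBefore.csv"
# Restore-GroupSubscriberState -Path "c:\temp\SubscriberStateBefore.csv"
```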

More Updates for Groups

In closing, let me note two other changes coming soon to Outlook Groups. First, MC302487 (December 8) says that users assigned the Send As permission for a group will no longer have to select the group name when sending messages from the group. This change applies to OWA only and roll-out begins in mid-January. Second, MC303512 (December 10) brings equally important news that instead of displaying a folder icon for an Outlook group, OWA will use the Groups icon from mid-December (this change hasn’t turned up in my targeted release tenant yet). I’m sure the new icon will make all the difference.


How to Update Teams to Send Meeting Invitations to All Members
https://office365itpros.com/2020/10/21/update-teams-send-meeting-invitations-to-members/
Wed, 21 Oct 2020 08:13:52 +0000

Ongoing Frustration for Teams Users

A certain amount of frustration is evident in Teams users who schedule meetings and add teams as meeting attendees, only to find that the team members don’t receive individual meeting invitations. The same problem happens for channel meetings.

When you add a team as a meeting attendee (Figure 1), you add a Microsoft 365 group, and group settings dictate which (if any) of the members of that group receive meeting invitations. Creating a channel meeting adds the meeting to the group calendar, but team members don’t receive invitations unless they are explicitly added as a meeting participant.

Figure 1: Scheduling a Teams meeting with Microsoft 365 Groups

As I explain in this post, the reason why this happens is due to the way Teams manages members of the Microsoft 365 group. Basically, Teams adds members to the membership list, which you expect, but it does not add the members to the group’s subscriber list. Because they are not subscribers, members do not receive copies of messages (like calendar events) sent to the group. There’s a lack of joined-up thinking between Teams and Microsoft 365 groups on this point that might be due to the fact that Groups were originally designed to serve Outlook before Microsoft changed their primary focus to be a membership and identity service for Microsoft 365 apps.

No doubt Microsoft is busily working out how to make things better. What seems clear is that people naturally assume that if they schedule a meeting with a team, the members of the team should receive invitations. This stance is eminently reasonable, even if it’s not currently implemented in Teams.

Scripting a Solution

What can you do about this? Well, as suggested in a response to Teams User Voice, you (in reality, a tenant administrator) can update group settings to automatically subscribe new users to receive event notifications and add existing users to the group’s subscriber list. Justin Horne contributed a script to do the job. I’ve taken the liberty of updating the script to:

  • Only process Microsoft 365 Groups enabled for Teams. Then filter to find the groups where members are not auto-subscribed or where members are not auto-subscribed to calendar events.
  • Update group settings to auto-subscribe new members to receive calendar events like meeting notifications. Note: guest members are always subscribed to groups.
  • Update the group subscriber list with existing members. You’ll see that I use the external directory object identifier to reference the group and the primary SMTP address to reference members. This is to ensure that the values are unique.
  • Report updates in a PowerShell list which is exported to a CSV file at the end of the script.

Updating subscriber lists for groups is not a swift process, so updating many groups will take time. You’ll also need to run the script on a regular basis to find and update new groups.

Code to Update Group Subscribers

Here’s the code. You can download a copy from GitHub. Feel free to improve it!

# UpdateSubscribersInGroupsUsedByTeams.PS1

CLS
Write-Host "Finding team-enabled Groups to process..."
$Groups = Get-UnifiedGroup -Filter {ResourceProvisioningOptions -eq "Team"} -ResultSize Unlimited
$Groups = $Groups | ? {$_.AutoSubscribeNewMembers -eq $False -Or $_.AlwaysSubscribeMembersToCalendarEvents -eq $False}

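$Report = [System.Collections.Generic.List[Object]]::new() # Create output report list
# Stop if no groups need an update (this also avoids dividing by zero below)
If (!($Groups)) { Write-Host "No team-enabled groups need to be updated... exiting" ; return }
# Initialize progress bar
$ProgDelta = 100/($Groups.count)
$CheckCount = 0 ; $GroupNumber = 0 ; CLS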
ForEach ($Group in $Groups) {
   $GroupNumber++
   $CheckCount += $ProgDelta
   $GroupStatus = "Processing " + $Group.DisplayName + " ["+ $GroupNumber +"/" + $Groups.Count + "]"
   Write-Progress -Activity "Updating subscriber information for group" -Status $GroupStatus -PercentComplete $CheckCount
   # Update group so that new members are added to the subscriber list and will receive calendar events
   Set-UnifiedGroup -Identity $Group.ExternalDirectoryObjectId -AutoSubscribeNewMembers:$True -AlwaysSubscribeMembersToCalendarEvents
   # Get current members and the subscribers list
   $Members = Get-UnifiedGroupLinks -Identity $Group.ExternalDirectoryObjectId -LinkType Member
   $Subscribers = Get-UnifiedGroupLinks -Identity $Group.ExternalDirectoryObjectId -LinkType Subscribers
   # Check each member and if they're not in the subscriber list, add them
   ForEach ($Member in $Members) {
     If ($Member.ExternalDirectoryObjectId -notin $Subscribers.ExternalDirectoryObjectId) { # Not in the list
    #    Write-Host "Adding" $Member.PrimarySmtpAddress "as a subscriber"
         Add-UnifiedGroupLinks -Identity $Group.ExternalDirectoryObjectId -LinkType Subscribers -Links $Member.PrimarySmtpAddress 
         $ReportLine = [PSCustomObject] @{
            Group      = $Group.DisplayName
            Subscriber = $Member.PrimarySmtpAddress
            Name       = $Member.DisplayName}
         $Report.Add($ReportLine) }   
     } #End ForEach
} #End ForEach
$Report | Export-CSV -NoTypeInformation c:\temp\SubscriberGroupUpdates.csv
Write-Host "All done. Details of updates are in c:\temp\SubscriberGroupUpdates.csv"

Remember that you’ll need to run this script periodically to update newly created teams. Alternatively, use a script to create teams and include the necessary code to update the group for each team. Also, while some team members will like to receive invitations for channel meetings, others will hate the idea. Be prepared to remove these users from the group’s subscribers list to stop them receiving invitations. You can do this by running the Remove-UnifiedGroupLinks cmdlet. For example, this command removes an account from a group’s subscribers list.

Remove-UnifiedGroupLinks -Identity "Group to Remove User from" -LinkType Subscriber -Links John.Smith@office365itpros.com

Optional and Required Attendees

Team members who receive invitations sent to channel meetings because they are subscribed to the group for calendar events are considered optional attendees. This is because they are not included in the set of required attendees and effectively only learn about the meeting because they are subscribers. If you want team members to be required attendees, you need to schedule a personal meeting and invite the team.


Managing Office 365 Group Membership with PowerShell
https://office365itpros.com/2019/05/30/managing-office-365-group-membership-powershell/
Thu, 30 May 2019 14:46:33 +0000

Want Dynamic Groups But Don’t Want to Pay for Azure Active Directory Premium Licenses? Here’s How to Do the Job

A reader says that they like the notion of dynamic Office 365 groups, but they don’t want to pay for the Azure Active Directory premium licenses needed to use the feature. As you might recall, dynamic groups have their membership controlled by queries executed against Azure Active Directory. Every account that comes within the scope of a query must be licensed.

Instead of using dynamic groups, our reader is willing to run scheduled background jobs to populate the membership. They need some guidance as to how to approach building the script to manage membership for a group. As an example to help them, this post describes how to manage group membership based on Office location. Our first step is therefore to grab a set of mailboxes with the right value for the Office attribute and store it in a PowerShell variable. Because I’m based in Dublin, I’ll use it as the Office location.

$Mbx = (Get-Mailbox -Filter {Office -eq "Dublin"} -ResultSize Unlimited)

Using the Filter parameter is important because this forces Exchange Online to process the query on the server, and we get the right results faster. That is, if your directory is correctly populated.

Adding Members to an Office 365 Group

To update the membership of an Office 365 group, we use the Add-UnifiedGroupLinks cmdlet. The simplest method is to use the variable holding the set of mailboxes as the input, passing the distinguished name of each mailbox as the link. To test everything, I created a new group called Dublin Employees and then ran this code to populate its membership.

Add-UnifiedGroupLinks -Identity DublinEmployees -LinkType Member -Links $Mbx.DistinguishedName

To check that the correct membership has been added, we can run the Get-UnifiedGroupLinks cmdlet:

Get-UnifiedGroupLinks -Identity DublinEmployees -LinkType Member

Maintaining Membership

All easy so far, but the issue is now how to maintain the membership. We don’t have to worry about deleted mailboxes as they lose membership when they are removed. But we do need to add new employees whose accounts match the filter and remove people who no longer match.

Adding new members is straightforward because we can use the same commands to form a set of matching mailboxes and run the Add-UnifiedGroupLinks command again. Exchange Online will ignore mailboxes that already exist in the membership.

Mailboxes that no longer match can be removed by running the Remove-UnifiedGroupLinks cmdlet. However, we must figure out what members to remove. One way to do this is to check the current membership against the set of mailboxes that should be members and remove any members that no longer qualify. In this code snippet, we create a hash table and populate it with the set of mailboxes (it’s faster to check against a hash table if the membership is large). We then check each of the members in the current membership against the hash table. Any member that isn’t found in the table doesn’t work in the Dublin office, so we go ahead and remove them.

# Remove lingering members from the group after they leave the Dublin office.
$Members = (Get-UnifiedGroupLinks -Identity DublinEmployees -LinkType Member | Select Alias, DistinguishedName, DisplayName)
$MembersHash = @{}
# Populate MembersHash with the current set of mailboxes from the Dublin office
ForEach ($M in $Mbx) {$MembersHash.Add($M.DistinguishedName, $M.Alias) }
# Check each member in the current membership. If they're not in the mailbox hash table, remove them from the membership
ForEach ($Member in $Members) {
  If ($MembersHash.ContainsKey($Member.DistinguishedName) -eq $False) {
     Write-Host "Removing" $Member.DisplayName "from Dublin Employees membership" 
     Remove-UnifiedGroupLinks -Identity DublinEmployees -Linktype Member -Links $Member.Alias -Confirm:$False }
}

Dealing With Group Owners

One small glitch. Group owners are also members, but a group owner might not belong to the Dublin office. The command fails if you run Remove-UnifiedGroupLinks to remove an owner from the member list without removing them as an owner first. As we don’t want to see any nasty errors, we should incorporate a check for owner status before we try to remove a member. Here’s the change I made to the script.

# Include check for group owners before we delete a member
# Fetch the owner aliases once; -contains is an exact comparison, whereas -Match is a regex match that can hit partial aliases
[array]$Owners = (Get-UnifiedGroupLinks -Identity DublinEmployees -LinkType Owner).Alias
ForEach ($Member in $Members) {
  If ($MembersHash.ContainsKey($Member.DistinguishedName) -eq $False) {
    If ($Owners -contains $Member.Alias) {
       Write-Host "Can't remove" $Member.DisplayName "as member - they are group owner." }
    Else {
       Write-Host "Removing" $Member.DisplayName "from Dublin Employees membership" 
       Remove-UnifiedGroupLinks -Identity DublinEmployees -Linktype Member -Links $Member.Alias -Confirm:$False }
}}

Because Teams uses Office 365 Groups to manage the membership of teams, the same approach works for Teams without the need to rewrite to use the cmdlets in the Teams PowerShell module.

More Work to Do

I’m sure other bells and whistles could be added to make the code work the way an organization wants, but that’s not the purpose of this post. I set out to answer the question and give some guidance about the commands used to maintain Office 365 group membership. There’s enough here for serious programmers (more serious than I am) to get their teeth into the problem and craft a production-quality solution.


For more information about using PowerShell to manage Office 365 Groups (and Teams), read the comprehensive chapter in the Office 365 for IT Pros eBook.

How to Populate Team or Group Membership from Email Distribution Lists https://office365itpros.com/2018/11/26/populating-group-from-dl/?utm_source=rss&utm_medium=rss&utm_campaign=populating-group-from-dl https://office365itpros.com/2018/11/26/populating-group-from-dl/#respond Mon, 26 Nov 2018 11:59:14 +0000 https://office365itpros.com/?p=1068

A question on the Microsoft Technical Community asked whether it’s possible to add the members from a mail group to a team. Taking “mail group” to mean “distribution list,” the answer is “of course with PowerShell.”

The big gotcha to remember is that distribution lists allow any mail-enabled recipient to be a member while Office 365 Groups and Teams only support mailboxes. Any code must therefore exclude objects like shared mailboxes, public folders, and mail contacts.

Read DL, Write Group

With that in mind, here’s some code to read the membership from a distribution list and add the mailboxes found in the list to an Office 365 group. As Teams and Groups share the same membership, the new members show up in Teams too. As written, the code uses cmdlets in the Exchange Online PowerShell module.

$i = 0
$Members = (Get-DistributionGroupMember -Identity "Company Sales")
$TeamId = (Get-UnifiedGroup -Identity "Sales Team").ExternalDirectoryObjectId
Write-Host "Processing Members"
ForEach ($M in $Members) {
  # Is this a mailbox
  If ($M.RecipientTypeDetails -eq "UserMailbox") {
    Write-Host "Adding" $M.DisplayName "to Sales Team"
    Add-UnifiedGroupLinks -Identity $TeamId -LinkType Member -Links $M.Alias
    # $UPN = (Get-Mailbox -Identity $M.Alias).UserPrincipalName
    # Add-TeamUser -GroupId $TeamId -User $UPN -Role Member
    $i++ }
}

Using the Teams PowerShell cmdlets

The two commented-out lines perform the update using the Add-TeamUser cmdlet, which is equally valid. However, remember to:

  • Load the Teams PowerShell module.
  • Pass the User Principal Name for the new team member (that’s why the call to Get-Mailbox is present).
  • Run the cmdlet as a team owner, because only team owners can update team membership. This restriction is likely to be removed soon, but it exists now.

Dynamic Groups

The note in the Microsoft Technical Community said that people spend a lot of time updating the distribution group membership. One response recommended dynamic groups, which is a perfectly valid option. The only downside is that you still need to maintain the directory so that the queries used for the dynamic groups return the right data. And you need Azure AD Premium P1 licenses for every account that comes within the scope of a query used for a dynamic group. If you have EM&S licenses, you don’t need to worry about Azure AD Premium as these licenses are included in that bundle.


Read more about using PowerShell with Office 365 Groups (and Teams) in Chapter 14 of the Office 365 for IT Pros eBook. Distribution lists are covered in Chapter 7.

How to Add Admins to Every Microsoft 365 Group https://office365itpros.com/2018/11/24/admins-every-office-365-group/?utm_source=rss&utm_medium=rss&utm_campaign=admins-every-office-365-group https://office365itpros.com/2018/11/24/admins-every-office-365-group/#comments Sat, 24 Nov 2018 13:51:15 +0000 https://office365itpros.com/?p=1058

PowerShell to the Rescue

A question was asked about how to add an administrator account to every Microsoft 365 Group in an Office 365 tenant to allow the administrator access to the content in all groups.

This is a straightforward operation with PowerShell. This code finds all the groups in a tenant and adds a nominated administrator account to the membership of each group as a member. Change the LinkType value to “Owner” if you want the administrator to be a group owner. We also update the CustomAttribute14 property with a value that we can use later.

$AdminAccount = "Administrator@office365itpros.com"
Write-Host "Finding Groups..."
$Groups = (Get-Recipient -RecipientTypeDetails GroupMailbox -ResultSize Unlimited | Select DisplayName, Alias)
Write-Host "Processing" $Groups.Count "groups"
ForEach ($G in $Groups) {
    Write-Host "Processing" $G.DisplayName
    Add-UnifiedGroupLinks -Identity $G.Alias -LinkType Member -Links $AdminAccount 
    Set-UnifiedGroup -Identity $G.Alias -CustomAttribute14 "Admin"}

The code uses the Get-Recipient cmdlet instead of the Get-UnifiedGroup cmdlet to fetch a list of Microsoft 365 Groups. Get-Recipient is much faster than Get-UnifiedGroup at returning a simple set of group objects because Exchange Online has less processing to perform. All we need is the group alias and display name, so there’s no need to incur the overhead of Get-UnifiedGroup.

Handling New Groups

The code above is a one-time operation to process all the existing groups in the tenant. Of course, new groups will be created afterwards, and if we want the admin account to be The reason why we update CustomAttribute14 is to be able to find groups that are already processed because we don’t want to process them again. In fact, it wouldn’t make much difference if we ran the same code time after time because the Add-UnifiedGroupLinks cmdlet will complete and tell you that no settings of the group are changed if you try to add a member who already exists.

Applying a Filter

The code needed to find groups that are not yet processed adds a filter to exclude those where CustomAttribute14 is set to the value:

Get-Recipient -RecipientTypeDetails GroupMailbox -Filter {CustomAttribute14 -ne "Admin"} -ResultSize Unlimited

Replace the line in the original script with the line with the filter and you can find and update new groups.

One Script Does The Job

In fact, you could use the same script with the filter to do the job from the start because, the first time it’s run, the filter will find all the groups in the tenant.

$AdminAccount = "Administrator@Office365itpros.com"
Write-Host "Finding Groups..."
$Groups = (Get-Recipient -RecipientTypeDetails GroupMailbox -Filter {CustomAttribute14 -ne "Admin"} -ResultSize Unlimited | Select DisplayName, Alias)
Write-Host "Processing" $Groups.Count "groups"
ForEach ($G in $Groups) {
   Write-Host "Processing" $G.DisplayName
   Add-UnifiedGroupLinks -Identity $G.Alias -LinkType Member -Links $AdminAccount -ErrorAction SilentlyContinue
   Set-UnifiedGroup -Identity $G.Alias -CustomAttribute14 "Admin"}

You’d need to set up a schedule to look for and update groups if you really want to make sure that administrators have access to all groups in the tenant, but that’s easily done.
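The script above passes -ErrorAction SilentlyContinue and stamps CustomAttribute14 whether or not the add worked, so a group where the add failed is marked as processed and never retried. The following is an added example, not code from the original post, that stamps the marker only after reading the membership back; the report file name is an assumption, and the comparison uses the DistinguishedName property that the other scripts on this page read from Get-UnifiedGroupLinks.

```powershell
# Added example: mark a group as processed only when the admin account is confirmed as a member.
$AdminAccount = "Administrator@office365itpros.com"   # account used in the post
$Marker = "Admin"                                     # marker value used in the post
# Resolve the admin account once so membership can be compared by distinguished name
$Admin = Get-Recipient -Identity $AdminAccount -ErrorAction Stop
[array]$Groups = Get-Recipient -RecipientTypeDetails GroupMailbox -Filter {CustomAttribute14 -ne "Admin"} -ResultSize Unlimited |
    Select-Object DisplayName, Alias
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($G in $Groups) {
    $Status = "Added"
    Try {
        Add-UnifiedGroupLinks -Identity $G.Alias -LinkType Member -Links $AdminAccount -ErrorAction Stop
        # Read the membership back instead of trusting that the add succeeded
        [array]$Members = Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Member -ResultSize Unlimited
        If ($Members.DistinguishedName -contains $Admin.DistinguishedName) {
            Set-UnifiedGroup -Identity $G.Alias -CustomAttribute14 $Marker -ErrorAction Stop
        } Else {
            $Status = "Not a member after add; group left unmarked"
        }
    } Catch {
        # Leave the group unmarked so the next scheduled run picks it up again
        $Status = "Failed: $($_.Exception.Message)"
    }
    $Report.Add([PSCustomObject]@{ Group = $G.DisplayName; Alias = $G.Alias; Status = $Status })
}
# Show the groups that need attention and keep a record of the run
$Report | Where-Object { $_.Status -ne "Added" } | Format-Table -AutoSize
$Report | Export-Csv -Path .\AdminGroupAccess.csv -NoTypeInformation   # hypothetical file name
```

Because the run adds a privileged account to every group in the tenant, the exported report is worth keeping as the record of which groups the account was placed in and when.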

Isn’t PowerShell wonderful?


For more information about using PowerShell to manage Office 365 Groups, read Chapters 13 and 14 of the Office 365 for IT Pros eBook.

Use the New-UnifiedGroup Cmdlet to Create Microsoft 365 Groups with Multiple Users https://office365itpros.com/2018/08/10/new-unifiedgroup-multipleiowners/?utm_source=rss&utm_medium=rss&utm_campaign=new-unifiedgroup-multipleiowners https://office365itpros.com/2018/08/10/new-unifiedgroup-multipleiowners/#comments Fri, 10 Aug 2018 21:26:53 +0000 https://office365-ebook.com/?p=149

Confusion About How to Add Multiple Users with New-UnifiedGroup

Updated 22-Dec-2023

The New-UnifiedGroup cmdlet from the Exchange Online management module creates a new Microsoft 365 Group. In the past, Microsoft’s documentation included the statement that:

You can specify multiple owners separated by commas.

Microsoft has since removed the statement from its documentation but the fact remains that people sometimes still need to nominate multiple owners when they create Microsoft 365 groups. This article covers how to accomplish that goal.

Creating Multiple Owners with New-UnifiedGroup

Many Exchange Online cmdlets accept an array of values as input for a parameter. If this was true for the New-UnifiedGroup cmdlet, it would mean that you could pass an array containing the names of multiple group owners when creating a new Microsoft 365 group. For example:

New-UnifiedGroup -Alias MyGroup -DisplayName "My Group" -Owner "Tony@Office365itpros.com", "Paul@Office365itpros.com"

But you can’t. PowerShell responds with:

New-UnifiedGroup: Cannot process argument transformation on parameter ‘Owner’. Cannot convert value “System.Collections.Generic.List`1[System.String]” to type “Microsoft.Exchange.Configuration.Tasks.RecipientIdParameter”. Error: “Object of type ‘System.Collections.Generic.List`1[System.String]’ cannot be converted to type ‘Microsoft.Exchange.Configuration.Tasks.RecipientIdParameter’.”

Figure 1: Error adding multiple owners with the New-UnifiedGroup cmdlet

The error is unexpected, not only because it goes against the grain of “normal” Exchange Online cmdlet processing but also because you can pass the names of multiple members when creating a new Microsoft 365 group. It appears that the code used to create owners is different to that used for members. This is understandable in a way because before someone can be a group owner, they must first be added as a group member.

The ManagedBy Workaround

Fortunately, two simple workarounds exist. One is so-so, the other is much better. The first is to add multiple owners by specifying them in the ManagedBy parameter. Here’s an example:

New-UnifiedGroup -Alias "Banking.Ivestigations" -DisplayName "Banking Investigations" -Owner Tony.Redmond -ManagedBy Jessica.Chen, Tony.Redmond
Add-UnifiedGroupLinks -Identity "Banking.Ivestigations" -Links Jessica.Chen, Tony.Redmond -LinkType Members

You can see that I have specified both the Owner and ManagedBy parameter. If you don’t pass a value in Owner, Exchange Online sets the signed in user as the group owner along with the people specified in ManagedBy (a property inherited from distribution lists). The net result is that Exchange Online adds three group owners. However, Exchange Online doesn’t add the people specified in the ManagedBy property as group members, which is why I use the Add-UnifiedGroupLinks cmdlet to add those users after the creation of the new group. It is easy to forget this step and create a situation where you have multiple group owners who are not group members. This is acceptable to Entra ID and won’t cause an immediate problem, but it’s not the way that Microsoft 365 Groups are designed to work and that’s why I don’t recommend using this approach.
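To find groups where the follow-up step was forgotten, the owner list can be compared with the member list for each group. This is an added example, not code from the original post; it uses only the Get-UnifiedGroup and Get-UnifiedGroupLinks cmdlets and the DistinguishedName, Alias, and DisplayName properties that appear elsewhere on this page.

```powershell
# Added example: report Microsoft 365 groups that have owners who are not members.
[array]$Groups = Get-UnifiedGroup -ResultSize Unlimited | Select-Object DisplayName, Alias
$Findings = [System.Collections.Generic.List[Object]]::new()
ForEach ($G in $Groups) {
    [array]$Owners  = Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Owner -ResultSize Unlimited
    [array]$Members = Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Member -ResultSize Unlimited
    # Build a case-insensitive set of member distinguished names for fast lookups in large groups
    $MemberDNs = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    ForEach ($M in $Members) { [void]$MemberDNs.Add($M.DistinguishedName) }
    ForEach ($O in $Owners) {
        If (-not $MemberDNs.Contains($O.DistinguishedName)) {
            $Findings.Add([PSCustomObject]@{
                Group      = $G.DisplayName
                GroupAlias = $G.Alias
                Owner      = $O.DisplayName
                OwnerAlias = $O.Alias })
        }
    }
}
Write-Host "Owners who are not members:" $Findings.Count
$Findings | Sort-Object Group | Format-Table -AutoSize
# To repair a finding, add the owner as a member with the cmdlet used in the post:
# ForEach ($F in $Findings) { Add-UnifiedGroupLinks -Identity $F.GroupAlias -LinkType Member -Links $F.OwnerAlias }
```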

The Add-UnifiedGroupLinks Workaround

The second (and recommended) method is to create the new group with New-UnifiedGroup and then add as many owners as you want afterwards with Add-UnifiedGroupLinks. Just make sure that the people you add as owners are first added as members because a group owner has to be a member before they can be an owner. In this example, I declare the set of group owners in an array and then pass the array to the Add-UnifiedGroupLinks cmdlet:

[array]$Owners = "Ken.Bowers", "Michelle.Dubois", "Andy.Ruth", "Brian.Weakliam"
Add-UnifiedGroupLinks -Identity MyGroup -LinkType Member -Links $Owners
Add-UnifiedGroupLinks -Identity MyGroup -LinkType Owner -Links $Owners

The values supplied to the Add-UnifiedGroupLinks cmdlet must be something that Exchange Online can resolve. This can be a mailbox alias, primary SMTP address, external directory object id (the identifier for the user’s Entra ID account), display name, or even a distinguished name.


Learn about using Exchange Online, Microsoft 365 Groups, PowerShell, and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.
