Let’s discuss how to add Microsoft Entra Users to Group Membership using Microsoft Graph API and PowerShell Script. If you’re an administrator working with Microsoft Intune or Microsoft Entra, creating users in Entra and adding them to specific groups is a routine part of your day. You may also frequently receive requests to add users to existing Microsoft 365 or security groups in Microsoft Entra.
Manually adding users to Microsoft 365 or security groups has always been a frustrating experience for me. I’ve never enjoyed repetitive tasks, so I decided to automate this process using Microsoft Graph API and PowerShell scripting.
Groups empower resource owners and Microsoft Entra directory administrators to efficiently assign a predefined set of permissions to all members. Furthermore, directory or resource owners can delegate group management to individuals such as department heads or help desk admins, enabling them to add or remove members as needed.
In this article, we’ll explore how to add Microsoft Entra users to group memberships using Microsoft Graph API and PowerShell. It’s important to note that when adding multiple members in a single request through the API or script, you can include up to 20 entities, whether they are users, devices, service principals, or other resources.
Add Microsoft Entra Users to Group Membership using Microsoft Graph API and PowerShell Script – Core User Types in Entra ID
Microsoft Entra ID organizes identities into different user types to seamlessly manage access across internal teams and external collaborators. At its core are Members, who are typically employees added directly to the tenant and given broad access to organizational resources. Guests, in contrast, are users from outside the organization, such as vendors, clients, or partners, who are brought in for specific collaboration scenarios and generally have limited access privileges.

Beyond these, Entra also accommodates External Members, users from other Entra tenants who are assigned member-level permissions within your environment, and External Guests, who remain at the guest level and often sign in using federated identity providers. This layered structure provides flexibility while maintaining strong boundaries between internal control and external engagement.
Understanding these differences is essential for effective access governance and automation. Members often hold elevated privileges and can assume administrative roles, while Guests are best suited for tightly scoped application or data access. When building automation workflows with tools like PowerShell or Microsoft Graph API, categorizing users by type becomes critical for targeting the right accounts and enforcing policies with precision.
What is Microsoft Graph?
I’ve already authored numerous articles explaining how Microsoft Graph works. But if you’re reading my content for the first time, let me walk you through it again. I recommend exploring my other articles to dive deeper into Microsoft Graph automation; they cover a wide range of use cases and practical workflows that can enrich your understanding. Driven by my passion for automation, I have always been intrigued by exploring Microsoft Graph API and PowerShell.
Microsoft Graph is an API (application programming interface) that provides a single endpoint, https://graph.microsoft.com, for accessing data, intelligence, and insights from Microsoft 365 and other Microsoft Cloud services, including Microsoft 365, Windows, and Enterprise Mobility + Security.
This Microsoft Graph API is designed to perform the same range of Intune operations as those available through the Azure Portal. By using Microsoft Graph, developers can build intelligent applications that leverage the power of Microsoft 365 and other Microsoft services to enhance productivity and collaboration.
How to Get Object ID of the Target Group
The endpoint below retrieves the Group ID details. Note down the Object ID of the target group to proceed further.
- Sign in to the Graph Explorer with your credentials.
- Type the URL below, select the GET request method, and click Run query.
https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'TEST-UserGroup'&$select=id,displayName
Make sure to replace the group name, i.e., TEST-UserGroup, with your group name. Within seconds of clicking Run query, you will receive a success message with the text ‘OK -200.’
Permission | Description | Admin consent required |
---|---|---|
GroupMember.Read.All | Allows the app to list groups, read basic group properties and read membership of all your groups. | Yes |
Add Microsoft Entra Users to Group Membership using Microsoft Graph API and PowerShell Script. Table.01
The Response preview box will show the desired output. You should have at least GroupMember.Read.All permission to run the query. Make a note of the Object ID of the target group.

How to Get Object ID of the Target User
Next, we need to retrieve the user’s Object ID using the endpoint below. You should use the GET API request method.
https://graph.microsoft.com/v1.0/users?$filter=displayName eq 'User'&$select=displayName,id
You should replace the user’s name, i.e., User, with your user’s display name. When you click on Run query, you will receive a success message with the text ‘OK -200.’ The Response preview box will show the desired output.
You should have at least User.ReadWrite.All permission to run the query. Note down the Object ID of the target user.

How to Add a User to an Intune Group
Let’s learn how to add a single Entra user to a security group using Microsoft Graph API. Add the selected user to the target group using the POST request below.
https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
Change the request method from GET to POST and paste the JSON below into the Request Body. Make sure to replace {User-id} with the Object ID of the user.
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{User-id}"
}

Click on Run query to execute the API call. Within a few seconds of clicking Run query, you will receive a success message with the text No Content – 204. The Response preview panel will not have any output to display.
PowerShell Script to Add a User to an Intune Group
Let’s automate the complete process of adding a user to an Intune group. The code below prompts for a group name and a user name and fetches their IDs. You must install the Microsoft Graph PowerShell modules before you use this script.
NOTE! Use the Connect-MgGraph command to sign in with the required scopes. You'll need to sign in with an admin account to consent to the required scopes.
##########################################################################
#Add-SingleUsertoEntraGroup.ps1
#Author : Sujin Nelladath
#LinkedIn : https://www.linkedin.com/in/sujin-nelladath-8911968a/
############################################################################
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "User.ReadWrite.All"
# Define Microsoft Graph API endpoint
$GraphBaseURL = "https://graph.microsoft.com/v1.0"
# Function to get Group ID by name (returns the first match; display names are not unique)
function Get-GroupID {
    param ([string]$GroupName)
    # Double single quotes so the name stays inside the OData string literal
    $SafeName = $GroupName.Replace("'", "''")
    $GroupURL = "$GraphBaseURL/groups?`$filter=displayName eq '$SafeName'"
    $Group = Invoke-MgGraphRequest -Uri $GroupURL -Method GET
    return $Group.value[0].id
}
# Function to get User ID by name (returns the first match; display names are not unique)
function Get-UserID {
    param ([string]$UserName)
    # Double single quotes so the name stays inside the OData string literal
    $SafeName = $UserName.Replace("'", "''")
    $UserURL = "$GraphBaseURL/users?`$filter=displayName eq '$SafeName'"
    $User = Invoke-MgGraphRequest -Uri $UserURL -Method GET
    return $User.value[0].id
}
# Prompt user for Group Name
$GroupName = Read-Host "Enter Intune group name"
$GroupName = $GroupName.Trim()
$GroupID = Get-GroupID -GroupName $GroupName
if (!$GroupID)
{
    Write-Host "Group not found. Exiting."
    exit
}
# Prompt user for User Name
$UserName = Read-Host "Enter User name"
$UserName = $UserName.Trim()
$UserID = Get-UserID -UserName $UserName
if (!$UserID)
{
    Write-Host "User not found. Exiting."
    exit
}
# Add User to Group
$AddMemberURL = "$GraphBaseURL/groups/$GroupID/members/`$ref"
$Body = @{ "@odata.id" = "$GraphBaseURL/directoryObjects/$UserID" } | ConvertTo-Json
Invoke-MgGraphRequest -Uri $AddMemberURL -Method POST -Body $Body
Write-Host "User $UserName successfully added to group $GroupName"
I have uploaded the PowerShell script to my GitHub repository. You may access it from there for further use.
Download : Add-SingleUsertoEntraGroup.ps1
PowerShell Script to Add Multiple Users to an Intune Group
Let’s learn how to automate the complete process of adding multiple users to an Intune group. The code below supports comma-separated user input and validates each user before attempting the add.
##########################################################################
#Add-MultipleUsersToEntraGroup.ps1
#Author : Sujin Nelladath
#LinkedIn : https://www.linkedin.com/in/sujin-nelladath-8911968a/
##########################################################################
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "User.ReadWrite.All"
# Define Microsoft Graph API endpoint
$GraphBaseURL = "https://graph.microsoft.com/v1.0"
# Function to get Group ID by name (returns the first match; display names are not unique)
function Get-GroupID {
    param ([string]$GroupName)
    # Double single quotes so the name stays inside the OData string literal
    $SafeName = $GroupName.Replace("'", "''")
    $GroupURL = "$GraphBaseURL/groups?`$filter=displayName eq '$SafeName'"
    $Group = Invoke-MgGraphRequest -Uri $GroupURL -Method GET
    return $Group.value[0].id
}
# Function to get User ID by name (returns the first match; display names are not unique)
function Get-UserID {
    param ([string]$UserName)
    # Double single quotes so the name stays inside the OData string literal
    $SafeName = $UserName.Replace("'", "''")
    $UserURL = "$GraphBaseURL/users?`$filter=displayName eq '$SafeName'"
    $User = Invoke-MgGraphRequest -Uri $UserURL -Method GET
    return $User.value[0].id
}
# Prompt for group name
$GroupName = Read-Host "Enter Intune group name"
$GroupName = $GroupName.Trim()
$GroupID = Get-GroupID -GroupName $GroupName
if (!$GroupID) {
    Write-Host "Group not found. Exiting."
    exit
}
# Prompt for multiple user names (comma-separated); blank entries are dropped
$UserNamesInput = Read-Host "Enter user display names separated by commas"
$UserNames = $UserNamesInput -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($UserName in $UserNames) {
    $UserID = Get-UserID -UserName $UserName
    if ($UserID) {
        # One POST per user to the group's members/$ref endpoint
        $AddMemberURL = "$GraphBaseURL/groups/$GroupID/members/`$ref"
        $Body = @{ "@odata.id" = "$GraphBaseURL/directoryObjects/$UserID" } | ConvertTo-Json
        Invoke-MgGraphRequest -Uri $AddMemberURL -Method POST -Body $Body
        Write-Host "User $UserName added to group $GroupName" -ForegroundColor Green
    } else {
        Write-Host "User $UserName not found. Skipping." -ForegroundColor Red
    }
}
I have uploaded the PowerShell script to my GitHub repository. You may access it from there for further use.
Download : Add-MultipleUsersToEntraGroup
As per the response message, the user has been successfully added to Intune Group. Sign in to the Microsoft Intune Admin portal and verify it.
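Two details matter when these scripts grant access: a displayName filter can match several objects, and the 20-object limit from the introduction applies to a single PATCH on /groups/{group-id} carrying a members@odata.bind array. The following is an added example, not the author's script; the helper names (Resolve-UniqueId, New-MemberBatchBody, Add-MembersInBatches) and every sample ID are constructed for illustration.

```powershell
# Added example: hypothetical helper names, constructed sample data.
$GraphBaseURL = "https://graph.microsoft.com/v1.0"
$GuidPattern  = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# Return the object ID only when the displayName filter matched exactly one object.
function Resolve-UniqueId {
    param ([string]$Name, [array]$Candidates)
    if ($Candidates.Count -eq 0) { throw "No object named '$Name'." }
    if ($Candidates.Count -gt 1) {
        $ids = ($Candidates | ForEach-Object { $_.id }) -join ', '
        throw "'$Name' is ambiguous ($ids). Re-run with the object ID."
    }
    return $Candidates[0].id
}

# Build one JSON body per PATCH request, at most 20 member references each.
function New-MemberBatchBody {
    param ([string[]]$ObjectIds, [int]$BatchSize = 20)
    $unique = @($ObjectIds | ForEach-Object { $_.ToLower() } | Select-Object -Unique)
    foreach ($id in $unique) {
        # Only GUIDs may be placed into the directoryObjects URL.
        if ($id -notmatch $GuidPattern) { throw "Not an object ID: '$id'" }
    }
    for ($i = 0; $i -lt $unique.Count; $i += $BatchSize) {
        $last = [Math]::Min($i + $BatchSize, $unique.Count) - 1
        $refs = @($unique[$i..$last] | ForEach-Object { "$GraphBaseURL/directoryObjects/$_" })
        @{ "members@odata.bind" = $refs } | ConvertTo-Json
    }
}

# Send the batches; requires Connect-MgGraph with GroupMember.ReadWrite.All.
function Add-MembersInBatches {
    param ([string]$GroupId, [string[]]$ObjectIds)
    if ($GroupId -notmatch $GuidPattern) { throw "Not a group object ID: '$GroupId'" }
    foreach ($body in @(New-MemberBatchBody -ObjectIds $ObjectIds)) {
        Invoke-MgGraphRequest -Uri "$GraphBaseURL/groups/$GroupId" -Method PATCH -Body $body
    }
}

# Offline demonstration with constructed values (no Graph call is made).
$response = @{ value = @(
    @{ id = "11111111-1111-1111-1111-111111111111"; displayName = "Alex Doe" },
    @{ id = "22222222-2222-2222-2222-222222222222"; displayName = "Alex Doe" }) }
try { Resolve-UniqueId -Name "Alex Doe" -Candidates $response.value }
catch { Write-Host "Refused: $($_.Exception.Message)" }

$ids    = 1..45 | ForEach-Object { "00000000-0000-0000-0000-{0:d12}" -f $_ }
$bodies = @(New-MemberBatchBody -ObjectIds $ids)
Write-Host "$($bodies.Count) request bodies for $($ids.Count) users"
```

Graph rejects a PATCH batch as a whole when any listed object is already a member of the group, so remove existing members from the list first or fall back to single POST calls for that batch.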

I trust that this article will significantly benefit you and your organization. I appreciate your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About the Author: Sujin Nelladath, a Microsoft Graph MVP with over 11 years of experience in SCCM device management and Automation solutions, writes and shares his experiences with Microsoft device management technologies, Azure, DevOps and PowerShell automation.