I'm trying to create a number of dynamic groups from the department name attribute in AD, then create and add to a security group. This info would be in 2 columns in a csv (department and groupname).
I put together this script but it comes back and asks if it is mailenabled and the mailnickname. I thought the -MailEnabled $false would handle this. What am I missing here?

    # Loop through each department in the CSV
    foreach ($dept in $departments) {
        # Get the group name from the GroupName column
        $groupName = $dept.GroupName
        # Create the dynamic group
        New-AzureADMSGroup -DisplayName $groupName
            -MailEnabled $false
            -SecurityEnabled $true
            -GroupTypes "DynamicMembership"
            -MembershipRule "user.department -eq '$dept.Department'"
            -MembershipRuleProcessingState "On"
        Write-Host "Created dynamic group: $groupName"
    }

Parameters on a new line without a line continuation (backtick `) will just result in an error. You will need to put a backtick at the end of each line or use splatting (this is the cleaner approach).
The other problem is that mailNickname is required; you can see that in the API doc:

| Property | Type | Description |
|---|---|---|
| mailNickname | String | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE. Required. |

And the third issue will be in your dynamic group membership rule:

    "user.department -eq '$dept.Department'"

You're not allowing it to expand to the .Department corresponding value; you should use the subexpression operator $( ):

    "user.department -eq '$($dept.Department)'"

In summary:

    # Loop through each department in the CSV
    foreach ($dept in $departments) {
        # Create the dynamic group
        $newAzureADMSGroupSplat = @{
            DisplayName                   = $dept.GroupName
            # MailNickname is required: you must use a value here, could use $dept.GroupName
            MailNickname                  = $dept.GroupName
            MailEnabled                   = $false
            SecurityEnabled               = $true
            GroupTypes                    = 'DynamicMembership'
            MembershipRule                = "user.department -eq '$($dept.Department)'"
            MembershipRuleProcessingState = 'On'
        }
        New-AzureADMSGroup @newAzureADMSGroupSplat
        Write-Host "Created dynamic group: $($dept.GroupName)"
    }
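
A pre-flight check for the CSV rows, as an added example that is not part of the original answer: it turns the group name into a mailNickname that satisfies the character rules quoted above and rejects department values containing quote characters before they are interpolated into the membership rule. `ConvertTo-MailNickname` and `New-DynamicGroupParams` are hypothetical helper names, the CSV rows are constructed, and the loop only prints the parameters instead of calling New-AzureADMSGroup.

```powershell
# Added example; ConvertTo-MailNickname and New-DynamicGroupParams are hypothetical helpers.
function ConvertTo-MailNickname {
    param([Parameter(Mandatory)][string]$Name)
    # The quoted doc allows ASCII 0-127 except @ ( ) \ [ ] " ; : < > , and SPACE.
    # Assumption: control characters are dropped too (stricter than the doc).
    $clean = -join ($Name.ToCharArray() | Where-Object {
        [int]$_ -gt 32 -and [int]$_ -lt 127 -and '@()\[]";:<>,'.IndexOf($_) -lt 0
    })
    if ($clean.Length -eq 0) { throw "No usable mailNickname characters in '$Name'" }
    if ($clean.Length -gt 64) { $clean = $clean.Substring(0, 64) }  # documented maximum
    $clean
}

function New-DynamicGroupParams {
    param([Parameter(Mandatory)]$Row)
    # A quote or backtick in the value would change the structure of the rule string.
    if ([string]::IsNullOrWhiteSpace($Row.Department) -or $Row.Department -match '[''"`]') {
        throw "Department value rejected: $($Row.Department)"
    }
    @{
        DisplayName                   = $Row.GroupName
        MailNickname                  = ConvertTo-MailNickname $Row.GroupName
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = 'DynamicMembership'
        MembershipRule                = "user.department -eq '$($Row.Department)'"
        MembershipRuleProcessingState = 'On'
    }
}

# Constructed sample rows standing in for Import-Csv output.
$departments = @'
Department,GroupName
Finance,SG Finance Users
R&D,SG-R&D
O'Brien Team,SG-OBrien
'@ | ConvertFrom-Csv

foreach ($dept in $departments) {
    try {
        $params = New-DynamicGroupParams -Row $dept
        # Dry run: review the output, then call New-AzureADMSGroup @params here.
        '{0} -> nickname {1}, rule {2}' -f $params.DisplayName, $params.MailNickname, $params.MembershipRule
    } catch {
        Write-Warning "Skipped row: $_"
    }
}
```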