Active Directory & Office 365 Reporting Tool

New-MgGroupMemberByRef – Add Users to Azure AD Group using Powershell. Do you want to simplify the process of adding users to Azure Active Directory Groups in your Azure tenant? Look no further as we introduce New-MgGroupMemberByRef, a powerful yet straightforward command to add users to Azure AD Groups via the Microsoft Graph PowerShell module.

This incredible commandlet saves you time and makes managing groups in your Azure Active Directory environment easy. In this article, we dive deep into how New-MgGroupMemberByRef transforms your admin experience, making managing user access to Azure AD groups in your organization more manageable than ever.

To use the New-MgGroupMemberByRef command, you must install Microsoft.Graph.Groups PowerShell module. 

First I show you steps how to to install the module. Then how to use the Connect-MgGraph Command to connect to your Azure tenant. 

Furthermore, I also explain the syntaxes and parameters of our focus command for this article – New-MgGroupMemberByRef. Finally, I share real life examples and applications demonstrating this command’s use to add users to Azure AD groups. 

Step 1: Install the Microsoft Graph PowerShell Modules

The Microsoft Graph provides admins access to the data in Microsoft 365. 

One of these modules is in Microsoft.Graph.Groups module that offers different cmdlets admins need to create and manage Azure AD groups via PowerShell

In addition to Microsoft.Graph.Groups, you also need Microsoft.Graph.Users. This is because you may need the Get-MgUser command to retrieve the user data required to add them to Azure AD groups. 

To install and download Microsoft.Graph.Groups and Microsoft.Graph.Users PowerShell modules, follow the steps below:

1. Search “powershell” (without the quotes) – Windows PowerShell is selected as the best match. Then, click “Run as Administrator” to open PowerShell. 

When you click “Run as Administrator,” Windows prompts you to authorize the app to make changes to your device – click Yes

By default, Windows 10 or 11 PowerShell Execution Policy denies access to running commands downloaded from the internet. This policy protects your PC from running harmful scripts from sources you do not trust. 

2. So, to bypass this default policy, open a new instance of PowerShell by explicitly specifying the RemoteSigned ExecutionPolicy. 

Curious to learn more about PowerShell Execution Policies? Run the – get-help about_execution_policies – command on PowerShell console. 

					powershell.exe -ExecutionPolicy RemoteSigned

3. PowerShell console runs remote scripts and commands, installs and downloads Microsoft.Graph.Groups and Microsoft.Graph.Users modules by running the commands below – one at a time. 

					Install-Module -Name Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Groups
Install-Module -Name Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users

Finally, run the Get-Command command, specifying the Module parameter as Microsoft.Graph.Groups and Microsoft.Graph.Users to confirm that the modules are available on your PC. 

If you have successfully installed the modules, the last command should return a bunch of results – displaying all the cmdlets in the modules. 

					Get-Command -Module Microsoft.Graph.Groups, Microsoft.Graph.Users

Step 2: Authenticate to Azure AD with the Connect-MgGraph Command

The next step to using the New-MgGroupMemberByRef command to add users to the Azure AD group using Powershell is to authenticate and connect to your Azure tenant – granting the Microsoft Grap access to your tenant. 

You need the Connect-MgGraph command for this. Remember to specify the Scopes parameter. 

This required parameter allows you to provide the scopes you need during your Microsoft Graph Azure tenant connection session.

So, the first step is to list all the cmdlets you need to perform tasks in Azure AD. In that regard, we need the New-MgGroupMemberByRef and Get-MgUser cmdlets to add users to Azure groups. 

However, since I need to create a new group to demonstrate adding users to groups, I also need to run the New-MgGroup cmdlet in my session. 

So, next step is to run the Find-MgGraphCommand command to determine the scopes you need to specify when you run the Connect-MgGraph Command.

Follow these steps to authenticate to your Azure AD tenant. 

1. Execute the Find-MgGraphCommand command below to list the scopes you need. 

					Find-MgGraphCommand -command New-MgGroup, Get-MgUser, New-MgGroupMemberByRef | Select -First 1 -ExpandProperty Permissions

If you do not need to run the New-MgGroup command to create new Azure Active Directory groups, run this command instead. 

					Find-MgGraphCommand -command New-MgGroupMemberByRef | Select -First 1 -ExpandProperty Permissions

Unfortunately, the last command does not return the scopes required to run the New-MgGroupMemberByRef command. I suspect that this could be a bug. 

However, from my experience you require the GroupMember.ReadWrite.All scope to successfully run the New-MgGroupMemberByRef command.  

Therefore, based on the result of my first Find-MgGraphCommand above and the information I provided in the last paragraph, I need the following scopes for my commands:

GroupMember.ReadWrite.All, Group.ReadWrite.All, and Directory.ReadWrite.All

2. Therefore, I run the Connect-MgGraph command with the above scopes.  

					Connect-MgGraph -Scopes GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All

When you run the command, PowerShell displays a sign-in dialogue requesting your Azure login email address. Enter the email address and click Next.

3. Next, enter the password for your Azure account and click Sign in

4. Finally, grant Microsft Graph PowerShell access to your Azure tenant by selecting “Consent on behalf of your organization,” then click Accept.

It is a good idea to confirm that you have the correct scope for your session. To do this, run the Get-MgContext command. 

					Get-MgContext | Select-Object -ExpandProperty Scopes

Step 3: Learn the Syntaxes of the New-MgGroupMemberByRef Cmdlet

To successfully use the New-MgGroupMemberByRef PowerShell command to add users to Azure AD Groups, it is critical to understand its syntaxes (available commands) and parameters (command options). 

The New-MgGroupMemberByRef command has four syntaxes. Here are the 4 syntaxes with only the required parameters. 

					New-MgGroupMemberByRef -GroupId (String) [-OdataId (String)]
New-MgGroupMemberByRef -GroupId (String) [-BodyParameter (IReferenceCreate)]
New-MgGroupMemberByRef -InputObject (IGroupsIdentity) [-OdataId (String)]
New-MgGroupMemberByRef -InputObject (IGroupsIdentity) [-BodyParameter (IReferenceCreate)]

To reduce the complexity of the syntaxes, I omitted optional parameters. However, if you want to learn the optional parameters, visit the online page for the New-MgGroupMemberByRef cmdlet. Alternatively, run the Get-Help command with the Online parameter, as shown below. 

					Get-Help New-MgGroupMemberByRef -Online

Regarding the syntaxes of the New-MgGroupMemberByRef cmdlet, the first two use the GroupId parameter to reference the Azure AD group that you want to add members to. In addition to the GroupId, the first syntax has the OdataId parameter that specifies the Microsoft Graph API odata ID for the users directory Object you wish to add to the Azure AD group. 

To specify the odata ID, use the format below:


userupn is the UPN of the Azure AD user you want to add to the group specified with the group ID. The examples section of this guide explains how to use the odataID parameter. 

Unlike the first syntax, the second syntax uses the BodyParameter instead of the OdataID parameter. Use the BodyParameter parameter to create a Microsoft.Graph.PowerShell.Models.IReferenceCreate hashtable. 

Below is a sample hashtable you use as the BodyParameter parameter. 

					$bodyparams = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/users/userupn"


While the first two syntaxes use the GroupID parameter to reference the Azure AD group, the last two use the InputObject parameter to specify a Microsoft.Graph.PowerShell.Models.IGroupsIdentity object. 

					New-MgGroupMemberByRef -InputObject (IGroupsIdentity) [-OdataId (String)]
New-MgGroupMemberByRef -InputObject (IGroupsIdentity) [-BodyParameter (IReferenceCreate)]

Looking at the 2 syntaxes, you see that they also have the OdataID and BodyParameters in the first two syntaxes.  

					New-MgGroupMemberByRef -GroupId (String) [-OdataId (String)]
New-MgGroupMemberByRef -GroupId (String) [-BodyParameter (IReferenceCreate)]

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Step 4: Add Users to Azure AD Group Using the New-MgGroupMemberByRef PowerShell Command (Examples)

In this article’s 1 step, I discussed how to install Microsoft.Graph.Groups PowerShell Module – to access the New-MgGroupMemberByRef commandlet. Then, the article’s 2 section explains how to authenticate and connect to Azure AD with the Connect-MgGraph command.

I also used the 3 step to explain the syntaxes and parameters of the New-MgGroupMemberByRef cmdlt. 

This section shows some examples of adding users to Azure AD group using the New-MgGroupMemberByRef PowerShell cmdlet. 

My first example explains how to use the New-MgGroup command to create a new Azure AD group. Essential, if you want to create a group before adding users to the new group. 

Example 1: Create a New Azure AD Group with the New-MgGroup command

In this example, I want to create a security group in Azure Active Directory. So, I run the command below from the Microsoft PowerShell console I established an Azure AD session using the Connect-MgGraph Command.

					New-MgGroup -DisplayName 'NewSecurityGroup' -MailEnabled:$False  -MailNickName 'NewSecurityGroup' -SecurityEnabled

If the command runs successfully, it should create the security group and displays some of its properties on the PowerShell console. 

Example 2: Add a User to an Azure AD Group with the GroupID and OdataID Parameters

One of the syntaxes I explained earlier has the GroupID and OdataID parameters. 

					New-MgGroupMemberByRef -GroupId (String) [-OdataId (String)]

1. To use this syntax to add users to the group I created in example 1 above, I get the group’s ID with the command below. 

					$Groupid = (Get-MgGroup | Where-Object {$_.DisplayName -eq "NewSecurityGroup"}).id

It returns the Azure AD group’s ID and saves it in the $Groupid variable. 

2. Next step is to create the string you need for the OdataId parameter. Earlier, I explained that the format of the OdataID is…


The last part of the Odata string is the Azure AD user’s UPN. So, we need to get this information with the Get-MgUser command.

In my example, I want to find the UPN for my user account. To filter the result of the Get-MgUser command, I use the Displayname Property.

					Get-MgUser | Where-Object {$_.DisplayName -eq 'Victor Ashiedu'}

The command shows that my Azure AD environment has 3 users with the same DisplayName. 

To return only 1 user, I include the UserPrincipalName to the Where-Object filter. 

					Get-MgUser | Where-Object {($_.DisplayName -eq 'Victor Ashiedu') -and ($_.UserPrincipalName -like '*@itechguides.com*')}

Modified command now returns a single user. 

Nevertheless, to make it easy to use the UPN in the Odata ID parameter, I save the result of the last command in a variable.

					$UserUPN = (Get-MgUser | Where-Object {($_.DisplayName -eq 'Victor Ashiedu') -and ($_.UserPrincipalName -like '*@itechguides.com*')}).UserPrincipalName

3. Next, I create the Odata ID string. 

					$odadaID = "https://graph.microsoft.com/v1.0/users/$UserUPN"

4. Finally, I add the user with the UPN saved in the $UserUPN variable using the command below. 

					New-MgGroupMemberByRef -GroupId $GroupId -OdataId $odadaID

Some admins may want to confirm that the last command added the user to the group by running the Get-MgGroupMember command. Here is a sample. 

					Get-MgGroupMember -GroupId $GroupId

Unfortunately, the Get-MgGroupMember command returns just the user IDs of the group members. Therefore, if an admin wants to see the full properties of the users, pipe the last command to ForEach-Object and use the Get-MgUser to display information about the group members

					Get-MgGroupMember -GroupId $GroupId | ForEach-Object { $UserID = $_.Id; Get-MgUser -UserId $UserID }

Excitingly, the last command returns more useful information about all the users of the Azure AD group

Example 3:Add Multiple Users to an Azure AD Group with the New-MgGroupMemberByRef Command

Some admins may need to add multiple users to an Azure Active Directory group.

To show this scenario in action, I refer to a command I used to return my user account in the last example. 

					Get-MgUser | Where-Object {$_.DisplayName -eq 'Victor Ashiedu'}

If you recollect, the command returned 3 user accounts. 

Use the script below to add all the users returned by the last command to a group whose group ID is saved in the $Groupid variable. 

					Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"
Get-MgUser | Where-Object {$_.DisplayName -eq 'Victor Ashiedu'} | ForEach-Object {
$UserUPN = $_.UserPrincipalName
$odadaID = "https://graph.microsoft.com/v1.0/users/$UserUPN"
$Groupid = (Get-MgGroup | Where-Object {$_.DisplayName -eq "NewSecurityGroup"}).id
New-MgGroupMemberByRef -GroupId $GroupId -OdataId $odadaID -erroraction SilentlyContinue

The first line of the script authenticates to an Azure tenant by running the Connect-MgGraph command. Then, line two returns the users to add to an Azure AD group with the Get-MgUser command and pipes the users to the ForEach-Object that iterates through the users. 

Within the ForEach-Object loop, line three saves the UPN for each user in the $UserUPN by calling the pipeline variable $_.UserPrincipalName. Subsequently, in line four, I use the $UserUPN variable to create a string for the $odadaID variable. 

Furthermore, the command in line five saves the group ID of the Azure AD group to add the users in the $Groupid variable. Finally, in line six, I use the New-MgGroupMemberByRef command to add each user to the Azure Active Directory group. 

Example 4:Add a User to an Azure AD Group with the GroupID and BodyParameter Parameters

So far, all the examples have used the GroupID and OdataId parameters of the New-MgGroupMemberByRef commandlet. But, if you recollect, one of the syntaxes of this Microsoft Graph cmdlet uses the GroupID and BodyParameter (instead of OdataId) parameters. 

If you need a see the syntax once again, here it is:

					New-MgGroupMemberByRef -GroupId (String) [-BodyParameter (IReferenceCreate)]

The most significant difference between the BodyParameter and OdataId parameters is how you use them. While you specify the Odata ID string directly on the OdataId, when using the BodyParameter parameter, you set a Microsoft.Graph.PowerShell.Models.IReferenceCreate object.

So, to add a user to an Azure AD group using the BodyParameter parameter of the New-MgGroupMemberByRef PowerShell command, create a Microsoft.Graph.PowerShell.Models.IReferenceCreate hashtable first. 

					$UserUPN = (Get-MgUser | Where-Object {($_.DisplayName -eq 'Victor Ashiedu') -and ($_.UserPrincipalName -like '*@itechguides.com*')}).UserPrincipalName
$BodyParams = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/users/$UserUPN"


The first command returns the UPN of the user you want to add to an Azure AD group while the command in line two creates the IReferenceCreate hashtable you need for the BodyParameter parameter. 

Next step, run the following commands to add the user to the group with the group ID saved in the $Groupid variable. 

					$UserUPN = (Get-MgUser | Where-Object {($_.DisplayName -eq 'Victor Ashiedu') -and ($_.UserPrincipalName -like '*@itechguides.com*')}).UserPrincipalName
$BodyParams = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/users/$UserUPN"
$Groupid = (Get-MgGroup | Where-Object {$_.DisplayName -eq "NewSecurityGroup"}).id
New-MgGroupMemberByRef -GroupId $GroupId -BodyParameter $BodyParams

New-MgGroupMemberByRef - Add Users to Azure AD Group using PowerShell Conclusion

The Microsoft Graph PowerShell modules provide admins with a robust option to manage Azure Active Directory groups. However, the Microsoft Graph PowerShell module has so many sub-modules, so you need to know the sub-module(s) you need to manage groups. 

In this regard, you require Microsoft.Graph.Groups and Microsoft.Graph.Users modules. But before using these modules, you must install and download them. 

After downloading them, you must connect to your Azure tenant by running the Connect-MgGraph command. However, to run this command, specify the scopes you need to run commands in a Microsft Graph Azure session.

To get the scopes you need, use the Find-MgGraphCommand command. Finally, authenticate to your Azure tenant and use the New-MgGroupMemberByRef command to add Azure AD users to a group. 

We hope that by following the steps and examples in this guide, you added Azure AD users to a group. 


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Victor Ashiedu

Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.

Leave a comment

Your email address will not be published. Required fields are marked *