Bulk Create Mail-Disabled Security Groups Using Graph PowerShell

Creating multiple security groups manually from the Microsoft 365 admin center can be time-consuming and error-prone—especially in large organizations. With Graph PowerShell automation, administrators can quickly and reliably provision mail-disabled security groups in bulk, saving time and ensuring consistency. This script-driven approach is especially useful during large deployments, tenant migrations, or onboarding scenarios.


The Script

📌 Note: The following script is used to bulk-create security groups in Microsoft 365. It uses a CSV file containing group details and loops through each entry to create security groups using Graph PowerShell.

⚠️ Important: To create security groups (not Microsoft 365 groups), ensure that the following fields are specified correctly:

  • securityEnabled = $true
  • groupTypes = @()

If these are omitted or misconfigured, the script will default to creating Microsoft 365 Unified groups instead of security groups.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Import the CSV
$groups = Import-Csv -Path "MailDisabledSecurityGroups.csv"

# Create each group
foreach ($group in $groups) {
    # securityEnabled = $true plus an empty groupTypes array requests a security group
    $BodyParams = @{
        displayName     = $group.displayName
        mailEnabled     = $false
        mailNickname    = $group.mailNickname
        securityEnabled = $true
        groupTypes      = @()
    }

    try {
        # -ErrorAction Stop makes non-terminating errors reach the catch block
        New-MgGroup -BodyParameter $BodyParams -ErrorAction Stop
        Write-Host "✅ Created: $($group.displayName)" -ForegroundColor Green
    } catch {
        Write-Host "❌ Failed: $($group.displayName)" -ForegroundColor Red
        Write-Host $_.Exception.Message
    }
}

CSV File Details

displayName,mailNickname
Security Group 201,secgroup201
Security Group 202,secgroup202
Security Group 203,secgroup203
Security Group 204,secgroup204
Security Group 205,secgroup205

How the Script Works

  1. Connect to Microsoft Graph: Uses Connect-MgGraph with Group.ReadWrite.All delegated permissions to authenticate.

  2. Import CSV: Reads the group data from a local CSV file named MailDisabledSecurityGroups.csv.

  3. Loop Through CSV Entries: Each row is processed inside a foreach loop where:

    • The required parameters like displayName and mailNickname are passed.
    • Most importantly, the script sets:
      • securityEnabled = $true (essential to make it a security group)
      • groupTypes = @() (empty array is necessary — otherwise a Unified group is created)

  4. Group Creation Attempt: Each group is created using New-MgGroup. If successful, a success message appears; if it fails, the error is shown.


Further Enhancements

  • Add Logging: Capture group creation logs to a file using Out-File.
  • Pre-validation: Check if a group with the same name or mail nickname already exists.
  • Send Notification: Alert admins via email on success/failure.
  • Add Retry Logic: Automatically retry failed attempts with exponential backoff.
  • Parameterize CSV Path: Allow passing the CSV path as a parameter for reusability.
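The sketch below combines three of these enhancements (parameterized CSV path, pre-validation, file logging) and adds a post-creation check that the returned group really is a mail-disabled security group. It is an added example, not part of the original script; the log file name and the mailNickname allow-list are assumptions made for illustration.

```powershell
# Added example: hardened variant of the page's loop (not the original script).
param(
    [Parameter(Mandatory)][string]$CsvPath,       # CSV path passed in, not hard-coded
    [string]$LogPath = ".\GroupCreation.log"      # hypothetical log file name
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append
}

Connect-MgGraph -Scopes "Group.ReadWrite.All"
$seen = @{}   # mailNicknames already handled in this run

foreach ($row in Import-Csv -Path $CsvPath) {
    $name = "$($row.displayName)".Trim()
    $nick = "$($row.mailNickname)".Trim()

    # Conservative allow-list (assumption: stricter than Graph itself requires)
    if (-not $name -or $nick -notmatch '^[A-Za-z0-9._-]{1,64}$') {
        Write-Log "SKIP invalid row: '$name' / '$nick'"; continue
    }
    if ($seen.ContainsKey($nick)) {
        Write-Log "SKIP duplicate in CSV: $nick"; continue
    }
    $seen[$nick] = $true

    try {
        # Pre-validation: the allow-list above excludes quotes, so $nick is
        # safe to interpolate into the OData filter string.
        if (Get-MgGroup -Filter "mailNickname eq '$nick'" -ErrorAction Stop) {
            Write-Log "SKIP already exists: $nick"; continue
        }
        $body = @{
            displayName = $name; mailNickname = $nick
            mailEnabled = $false; securityEnabled = $true; groupTypes = @()
        }
        $created = New-MgGroup -BodyParameter $body -ErrorAction Stop

        # Post-check: confirm the tenant returned a mail-disabled security group
        if ($created.SecurityEnabled -and -not $created.MailEnabled -and -not $created.GroupTypes) {
            Write-Log "OK $name ($($created.Id))"
        } else {
            Write-Log "WARN unexpected group type for $name ($($created.Id))"
        }
    } catch {
        Write-Log "FAIL ${name}: $($_.Exception.Message)"
    }
}
```

Because security groups are commonly used to grant access, the log doubles as an audit trail of which groups the run created, skipped, or failed on.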

Note: You cannot bulk-create mail-enabled security groups or distribution lists using Graph PowerShell. If you try, you’ll get the following error: New-MgGroup : Cannot Create a mail-enabled security groups and or distribution list. You need to use Exchange PowerShell for this.


Possible Errors & Solutions

Error | Cause | Solution
Access Denied | Missing permissions | Ensure Group.ReadWrite.All is granted and consented
MailNickname already in use | Duplicate mail nickname | Use unique mailNickname values in CSV
Invalid group type | Incorrect or missing groupTypes | Always set groupTypes = @() for security groups
Connect-MgGraph fails | Auth issue | Ensure your account has delegated admin rights

Conclusion

This script enables administrators to automate the bulk creation of mail-disabled security groups using Graph PowerShell with accuracy and efficiency. By enforcing proper flags like securityEnabled = $true and groupTypes = @(), it ensures correct group type provisioning and avoids misconfiguration.

Incorporating such automation not only reduces manual workload but also promotes consistent governance across the organization’s Microsoft 365 environment.


© m365corner.com. All Rights Reserved. Design by HTML Codex