Using Get-MgGroupOwner in Graph PowerShell

The Get-MgGroupOwner cmdlet in Microsoft Graph PowerShell allows administrators to retrieve the owners of Microsoft 365 Groups. Group owners are essential members with elevated privileges, such as managing group settings, adding or removing members, and overall administration of the group.

This article will dive deep into how to use Get-MgGroupOwner to extract essential owner details, including their email addresses and user principal names (UPNs), by nesting Get-MgUser within Get-MgGroupOwner. We will cover syntax, usage examples, cmdlet tips, possible errors, solutions, and use cases to help administrators get the most out of this cmdlet.

Cmdlet Syntax

Get-MgGroupOwner -GroupId <String>

Parameters:

  • -GroupId: (required) The unique identifier (ID) of the Microsoft 365 group from which you want to retrieve the owners.

Important Notes: The Get-MgGroupOwner cmdlet only returns user IDs by default. To obtain detailed information about each user (such as display names or UPNs), you must use the Get-MgUser cmdlet to query additional user details.

Usage Examples

Example 1: Retrieve Group Owner IDs

This example demonstrates how to retrieve only the owner IDs of a specified Microsoft 365 Group using the Get-MgGroupOwner cmdlet.


    # Retrieve the owner IDs of a group
    Get-MgGroupOwner -GroupId '7bf57d88-42e1-4c8b-8a44-5a6f04a29073' | Select-Object Id

This command fetches the owner IDs of the group with the specified GroupId. The output will be a list of GUIDs representing each owner.

Example 2: Retrieve Group Owners with Additional Information

To get detailed information about each owner (like their email address and user principal name), we can nest the Get-MgUser cmdlet within Get-MgGroupOwner. This provides more valuable data about the group owners.


    # Retrieve the detailed information of group owners
    $owners = Get-MgGroupOwner -GroupId '7bf57d88-42e1-4c8b-8a44-5a6f04a29073'
    foreach ($owner in $owners) {
        Get-MgUser -UserId $owner.Id | Select-Object DisplayName, Mail, UserPrincipalName
    }

This example fetches the Id of each owner and then passes that ID to the Get-MgUser cmdlet to retrieve additional information, such as DisplayName, Mail, and UserPrincipalName.

Cmdlet Tips

  • Ensure Permissions: You need the appropriate permissions to retrieve group owner details. The required permissions may include Group.Read.All or Directory.Read.All.
  • Nesting Cmdlets: Use Get-MgUser within Get-MgGroupOwner to extract more detailed user information. This is especially useful for reporting purposes or detailed audits.
  • Handling Large Groups: For groups with a large number of owners, consider using the -All parameter with Get-MgGroupOwner to ensure all owners are retrieved.

Use Cases

  1. Auditing Group Ownership: Administrators may need to audit Microsoft 365 Groups to ensure that all groups have assigned owners. Using Get-MgGroupOwner allows them to identify any groups without owners or groups with too many owners, which could indicate potential security risks.
    
        # List every group, then check each one for assigned owners
        $groups = Get-MgGroup -All
        foreach ($group in $groups) {
            # Wrap in @() so a group with no owners yields an empty array, not $null
            $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
            if ($owners.Count -eq 0) {
                Write-Host "Group $($group.DisplayName) has no owners!"
            }
        }
    
  2. Generating Group Ownership Reports: Companies often require reports that list all groups and their respective owners. By using Get-MgGroupOwner in conjunction with Get-MgUser, administrators can create comprehensive reports that include details like owners' names, email addresses, and user principal names.
    
        # For every group, resolve each owner ID to a user and print its details
        $groups = Get-MgGroup -All
        foreach ($group in $groups) {
            $owners = Get-MgGroupOwner -GroupId $group.Id -All
            foreach ($owner in $owners) {
                $user = Get-MgUser -UserId $owner.Id
                Write-Output "Group: $($group.DisplayName) - Owner: $($user.DisplayName), $($user.Mail), $($user.UserPrincipalName)"
            }
        }
    

    This script generates a list of groups along with their owners' details, making it easier to review ownership and ensure compliance with organizational policies.
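The following script is an added example, not code from the original article: it combines the two use cases above into one audit that pages through every group and every owner with -All, flags ownerless groups and groups with more owners than a chosen threshold, resolves user owners with Get-MgUser, and exports the result to CSV. It assumes Connect-MgGraph has already run with a read permission such as Group.Read.All; the $MaxOwners threshold and the CSV path are arbitrary values chosen for the example.

```powershell
# Added example (not from the original article): audit ownership across all groups.
# Assumes Connect-MgGraph has already run with Group.Read.All or Directory.Read.All.
# $MaxOwners and $ReportPath are arbitrary values chosen for this example.
$MaxOwners  = 5
$ReportPath = '.\GroupOwnerAudit.csv'

$report = foreach ($group in (Get-MgGroup -All -Property Id,DisplayName)) {
    # -All pages through every owner; without it only the first page is returned.
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)

    if ($owners.Count -eq 0) {
        # Ownerless groups cannot be managed by their members and need an admin to fix them.
        [pscustomobject]@{
            Group = $group.DisplayName; GroupId = $group.Id; Finding = 'NO OWNERS'
            OwnerCount = 0; Owner = $null; OwnerType = $null
        }
        continue
    }

    $finding = if ($owners.Count -gt $MaxOwners) { 'TOO MANY OWNERS' } else { 'OK' }

    foreach ($owner in $owners) {
        # Get-MgGroupOwner returns generic directory objects; the type and the other
        # properties of each owner sit in the AdditionalProperties dictionary.
        $type = $owner.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.user') {
            $user  = Get-MgUser -UserId $owner.Id -Property DisplayName,Mail,UserPrincipalName
            $label = "$($user.DisplayName) <$($user.UserPrincipalName)>"
        } else {
            # A service principal can also own a group; Get-MgUser would fail on it.
            $label = $owner.AdditionalProperties['displayName']
        }
        [pscustomobject]@{
            Group = $group.DisplayName; GroupId = $group.Id; Finding = $finding
            OwnerCount = $owners.Count; Owner = $label; OwnerType = $type
        }
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Where-Object Finding -ne 'OK' | Format-Table Group, Finding, OwnerCount, Owner -AutoSize
```

The script only reads the directory; review the CSV before using Add-MgGroupOwner to assign owners to any group flagged as ownerless.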


Possible Errors & Solutions

Error: Group Not Found
  Cause: The specified GroupId is incorrect, or the group has been deleted.
  Solution: Double-check the GroupId. You can use Get-MgGroup to list groups and confirm the ID before running the Get-MgGroupOwner cmdlet.

Error: Insufficient Permissions
  Cause: The user account running the command lacks sufficient permissions to view group owners.
  Solution: Ensure that your account has the necessary permissions, such as Group.Read.All or Directory.Read.All in Azure AD.

Error: No Owners Found
  Cause: The group may not have any assigned owners, which is unusual but possible.
  Solution: Verify the group structure and assign owners if necessary. You can use the Add-MgGroupOwner cmdlet to assign new owners to the group.

Conclusion

The Get-MgGroupOwner cmdlet is a versatile tool for administrators seeking to manage and audit Microsoft 365 groups. By combining this cmdlet with Get-MgUser, administrators can retrieve detailed information about group owners, making it easier to manage group permissions and maintain control over critical resources. Whether you're retrieving owners for a single group or auditing group ownership across an entire organization, this cmdlet simplifies the process.

© m365corner.com. All Rights Reserved.