This guide demonstrates how to use the Get-MgGroupOwner cmdlet in Microsoft Graph PowerShell to retrieve the owners of Microsoft 365 groups. Learn how to list group owners and export owner details with practical examples.
The Get-MgGroupOwner cmdlet in Microsoft Graph PowerShell allows administrators to retrieve the owners of Microsoft 365 Groups. Group owners are essential members with elevated privileges, such as managing group settings, adding or removing members, and overall administration of the group.
This article will dive deep into how to use Get-MgGroupOwner to extract essential owner details, including their email addresses and user principal names (UPNs), by nesting Get-MgUser within Get-MgGroupOwner. We will cover syntax, usage examples, cmdlet tips, possible errors, solutions, and use cases to help administrators get the most out of this cmdlet.
Get-MgGroupOwner -GroupId <String>
Parameters:
Important Notes: The Get-MgGroupOwner cmdlet only returns user IDs by default. To obtain detailed information about each user (such as display names or UPNs), you must use the Get-MgUser cmdlet to query additional user details.
This example demonstrates how to retrieve only the owner IDs of a specified Microsoft 365 Group using the Get-MgGroupOwner cmdlet.
# Retrieve only the owner IDs of a Microsoft 365 Group
Get-MgGroupOwner -GroupId '7bf57d88-42e1-4c8b-8a44-5a6f04a29073' | Select-Object Id
This command fetches the owner IDs of the group with the specified GroupId. The output will be a list of GUIDs representing each owner.
To get detailed information about each owner (like their email address and user principal name), we can nest the Get-MgUser cmdlet within Get-MgGroupOwner. This provides more valuable data about the group owners.
# Retrieve the detailed information of group owners
$owners = Get-MgGroupOwner -GroupId '7bf57d88-42e1-4c8b-8a44-5a6f04a29073'
foreach ($owner in $owners) {
    Get-MgUser -UserId $owner.Id | Select-Object DisplayName, Mail, UserPrincipalName
}
This example fetches the Id of each owner and then passes that ID to the Get-MgUser cmdlet to retrieve additional information, such as DisplayName, Mail, and UserPrincipalName.
$groups = Get-MgGroup -All
foreach ($group in $groups) {
    $owners = Get-MgGroupOwner -GroupId $group.Id
    if ($owners.Count -eq 0) {
        Write-Host "Group $($group.DisplayName) has no owners!"
    }
}
$groups = Get-MgGroup -All
foreach ($group in $groups) {
    $owners = Get-MgGroupOwner -GroupId $group.Id
    foreach ($owner in $owners) {
        $user = Get-MgUser -UserId $owner.Id
        Write-Output "Group: $($group.DisplayName) - Owner: $($user.DisplayName), $($user.Mail), $($user.UserPrincipalName)"
    }
}
This script generates a list of groups along with their owners' details, making it easier to review ownership and ensure compliance with organizational policies.
$groups = Get-MgGroup -All
foreach ($group in $groups) {
    $owners = Get-MgGroupOwner -GroupId $group.Id
    if ($owners.Count -eq 0) {
        Write-Host "Group '$($group.DisplayName)' has no owners assigned."
    }
}
This script lists all groups without assigned owners, allowing administrators to take corrective action.
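$groups = Get-MgGroup -All
foreach ($group in $groups) {
    $owners = Get-MgGroupOwner -GroupId $group.Id
    foreach ($owner in $owners) {
        # AccountEnabled is not in Get-MgUser's default property set, so request it
        # explicitly; otherwise it is $null and the check below never matches.
        $user = Get-MgUser -UserId $owner.Id -Property DisplayName, AccountEnabled
        if ($user.AccountEnabled -eq $false) {
            Write-Host "Group '$($group.DisplayName)' has a disabled owner: $($user.DisplayName)"
        }
    }
}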
This script identifies any groups that have disabled accounts as owners, allowing administrators to reassign ownership and ensure compliance.
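The two checks above can be combined so that a group whose only owners are disabled accounts is also reported as effectively ownerless. The following is an added example, not code from the original article: the function name Get-OwnerFinding and its finding labels are hypothetical, and the sample owners and IDs are constructed. It relies on the AdditionalProperties dictionary that each returned owner object carries alongside Id, whose '@odata.type' entry names the owner's object type.

```powershell
# Added example: classify one group's owners into audit findings.
function Get-OwnerFinding {
    param(
        [string]$GroupName,
        [object[]]$Owners,              # shaped like Get-MgGroupOwner output
        [hashtable]$EnabledById = @{}   # owner Id -> AccountEnabled value
    )
    $activeUsers = 0
    foreach ($owner in $Owners) {
        $type = $owner.AdditionalProperties['@odata.type']
        $name = $owner.AdditionalProperties['displayName']
        if ($type -ne '#microsoft.graph.user') {
            # For example a service principal; Get-MgUser would fail on this Id
            [PSCustomObject]@{ Group = $GroupName; Owner = $name; Finding = 'NonUserOwner' }
        } elseif ($EnabledById[$owner.Id] -eq $false) {
            [PSCustomObject]@{ Group = $GroupName; Owner = $name; Finding = 'DisabledOwner' }
        } else {
            $activeUsers++
        }
    }
    if ($activeUsers -eq 0) {
        # No owners at all, or none that is an enabled user account
        [PSCustomObject]@{ Group = $GroupName; Owner = $null; Finding = 'NoActiveOwner' }
    }
}

# Constructed sample input in the shape the cmdlet returns (IDs are made up)
$sampleOwners = @(
    [PSCustomObject]@{ Id = 'aaaa-1'; AdditionalProperties = @{
        '@odata.type' = '#microsoft.graph.user'; displayName = 'Former Employee' } }
    [PSCustomObject]@{ Id = 'bbbb-2'; AdditionalProperties = @{
        '@odata.type' = '#microsoft.graph.servicePrincipal'; displayName = 'Provisioning App' } }
)
Get-OwnerFinding -GroupName 'Finance' -Owners $sampleOwners -EnabledById @{ 'aaaa-1' = $false }

# Live use, assuming an existing Connect-MgGraph session that can read groups and users:
# foreach ($g in Get-MgGroup -All) {
#     $owners  = @(Get-MgGroupOwner -GroupId $g.Id -All)
#     $enabled = @{}
#     $owners | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
#         ForEach-Object { $enabled[$_.Id] = (Get-MgUser -UserId $_.Id -Property AccountEnabled).AccountEnabled }
#     Get-OwnerFinding -GroupName $g.DisplayName -Owners $owners -EnabledById $enabled
# }
```

For the sample input the function emits DisabledOwner, NonUserOwner and NoActiveOwner, because neither owner is an enabled user account.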
| Error | Cause | Solution |
| --- | --- | --- |
| Group Not Found | The specified GroupId is incorrect, or the group has been deleted. | Double-check the GroupId. You can use Get-MgGroup to list groups and confirm the ID before running the Get-MgGroupOwner cmdlet. |
| Insufficient Permissions | The user account running the command lacks sufficient permissions to view group owners. | Ensure that your account has the necessary permissions, such as Group.Read.All or Directory.Read.All in Azure AD. |
| No Owners Found | The group may not have any assigned owners, which is unusual but possible. | Verify the group structure and assign owners if necessary. You can use the Add-MgGroupOwner cmdlet to assign new owners to the group. |
1. What is Get-MgGroupOwner used for?
Get-MgGroupOwner is a Microsoft Graph PowerShell cmdlet used to retrieve details about the owners of Microsoft 365 groups, such as their display names and email addresses.
2. Can I retrieve owners for all groups in my tenant?
Yes, loop through all groups and fetch their owners. Example:
$Groups = Get-MgGroup -All
foreach ($Group in $Groups) {
    $Owners = Get-MgGroupOwner -GroupId $Group.Id
    Write-Output "Group: $($Group.DisplayName)"
    Write-Output $Owners
}
3. How can I retrieve detailed information about group owners using Get-MgGroupOwner?
By default, Get-MgGroupOwner returns only the IDs of the group owners. To obtain detailed information such as display names, email addresses, or user principal names, you can use the Get-MgUser cmdlet in conjunction with Get-MgGroupOwner. Here's an example:
$owners = Get-MgGroupOwner -GroupId 'your-group-id'
foreach ($owner in $owners) {
    $user = Get-MgUser -UserId $owner.Id
    Write-Output "Owner: $($user.DisplayName), Email: $($user.Mail), UPN: $($user.UserPrincipalName)"
}
This script retrieves each owner's detailed information by their user ID.
4. Can I export a list of all group owners to a CSV file?
Yes, you can export a list of all group owners to a CSV file by combining Get-MgGroup and Get-MgGroupOwner cmdlets. Here's a sample script:
$groups = Get-MgGroup -All
$report = @()
foreach ($group in $groups) {
    $owners = Get-MgGroupOwner -GroupId $group.Id
    foreach ($owner in $owners) {
        $user = Get-MgUser -UserId $owner.Id
        $report += [PSCustomObject]@{
            GroupName  = $group.DisplayName
            OwnerName  = $user.DisplayName
            OwnerEmail = $user.Mail
        }
    }
}
$report | Export-Csv -Path 'GroupOwnersReport.csv' -NoTypeInformation
This script generates a CSV file containing each group's name along with its owners' names and email addresses.
5. What permissions are required to retrieve group owners?
You need the Group.Read.All or Group.ReadWrite.All permission in Microsoft Graph PowerShell. Ensure appropriate permissions are granted in Azure AD.
The Get-MgGroupOwner cmdlet is a versatile tool for administrators seeking to manage and audit Microsoft 365 groups. By combining this cmdlet with Get-MgUser, administrators can retrieve detailed information about group owners, making it easier to manage group permissions and maintain control over critical resources. Whether you're retrieving owners for a single group or auditing group ownership across an entire organization, this cmdlet simplifies the process.