Add-AzureADGroupMember tricks when UPN is different than Primary Email address

I recently had to add a bunch of users to an AzureAD group where the UserPrincipalName was different than the user account, thus causing all sorts of failures when adding it in the PowerShell CLI as well as the bulk add from the Azure web portal.

Get-AzureADUser has some examples on grabbing a user, but I wanted to point out the “-Filter” parameter is an oData v3.0 filter statement.

What does that mean? This is the example from the doc page:

Get-AzureADUser -Filter "userPrincipalName eq ''"

What I wanted to point out is that you can use any of the ExtensionProperties that the user account contains.

For instance, here’s the script I threw together to add users to a group based on their “mail” property:

 $imp1 = Import-Csv C:\users\luceds\desktop\exp1.csv
 ForEach ($line in $imp1) {
     # Look the user up by the "mail" property; the CSV column holding the address is named UPN
     $mem1 = Get-AzureADUser -Filter "mail eq '$($line.UPN)'"
     $mem1 # drop the name on the screen to check for errors
     Add-AzureADGroupMember -ObjectId 0c3ac25f-449b-4057-bd16-826269exxxxx -RefObjectId $mem1.ObjectId
 }

The “queryingcollections” section of the oData documentation page shows the syntax that’s possible for the -Filter parameter.
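Because group membership usually grants access, a bulk add should refuse to guess when the mail lookup returns no account or more than one. The following is an added example, not the author's script: it escapes the address for the filter, adds only on exactly one match, and reports every row. It assumes the AzureAD module is loaded and Connect-AzureAD has been run; `$GroupId`, the `ConvertTo-ODataLiteral` helper and the sample rows are hypothetical.

```powershell
# Added example. Assumes: AzureAD module loaded, Connect-AzureAD already run.
# $GroupId is a placeholder: substitute the target group's ObjectId.
$GroupId = '<group-object-id>'

# Constructed sample input; in practice use Import-Csv on a file with a UPN column.
$rows = @'
UPN
alice@example.com
pat.o'brien@example.com
'@ | ConvertFrom-Csv

function ConvertTo-ODataLiteral([string]$Value) {
    # OData string literals escape a single quote by doubling it, so an
    # address containing an apostrophe cannot break or alter the filter.
    "'" + $Value.Replace("'", "''") + "'"
}

# Current members, so re-runs skip users who are already in the group.
$existing = @(Get-AzureADGroupMember -ObjectId $GroupId -All $true |
    ForEach-Object ObjectId)

$report = foreach ($row in $rows) {
    $mail  = $row.UPN.Trim()
    $found = @(Get-AzureADUser -Filter "mail eq $(ConvertTo-ODataLiteral $mail)")

    if ($found.Count -eq 0) { $status = 'NotFound' }
    elseif ($found.Count -gt 1) { $status = 'Ambiguous' }   # never pick one at random
    elseif ($existing -contains $found[0].ObjectId) { $status = 'AlreadyMember' }
    else {
        try {
            Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $found[0].ObjectId -ErrorAction Stop
            $status = 'Added'
        } catch { $status = "Failed: $($_.Exception.Message)" }
    }

    # One record per input row, suitable for review or Export-Csv.
    [pscustomobject]@{ Mail = $mail; Matches = $found.Count; Status = $status }
}

$report | Format-Table -AutoSize
```

Review the `NotFound` and `Ambiguous` rows by hand before re-running.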

Author: Luke Edson

Luke has extensive experience in a wide variety of systems, focusing on Microsoft technologies, Communication with Exchange and Skype for Business (Lync & LCS), Data Center Virtualization, Orchestration and Automation, System Center Management, Networking, and Security.
