Add-AzureADGroupMember tricks when UPN is different than Primary Email address

I recently had to add a bunch of users to an AzureAD group where the UserPrincipalName was different than the user account, thus causing all sorts of failures when adding it in the PowerShell CLI as well as the bulk add from the Azure web portal.

The Get-AzureADUser documentation has some examples of grabbing a user, but I wanted to point out that the “-Filter” parameter takes an OData v3.0 filter statement. https://www.odata.org/documentation/odata-version-3-0/odata-version-3-0-core-protocol/

What does that mean? This is the example from the doc page:

Get-AzureADUser -Filter "userPrincipalName eq 'jondoe@contoso.com'"

What I wanted to point out is that you can use any of the ExtensionProperties that the user account contains.

For instance, here’s the script I threw together to add users to a group based on their “mail” property:

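 # The CSV column is named "UPN", but it is matched against each account's "mail" property
 $imp1 = Import-Csv C:\users\luceds\desktop\exp1.csv
 ForEach ($line in $imp1)
   {
     # Double any single quote (e.g. o'brien@...) so it stays inside the OData string literal
     $mail = $line.UPN.Replace("'", "''")
     $mem1 = @(Get-AzureADUser -Filter "mail eq '$mail'")
     $mem1 # drop the name on the screen to check for errors
     # Only add when exactly one account matched; skip empty or ambiguous lookups
     if ($mem1.Count -eq 1) {
       Add-AzureADGroupMember -ObjectId 0c3ac25f-449b-4057-bd16-826269exxxxx -RefObjectId $mem1[0].ObjectId
     } else { Write-Warning "Skipped $($line.UPN): $($mem1.Count) matches" }
   }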

The “queryingcollections” section of the OData documentation page shows the syntax that’s possible for the -Filter parameter:

https://www.odata.org/documentation/odata-version-3-0/odata-version-3-0-core-protocol/#queryingcollections
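
Because each CSV value is pasted into a quoted OData string, it is worth checking the file before any group membership changes. The following is an added example, not part of the original script: it builds the "mail eq" filter for each row without calling Azure AD. The function name ConvertTo-ODataMailFilter, the loose address check and the sample rows are assumptions made up for illustration.

```powershell
# Added example: pre-flight check for the bulk add. Nothing here contacts Azure AD.

function ConvertTo-ODataMailFilter {
    param([Parameter(Mandatory)][string]$Mail)
    $value = $Mail.Trim()
    # Loose shape check (assumption): one "@", no whitespace, a dot in the domain part
    if ($value -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Not a plain email address: '$Mail'"
    }
    # OData string literals escape a single quote by doubling it
    "mail eq '{0}'" -f $value.Replace("'", "''")
}

# Constructed sample rows, using the same "UPN" column name as the script in this post
$rows = @'
UPN
jondoe@contoso.com
pat.o'brien@contoso.com
not-an-address
JonDoe@contoso.com
'@ | ConvertFrom-Csv

$seen = @{}   # PowerShell hashtable keys compare case-insensitively
$plan = foreach ($row in $rows) {
    $status = 'ok'
    $filter = $null
    try {
        $filter = ConvertTo-ODataMailFilter -Mail $row.UPN
        $key = $row.UPN.Trim()
        # A repeated address would try to add the same member twice
        if ($seen.ContainsKey($key)) { $status = 'duplicate' } else { $seen[$key] = $true }
    }
    catch {
        $status = 'rejected'
    }
    [pscustomobject]@{ Input = $row.UPN; Status = $status; Filter = $filter }
}

# Review this table, then pass only the 'ok' filters to Get-AzureADUser -Filter
$plan | Format-Table -AutoSize
```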