Recently I've been building an SPFx app that lets a user see which groups they manage and bulk update the membership via CSV. One of the first hurdles was getting all the groups the user is an owner/manager of. This needed to work with all group types:
- Office 365
- Distribution *
- Mail-enabled security *
- Security
For the focus of this post we are only going to look at groups that are homed/managed in the cloud.
* These groups can currently be managed via Outlook Online so this requirement is a nice to have but not a must have.
What method to choose?
There are multiple methods of getting this information. However, some require background scripts so aren't really suited to real-time frontend apps. The ideal solution would be to use the Microsoft Graph API, so let's take a look at how to accomplish this.
Microsoft Graph - Get all groups a user is an owner of
For this example we are going to use the Graph Explorer available here.
There is an API method named List ownedObjects, this lists all directory objects that are owned by a user. This should return all groups as well as devices, apps, etc... You could possibly use an OData query to filter out objects that you don't need.
Note - any Exchange-related properties like ManagedBy are not currently filterable, so Distribution Groups and Mail-enabled security groups are not returned. The current workaround is to manage these groups via Outlook Online. Harvard have some great instructions on how to do that.
- Open the Graph Explorer page and sign in to your tenancy.
- You may need to consent to some permissions if you have never used it before.
- In the query address box, enter the following (replacing userprincipalname with the user you are testing with):
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/ownedObjects
- Press Run Query to execute the API method. Take a look at the response preview.
- If only the ID field is populated then you may need to update the permissions to grant Group.Read.All. You can do this by pressing modify permissions under Authentication and selecting Group.Read.All and then pressing Modify Permissions. You may need to re-sign in to grant the permission.
- By default only the first 50 directory objects are returned. If a user has more than that you can either page the results using the @odata.nextLink property or add the $top={numberOfResults} OData query option to return the first 'x' results. The max limit is 1000. If they have more than that you will need to use the nextLink method.
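As an added example (not code from the original post or from the SPFx app it describes), here is a TypeScript helper that follows @odata.nextLink across every page of /ownedObjects and keeps only the objects typed as groups, so devices and apps are dropped client-side. The fetchJson callback stands in for an MSGraphClient GET (assumed, not shown), and the sample pages are constructed data, not a real tenant's response.

```typescript
// Only the fields of the Graph response that this helper uses.
interface DirectoryObject { "@odata.type": string; id: string; displayName?: string; }
interface OwnedObjectsPage { value: DirectoryObject[]; "@odata.nextLink"?: string; }
// Injected GET function; in SPFx this would wrap MSGraphClient (assumed, not shown).
type FetchJson = (url: string) => Promise<OwnedObjectsPage>;

const GRAPH = "https://graph.microsoft.com/v1.0";
const MAX_PAGES = 1000; // guard against a broken or looping nextLink chain

// Follow every @odata.nextLink for /users/{upn}/ownedObjects and keep only groups.
async function getOwnedGroups(upn: string, fetchJson: FetchJson, top = 50): Promise<DirectoryObject[]> {
  const groups: DirectoryObject[] = [];
  let url: string | undefined = `${GRAPH}/users/${encodeURIComponent(upn)}/ownedObjects?$top=${top}`;
  for (let page = 0; url; page++) {
    if (page >= MAX_PAGES) throw new Error("too many pages; refusing to follow nextLink further");
    const body = await fetchJson(url);
    for (const obj of body.value) {
      // ownedObjects mixes groups, devices, apps, etc.; only groups are wanted here.
      if (obj["@odata.type"] === "#microsoft.graph.group") groups.push(obj);
    }
    url = body["@odata.nextLink"]; // undefined on the last page ends the loop
  }
  return groups;
}

// Constructed sample data (not a real tenant): two pages mixing a group, a device and an app.
const SAMPLE_UPN = "alice@contoso.example";
const firstUrl = `${GRAPH}/users/${encodeURIComponent(SAMPLE_UPN)}/ownedObjects?$top=50`;
const secondUrl = `${firstUrl}&$skiptoken=constructed-token`;
const samplePages: Record<string, OwnedObjectsPage> = {
  [firstUrl]: {
    value: [
      { "@odata.type": "#microsoft.graph.group", id: "g-1", displayName: "Finance Team" },
      { "@odata.type": "#microsoft.graph.device", id: "d-1", displayName: "ALICE-LAPTOP" },
    ],
    "@odata.nextLink": secondUrl,
  },
  [secondUrl]: {
    value: [
      { "@odata.type": "#microsoft.graph.application", id: "a-1", displayName: "Bulk Update App" },
      { "@odata.type": "#microsoft.graph.group", id: "g-2", displayName: "Payroll Admins" },
    ],
  },
};
// Fake fetch that serves the constructed pages; swap in a real Graph client for live use.
const sampleFetch: FetchJson = async (url) => {
  const page = samplePages[url];
  if (!page) throw new Error(`unexpected URL: ${url}`);
  return page;
};
```

Running getOwnedGroups(SAMPLE_UPN, sampleFetch) walks both constructed pages and returns the two group objects only.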
Exchange - Get all groups a user is a manager of
You can use the Exchange PowerShell cmdlets to get all objects a user is an owner of. From the Exchange side this is commonly referred to as ManagedBy. We are going to make use of the Get-Recipient cmdlet.
- Open up a PowerShell console
- Connect and authenticate to Exchange Online. See Methods available here.
- Type the following and replace user and tenant information accordingly:
Get-Recipient -Filter "ManagedBy -eq 'CN={user},OU={tenant}.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox, MailUniversalDistributionGroup, MailUniversalSecurityGroup, DynamicDistributionGroup
Note - This will only retrieve the specified recipient types. Of course plain old Security Groups aren't exposed in Exchange as they have no email address.
Azure AD - Get all groups a user is an owner of
Lastly you can use the Azure AD PowerShell 2.0 cmdlets to retrieve owner information. The cmdlet Get-AzureADUserOwnedObject is what we are going to use.
- You will need to install the PowerShell module and connect to Azure AD. Instructions are available here.
- In the PowerShell console, type the following (replacing ObjectId with the id of the user):
Get-AzureADUserOwnedObject -ObjectId {objectId}
- If you don't have the ObjectId of the user handy you can pipe the result of the Get-AzureADUser into the cmdlet:
Get-AzureADUser -SearchString {userPrincipalName | emailAddress} | Get-AzureADUserOwnedObject
- This cmdlet doesn't look at any Exchange related properties like ManagedBy. So if you need to include distribution groups then you should use the Exchange method.
Summing it all up
Not one method returns all the owner information for all group types. We could wait for Microsoft to update the Graph but that could take a while (if ever). In the meantime pick the one that works for you. It may be that you need to use a couple of them to get all the information you require.
Looking further into the future I'm thinking of building a small intermediary service that combines and caches this information. That data is then exposed by an API that apps can query. It may be possible to combine results from both the Graph and EWS APIs to get all possible management information.