Challenges with Group Member Management in Microsoft Graph API


Working on a new solution, and I’m reminded how painful adding/removing group members is in Graph API…

We have New-MgGroupMember but not Remove-MgGroupMember, and it seems like New-MgGroupMember is deprecated / should have been removed by now…

But it gets worse 🙁

Instead of referencing directoryObjectId like we used to, we now have to use OData members with *-MgGroupMemberByRef

A cool thing is that we can now do 20 in one call, add in batching, and we get great performance

But that uses Update-MgGroup, only supports add, not remove 😠

And I believe this is all limitations of however they decided Graph API should be implemented. I’m sure there’s a good reason, I don’t make APIs..

But whatever the reason, the end result is not a good admin experience, and this is the best I could come up with to handle it

Practice Verified Codes and Commands:


```powershell
# Adding a new member to a group using New-MgGroupMember
New-MgGroupMember -GroupId "your-group-id" -DirectoryObjectId "user-or-group-id"

# Example of batching multiple adds (JSON batching accepts up to 20 requests per call)
$requests = @()
1..20 | ForEach-Object {
    $requests += @{
        id      = "$_"   # request ids are strings
        method  = "POST"
        url     = "/groups/your-group-id/members/`$ref"
        headers = @{ "Content-Type" = "application/json" }
        body    = @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/user-or-group-id-$_"
        }
    }
}
# The $batch endpoint expects the request list wrapped in a "requests" property
$batch = @{ requests = $requests }
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/`$batch" -Body ($batch | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Removing a member with a direct DELETE on the member's $ref (workaround)
# Note: This is a workaround and may not be officially supported
$groupId = "your-group-id"
$userId = "user-id-to-remove"
$uri = "https://graph.microsoft.com/v1.0/groups/$groupId/members/$userId/`$ref"
Invoke-MgGraphRequest -Method DELETE -Uri $uri
```
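
Removing a member is usually an access revocation, so a removal that silently fails matters more than a failed add. The sketch below combines the DELETE workaround with batching and checks every sub-response. It is an added example, not code from the original post: the function name `Remove-GroupMembersBatched` and its parameters are hypothetical, and it assumes `Connect-MgGraph` has already been run with a scope that permits membership changes.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has already
# run with a scope that permits membership changes (e.g. GroupMember.ReadWrite.All).
function Remove-GroupMembersBatched {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]   $GroupId,
        [Parameter(Mandatory)][string[]] $MemberIds,
        [int] $MaxAttempts = 3
    )
    $pending = @($MemberIds | Select-Object -Unique)    # request ids must be unique
    for ($attempt = 1; $pending.Count -gt 0 -and $attempt -le $MaxAttempts; $attempt++) {
        $retry = @(); $wait = 0
        for ($i = 0; $i -lt $pending.Count; $i += 20) { # JSON batching: max 20 per call
            $last = [Math]::Min($i + 19, $pending.Count - 1)
            $requests = @(foreach ($id in $pending[$i..$last]) {
                @{ id = $id; method = 'DELETE'; url = "/groups/$GroupId/members/$id/`$ref" }
            })
            $resp = Invoke-MgGraphRequest -Method POST `
                -Uri 'https://graph.microsoft.com/v1.0/$batch' `
                -Body (@{ requests = $requests } | ConvertTo-Json -Depth 5) `
                -ContentType 'application/json'
            # The batch call itself can succeed while individual removals fail,
            # so every sub-response has to be inspected.
            foreach ($r in $resp.responses) {
                $outcome = switch ([int]$r.status) {
                    204     { 'Removed' }
                    404     { 'NotFound' }   # treated here as already absent or unknown id
                    429     { 'Throttled' }
                    default { 'Failed' }
                }
                if ($outcome -eq 'Throttled' -and $attempt -lt $MaxAttempts) {
                    $retry += $r.id
                    $wait = [Math]::Max($wait, [int]$r.headers.'Retry-After')
                    continue
                }
                [pscustomobject]@{ MemberId = $r.id; Status = [int]$r.status; Outcome = $outcome }
            }
        }
        if ($retry.Count -gt 0) { Start-Sleep -Seconds ([Math]::Max($wait, 1)) }
        $pending = $retry
    }
}
```

Any row whose `Outcome` is not `Removed` or `NotFound` is a member that still has access and needs follow-up.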

What Undercode Say:

Managing group members in Microsoft Graph API can be a challenging task, especially when dealing with the absence of straightforward commands like Remove-MgGroupMember. The transition to using OData members and the limitations of Update-MgGroup for removing members add complexity to the process. However, leveraging batching and understanding the underlying API structure can help mitigate some of these issues. Here are some additional commands and tips to enhance your experience:

  • Linux Command for API Testing:
    curl -X DELETE -H "Authorization: Bearer your-access-token" 'https://graph.microsoft.com/v1.0/groups/your-group-id/members/user-id-to-remove/$ref'
    

  • Windows Command for API Testing:

    Invoke-WebRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/groups/your-group-id/members/user-id-to-remove/`$ref" -Headers @{Authorization = "Bearer your-access-token"}
    

  • Automating Group Management:
    Consider using scripts to automate the addition and removal of group members. This can save time and reduce errors in large environments.

  • API Documentation:
    Always refer to the official Microsoft Graph API documentation for the latest updates and best practices: Microsoft Graph API Documentation

  • PowerShell Module:
    Ensure you have the latest Microsoft Graph PowerShell module installed:

    Install-Module -Name Microsoft.Graph -Force -AllowClobber
    

  • Error Handling:
    Implement robust error handling in your scripts to manage API rate limits and unexpected responses.

  • Logging:
    Use logging to track changes and troubleshoot issues. This can be done using PowerShell’s Start-Transcript cmdlet or by writing logs to a file.

  • Security:
    Always secure your API tokens and credentials. Use Azure Key Vault or similar services to manage secrets securely.

  • Testing:
    Test your scripts in a development environment before deploying them to production to avoid disruptions.

  • Community Resources:
    Engage with the community on forums like Stack Overflow or GitHub to share solutions and get help with specific issues.

  • Continuous Learning:
    Stay updated with the latest developments in Microsoft Graph API by following official blogs and participating in webinars.

By understanding the limitations and leveraging the available tools and commands, you can streamline group member management in Microsoft Graph API and improve your overall admin experience.

References:

Hackers Feeds, Undercode AI