Add AD Group to SharePoint Online Group using PowerShell

Requirement: Add an Active Directory security group to a SharePoint Online group using PowerShell.

How to Add AD Group to SharePoint Online Groups?

Adding an Active Directory (AD) group to SharePoint Online is a great way to manage user permissions. By adding AD groups, you can give users access to SharePoint sites, libraries, lists, and items without having to individually add each user to the site. In this blog post, we’ll walk you through the steps to add an AD group to SharePoint Online.

  1. Sign in to your SharePoint Online site as a site owner or administrator.
  2. Click on Settings Gear >> Site Permissions >> Share Site.
  3. Enter the name of the Active Directory group that you want to add. Set the Permissions for the group.
  4. Finally, click on the “Add” button to save your changes.

The group will now be added to your site, and you can begin managing permissions for the group as needed. You can also go to Advanced permission settings and add the AD group to the relevant SharePoint Online site group.

On group-connected sites, you can click on “Add Members” and then choose the “Share site only” option to grant the Active Directory group access to the SharePoint Online site. The “Add Members to Group” option won’t work, as an Office 365 group cannot contain AD security groups.

PowerShell to Add Active Directory Group to SharePoint Online Group

Let’s look at how to add an Active Directory security group to SharePoint Online using PowerShell. In just a few quick steps, you can add the security group and grant it the permissions it needs. By adding the AD security group to your SharePoint Online site, you give members of that group permission to access the site and its contents. Here is the PowerShell script to add an AD group to a SharePoint group in SharePoint Online:

#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Add-ADGroupToSP($SiteURL,$ADGroupName,$SPGroupName)
{
    #Setup Credentials to connect
    $Cred = Get-Credential
    $Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
 
    Try {
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Cred
     
        #Get the Web and SharePoint Group
        $Web = $Ctx.Web
        $Group= $Web.SiteGroups.GetByName($SPGroupName)
 
        #Resolve the AD Security Group
        $ADGroup = $Web.EnsureUser($ADGroupName)
 
        #Add the AD group to the SharePoint group
        $Result = $Group.Users.AddUser($ADGroup)
        $Ctx.Load($Result)
        $Ctx.ExecuteQuery()
 
        write-host  -f Green "Active Directory Group '$ADGroupName' has been added to '$SPGroupName'"
    }
    Catch {
        write-host -f Red "Error:" $_.Exception.Message
    }
}

#Variables for Processing
$SiteURL = "https://Crescent.sharepoint.com/Sales"
$ADGroupName = "Marketing Managers"
$SPGroupName="Sales Portal Members"

#Call the function to add AD group to SharePoint Group
Add-ADGroupToSP -SiteURL $SiteURL -ADGroupName $ADGroupName -SPGroupName $SPGroupName

This adds the given Active Directory security group to the SharePoint Online group as a SharePoint user. You can also use the AD group’s login ID (e.g., “c:0t.c|tenant|915xnusf-fbb3-7da1-k252-33e0de69f19”) to add the AD group to the SharePoint Online group.

SharePoint Online: PnP PowerShell to Add Security Group to Site

Adding a security group to SharePoint Online can be done using PnP PowerShell as well. Here is the PnP PowerShell to add the Active Directory security group to the SharePoint Online group:

#Parameters
$SiteURL= "https://crescent.sharepoint.com/sites/hr"
$AdGroupID = "c:0t.c|tenant|798cb3d4-7ca8-4567-adb5-916bc496d7cd"
$GroupName = "HR Owners"

#Connect to site
Connect-PnPOnline $SiteURL -Interactive

#Add the security group to the SharePoint group
Add-PnPGroupMember -LoginName $AdGroupID -Identity $GroupName

The members of the AD group will now have access to the resources and permissions granted to the SharePoint group. To get all security groups and their IDs, use the following:

#Connect to Azure AD
Connect-AzureAD

#Get All Security Groups
Get-AzureADGroup -Filter "SecurityEnabled eq true" | Select DisplayName,ObjectID

Getting the ID of Active Directory Groups is explained in my other post: How to Add AD Security Group as Site Collection Administrator in SharePoint Online?
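
The lookup above lists groups by display name, and display names are not unique in a directory, so granting access by name alone can reach the wrong group. The following added example (not code from the original post) resolves a name to exactly one security group and builds the login ID in the format shown earlier; `Resolve-AdGroupLogin` and its parameter are hypothetical names, and the site URL and group names are the page's sample values.

```powershell
# Added example, not from the original post. Resolve-AdGroupLogin is a hypothetical helper.
function Resolve-AdGroupLogin {
    param([Parameter(Mandatory)][string]$DisplayName)

    # Escape single quotes so the name cannot break out of the OData filter string
    $Escaped = $DisplayName.Replace("'", "''")
    $Found = @(Get-AzureADGroup -Filter "DisplayName eq '$Escaped'")

    # Display names are not unique: refuse to guess which group should get access
    if ($Found.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($Found.Count)."
    }

    $Group = $Found[0]
    if (-not $Group.SecurityEnabled) {
        throw "'$DisplayName' is not a security-enabled group."
    }

    # The object ID must parse as a GUID before it goes into the login ID
    $Guid = [guid]::Empty
    if (-not [guid]::TryParse([string]$Group.ObjectId, [ref]$Guid)) {
        throw "Unexpected ObjectId value for '$DisplayName'."
    }

    # Login ID format used on this page: prefix + Azure AD object ID
    "c:0t.c|tenant|$Guid"
}

# Sample values taken from the page
$SiteURL     = "https://crescent.sharepoint.com/sites/hr"
$GroupName   = "HR Owners"
$AdGroupName = "Marketing Managers"

# Resolve the group first, so nothing is granted if the lookup is ambiguous
Connect-AzureAD | Out-Null
$AdGroupID = Resolve-AdGroupLogin -DisplayName $AdGroupName

# Same connection and cmdlet parameters as the PnP snippet above
Connect-PnPOnline $SiteURL -Interactive
Add-PnPGroupMember -LoginName $AdGroupID -Identity $GroupName
Write-Host -f Green "Added '$AdGroupName' ($AdGroupID) to '$GroupName'"
```

Passing the bare object ID as the login name, without the `c:0t.c|tenant|` prefix, does not match the login ID format this page uses.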

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions, including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he's passionate about sharing knowledge and insights to help others through real-world articles!

15 thoughts on “Add AD Group to SharePoint Online Group using PowerShell”

  • Hi, Great site!!
    I’m trying to add my M365 group to a SharePoint group, but I continually get this error
    Add-PnPGroupMember -LoginName $AdGroupID -Identity $GroupName
    Add-PnPGroupMember: The specified user 54e13812-8b94-411a-8198-9c48add57c7d could not be found.

    I got that ID from running $adGroup = Get-MgGroup -Filter "displayName eq '$AdGroupName' and SecurityEnabled eq true"
    $AdGroupID = $adGroup.Id

    So clearly it exists. Any idea what I’m doing wrong?

    Thanks

    Reply
  • Thanks for the wonderful scripts. Would you be able to help with a use case? We have an AD group, let’s say by the name “AB Sec Admins”, and it is added to multiple SharePoint groups in different sites. Now it has been renamed in AD; it is now “CD Sec Admins”.
    Can we update/resync AD groups existing in SP groups? I am aware that I need to manually find it by the old name, remove it from the SP group and add the new one.

    Reply
  • Hi, thanks for the info.
    If I have multiple subsites under a project site, can you advise how I can loop the first PowerShell code to add the AD group to the SP group in all subsites?
    Thanks

    Reply
  • This script only adds the user to a group. I need to add a group to SharePoint site collection sites. How can I add a group to these subsites?

    Reply
  • @Salaudeen Rajack In PnP PowerShell last code line replace “Add-PnPGroupMember” with “Add-PnPUserToGroup”

    Reply
    • In the new PnP.PowerShell module, the Add-PnPUserToGroup cmdlet is replaced with Add-PnPGroupMember.

      Reply
  • The code worked like a charm!! Excellent. Keep posting such scenarios. Thanks 🙂

    Reply
  • Excellent, thanks for sharing!

    Reply
  • Hey Salaudeen,

    Just wanted to say I’ve used your blog posts quite a lot for my current project. Great work!

    Reply
  • Need help with this code, I don’t know how to start this in my SharePoint 2016 on-premise site collection.

    Reply
  • Could you explain, please? I don’t know how this code works in SharePoint on-premise.

    When I start it, your code is for SharePoint Online and I get this error:
    New-Object : Cannot find type [Microsoft.SharePoint.Client.SharePointOnlineCredentials]: verify that the assembly containing this type is loaded.

    Reply
  • What is the same code for PnP PowerShell?

    Reply
    • $context = Connect-PnPOnline -Url [mysite] -ReturnConnection
      $web = Get-PnPWeb -Connection $context
      $adgroup = "c:0t.c|tenant|[ad id]"
      $ensureUser = $web.EnsureUser($adgroup)
      $adgroup = Get-PnPUser $adgroup -Connection $context
      Add-PnPUserToGroup -LoginName $adgroup.LoginName -Identity "$($web.Title) Owners" -Connection $context

      Reply
