How to Copy Office 365 Group membership to another user using PowerShell?

Requirement: Copy group membership to another user in Office 365.

How to Copy an O365 group membership from one user to another?

If you’re administering Office 365 and need to copy the group membership from one user to another, there’s no easy way to do it! You may need to do it in a variety of situations, such as when a new employee is being onboarded and has to have the same access as an existing employee or when an employee leaves the company and their duties have to be reassigned to someone else. Let me walk you through the steps required to duplicate the group memberships of one user into another.

  1. Login to Microsoft 365 Admin Center at https://admin.microsoft.com/
  2. Click on Groups >> Active Groups. Search for and pick the source user >> in the user properties panel, note down all groups the user is a member of.
  3. Now, select the target user >> Assign Memberships to the target user from the list of groups you noted from the source user.

How painful is this manual process when you have a bunch of groups? What if we automate this process with a PowerShell script that would read out the membership of a source user and then add the new user to the same group?

PowerShell to Copy Office 365 Group Memberships

If you want to clone a user’s group memberships in the Microsoft 365 environment, use this PowerShell script. Make sure the Azure AD module is installed before executing this script.

#Parameters
$SourceUserAccount = "Vahab@Crescent.com"
$TargetUserAccount = "Steve@Crescent.com"

#Connect to Azure AD
Connect-AzureAD

#Get the Source and Target users
$SourceUser = Get-AzureADUser -Filter "UserPrincipalName eq '$SourceUserAccount'"
$TargetUser = Get-AzureADUser -Filter "UserPrincipalName eq '$TargetUserAccount'"

#Check if source and Target users are valid
If($SourceUser -ne $Null -and $TargetUser -ne $Null)
{
    #Get All memberships of the Source user (-All $true returns every membership, not just the first page)
    $SourceMemberships = Get-AzureADUserMembership -ObjectId $SourceUser.ObjectId -All $true | Where-object { $_.ObjectType -eq "Group" }

    #Get-AzureADUserOwnedObject -ObjectId $SourceUser.ObjectId

    #Loop through Each Group
    ForEach($Membership in $SourceMemberships)
    {
        #Check if the user is not part of the group (-All $true so large groups are checked completely)
        $GroupMembers = (Get-AzureADGroupMember -ObjectId $Membership.ObjectId -All $true).UserPrincipalName
        If ($GroupMembers -notcontains $TargetUserAccount)
        {
            #Add Target user to the Source User's group
            Add-AzureADGroupMember -ObjectId $Membership.ObjectId -RefObjectId $TargetUser.ObjectId
            Write-host "Added user to Group:" $Membership.DisplayName
        }
    }
}
Else
{
    Write-host "Source or Target user is invalid!" -f Yellow
}

Please note, this script gets all group memberships of the given user, including Microsoft 365 groups / Unified groups, Security Groups, Distribution Lists, and Mail-enabled security groups, where the user is added as a group member. To get all groups where the user is an owner, use the following:

$Ownerships = Get-AzureADUserOwnedObject -ObjectId $SourceUser.ObjectId | Where-object { $_.ObjectType -eq "Group" }
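Because cloning memberships grants the target every access the source has, it helps to review the list before anything is changed, and to route each group type to a cmdlet that can actually update it (Add-AzureADGroupMember rejects mail-enabled security groups and distribution lists with Request_BadRequest). The following is an added example, not part of the original script; the function name Get-MembershipCopyPlan, the Route labels, the CSV path and the $Apply switch are hypothetical, and the Exchange Online branch assumes a session opened with Connect-ExchangeOnline.

```powershell
# Added example: build a reviewable copy plan before changing any group.
# Assumes Connect-AzureAD has been run; Connect-ExchangeOnline is needed only when $Apply is $true.
function Get-MembershipCopyPlan {
    param([Parameter(Mandatory)][string]$SourceUpn)
    # -ObjectId accepts a UPN, which avoids building an OData filter string from input
    $Source = Get-AzureADUser -ObjectId $SourceUpn
    # -All $true returns every membership instead of only the first page
    Get-AzureADUserMembership -ObjectId $Source.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq "Group" } |
        ForEach-Object {
            # GroupTypes (Unified, DynamicMembership) is exposed by Get-AzureADMSGroup
            $Types = (Get-AzureADMSGroup -Id $_.ObjectId).GroupTypes
            $Route = if ($_.DirSyncEnabled) { "Skip-OnPremSynced" }        # managed in on-premises AD
                elseif ($Types -contains "DynamicMembership") { "Skip-Dynamic" }  # rule-driven membership
                elseif ($_.MailEnabled -and $Types -notcontains "Unified") { "ExchangeOnline" }
                else { "AzureAD" }
            [pscustomobject]@{
                DisplayName = $_.DisplayName; ObjectId = $_.ObjectId; Mail = $_.Mail
                SecurityEnabled = $_.SecurityEnabled; Route = $Route
            }
        }
}

$SourceUserAccount = "Vahab@Crescent.com"   # sample accounts used in the article
$TargetUserAccount = "Steve@Crescent.com"
$Apply = $false                              # review the plan first, then set to $true

$Plan = Get-MembershipCopyPlan -SourceUpn $SourceUserAccount
$Plan | Export-Csv -Path ".\MembershipCopyPlan.csv" -NoTypeInformation   # keep as a change record
$Plan | Sort-Object Route | Format-Table DisplayName, SecurityEnabled, Route

if ($Apply) {
    $Target = Get-AzureADUser -ObjectId $TargetUserAccount
    foreach ($Group in ($Plan | Where-Object { $_.Route -notlike "Skip-*" })) {
        try {
            if ($Group.Route -eq "AzureAD") {
                Add-AzureADGroupMember -ObjectId $Group.ObjectId -RefObjectId $Target.ObjectId
            }
            else {
                # Mail-enabled security groups and distribution lists are updated through Exchange Online
                Add-DistributionGroupMember -Identity $Group.Mail -Member $TargetUserAccount -ErrorAction Stop
            }
            Write-Host "Added user to Group:" $Group.DisplayName
        }
        catch { Write-Warning "Failed on $($Group.DisplayName): $($_.Exception.Message)" }
    }
}
```

Security-enabled groups in the plan are the ones that can carry permissions, so those rows deserve the closest look before $Apply is switched on.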

Copy Office 365 Group Ownership using PowerShell

Here is the PowerShell script to copy the user’s group ownership:

#Parameters - UPN
$SourceUserAccount = "Vahab@Crescent.com"
$TargetUserAccount = "Steve@Crescent.com"

#Connect to Azure AD
Connect-AzureAD

#Get the Source and Target users
$SourceUser = Get-AzureADUser -Filter "UserPrincipalName eq '$SourceUserAccount'"
$TargetUser = Get-AzureADUser -Filter "UserPrincipalName eq '$TargetUserAccount'"

#Check if source and Target users are valid
If($SourceUser -ne $Null -and $TargetUser -ne $Null)
{
    #Get All Groups where the Source user is an Owner (-All $true returns every owned object, not just the first page)
    $SourceOwnerships = Get-AzureADUserOwnedObject -ObjectId $SourceUser.ObjectId -All $true | Where-object { $_.ObjectType -eq "Group" }

    #Loop through Each Group
    ForEach($Ownership in $SourceOwnerships)
    {
        #Check if the target user is not already an owner of the group
        $GroupOwners = (Get-AzureADGroupOwner -ObjectId $Ownership.ObjectId -All $true).UserPrincipalName
        If ($GroupOwners -notcontains $TargetUserAccount)
        {
            #Add Target user as an owner of the Source User's group
            Add-AzureADGroupOwner -ObjectId $Ownership.ObjectId -RefObjectId $TargetUser.ObjectId
            Write-host "Added user to Group:" $Ownership.DisplayName
        }
    }
}
Else
{
    Write-host "Source or Target user is invalid!" -f Yellow
}

Copying group membership using PowerShell can save a significant amount of time and effort, as it allows you to quickly grant a user access to all the same resources and permissions as another user. By following the steps outlined in this tutorial, you can do this for both group memberships and group ownerships. As always, it is a good idea to double-check the membership of the destination user to ensure that the correct permissions have been assigned.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

7 thoughts on “How to Copy Office 365 Group membership to another user using PowerShell?”

  • Are you supposed to run the script in one go?

    When I ran the script, PowerShell was unresponsive.

  • Is there a way to also add shared mailboxes to this?

    • No, because this script only works for Azure and not for Exchange Online. Sadly, there is no way to implement that right now…

  • Any updates on the: mail-enabled security groups issue?

  • Really handy script! Thanks!
    Is there a way to copy Eligible assignments as well?

    Regards,
    Peter

  • Hi,
    I received the same error message. Office 365 groups were successfully copied but mail enabled and distro group membership was not. Please help.

  • Hi, I was able to add some groups, but for all mail-enabled groups I get the below error message:

    Added user to Group: Sales-All
    Add-AzureADGroupMember : Error occurred while executing AddGroupMember
    Code: Request_BadRequest
    Message: Cannot Update a mail-enabled security groups and or distribution list.
    RequestId: ed3671e6-eef5-4d8d-b330-89759571f24b
    DateTimeStamp: Thu, 03 Feb 2022 16:42:43 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:28 char:13
    + Add-AzureADGroupMember -ObjectId $Membership.ObjectId -Re …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember

