Enterprise Mobility and Security Blog


Howdy folks,

This week we published a really cool update to Azure AD PowerShell v2.0 preview cmdlets. This update gives you some pretty killer new Azure AD functionality. The new thing I’m the most jazzed about is managing dynamic group settings using PowerShell. This was a top request from all you PowerShell folks out there. Previously, you needed to set rules for the creation and population of these groups using the management UX. Not anymore!

And the new AzureADMSGroup cmdlets provide the functionality of Microsoft Graph to create and manage groups, which includes creating Office 365 groups and dynamic groups through PowerShell.

With these cmdlets you can create new dynamic groups, set or update the dynamic group rule, and start and pause dynamic group processing. You can also use other Azure AD cmdlets to orchestrate all this in bulk.

Imagine running a script that automatically creates dynamic groups for all your departments, all your device types, or maybe for all your managers in your directory. Now you can understand why I’m so excited about this!

Managing dynamic groups through Azure AD PowerShell

Create and manage a dynamic group by using the New-AzureADMSGroup cmdlet. In this example, we’re creating a dynamic security group called “All marketing users”:

New-AzureADMSGroup -Description "Marketing team" -DisplayName "Dynamic groups with all Marketing users" -MailEnabled $false -SecurityEnabled $true -MailNickname "Foo" -GroupTypes "DynamicMembership" -MembershipRule "(user.department -eq ""Marketing"")" -MembershipRuleProcessingState "Paused"

When you execute this cmdlet, the following output is returned:

Id : db78a43d-ba08-4eab-8766-07280a4ba580
Description : Marketing team
OnPremisesSyncEnabled :
DisplayName : Dynamic groups with all Marketing users
OnPremisesLastSyncDateTime :
Mail :
MailEnabled : False
MailNickname : Foo
OnPremisesSecurityIdentifier :
ProxyAddresses : {}
SecurityEnabled : True
GroupTypes : {DynamicMembership}
MembershipRule : (user.department -eq "Marketing")
MembershipRuleProcessingState : Paused

Creating an Office 365 group with AzureAD PowerShell

You can also create an Office 365 group using the New-AzureADMSGroup cmdlet. In the example below, we’re creating a new Office 365 group for all the stamp collectors in our organization:

PS C:\Users\rodejo> New-AzureADMSGroup -Description "Stamp Collectors" -DisplayName "Office 365 group for all Stamp Collectors in our org" -MailEnabled $true -SecurityEnabled $true -MailNickname "StampCollectors" -GroupTypes "Unified"

And this is the output the cmdlet call returns:

Id : 92e93152-a1a6-4aac-a18a-bfe157e3b319
Description : Stamp Collectors
OnPremisesSyncEnabled :
DisplayName : Office 365 group for all Stamp Collectors in our org
OnPremisesLastSyncDateTime :
Mail : StampCollectors3545@drumkit.onmicrosoft.com
MailEnabled : True
MailNickname : StampCollectors
OnPremisesSecurityIdentifier :
ProxyAddresses : {SMTP:StampCollectors3545@drumkit.onmicrosoft.com}
SecurityEnabled : True
GroupTypes : {Unified}
MembershipRule :
MembershipRuleProcessingState :

Some things to note:

  • The value that you provide for the “MailNickName” parameter is used to create both the SMTP address and the email address of the group. If the MailNickName is not unique, a four-digit string is added to the SMTP and email addresses to make them unique, like in the example above.
  • Any values you set for SecurityEnabled and MailEnabled are ignored when creating an Office 365 group, because these groups are implicitly security and mail enabled when used in Office 365 features.
  • If you want to create a dynamic Office 365 group, you need to specify both “DynamicMembership” and “Unified” in the GroupTypes parameter, as in:

Set-AzureADMSGroup -Id c6edea99-12e7-40f9-9508-862193fcb710 -GroupTypes "DynamicMembership","Unified" -MembershipRule "(User.department -eq ""Marketing"")" -MembershipRuleProcessingState "Paused"

Managing the processing state of a group

Sometimes you may want to stop the processing of a dynamic group, like when you’re importing a large number of new users or reorganizing your group architecture. To do that, use the MembershipRuleProcessingState parameter to switch processing on and off.

To switch it off, use:

Set-AzureADMSGroup -Id 92e93152-a1a6-4aac-a18a-bfe157e3b319 -MembershipRuleProcessingState "Paused"

And to switch it back on, use:

Set-AzureADMSGroup -Id 92e93152-a1a6-4aac-a18a-bfe157e3b319 -MembershipRuleProcessingState "On"
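The bulk scenario mentioned at the top of this post (one dynamic group per department), combined with the paused processing state described above, could look like the following. This is an added example, not code from the original post or from Microsoft; the "Dyn-Dept-" naming prefix, the two function names and the allow-list pattern are assumptions made for the sketch.

```powershell
# Added example. Assumes the AzureAD preview module is loaded and Connect-AzureAD has run.
# "Dyn-Dept-" and both function names are hypothetical, chosen for this sketch.

function New-DepartmentDynamicGroup {
    param([string[]]$Departments)
    foreach ($dept in $Departments) {
        # Allow-list: letters, digits, space, hyphen. A quote or parenthesis in the
        # attribute value would otherwise change the rule (or the filter) we build.
        if ($dept -notmatch '^[A-Za-z0-9 \-]{1,64}$') {
            Write-Warning "Skipping '$dept': create this group by hand after review."
            continue
        }
        $displayName = "Dyn-Dept-$dept"
        # Idempotent: do nothing if a group with this name already exists.
        if (Get-AzureADMSGroup -Filter "displayName eq '$displayName'") { continue }

        New-AzureADMSGroup -DisplayName $displayName `
            -Description "All users whose department is $dept" `
            -MailEnabled $false -SecurityEnabled $true `
            -MailNickname ("dyn" + ($dept -replace '[^A-Za-z0-9]', '')) `
            -GroupTypes "DynamicMembership" `
            -MembershipRule "(user.department -eq ""$dept"")" `
            -MembershipRuleProcessingState "Paused"   # no members until reviewed
    }
}

function Enable-ReviewedDepartmentGroup {
    # Run separately, once the rules of the paused groups have been checked.
    Get-AzureADMSGroup -All $true |
        Where-Object { $_.DisplayName -like 'Dyn-Dept-*' -and
                       $_.MembershipRuleProcessingState -eq 'Paused' } |
        ForEach-Object {
            Set-AzureADMSGroup -Id $_.Id -MembershipRuleProcessingState "On"
        }
}

# Distinct, non-empty department values (Sort-Object -Unique ignores case).
$departments = Get-AzureADUser -All $true |
    Where-Object { $_.Department } |
    Select-Object -ExpandProperty Department |
    Sort-Object -Unique

New-DepartmentDynamicGroup -Departments $departments
# Enable-ReviewedDepartmentGroup
```

Because membership follows user.department, anyone who can write that attribute effectively decides who is in these groups, so check who holds that permission before using the groups to grant access.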

Other release updates

This release also includes a few other changes and new cmdlets.

Cmdlets to revoke a user’s Refresh Tokens: We got requests from several customers to provide capabilities to revoke a user’s refresh tokens. To address that need, we added these two new cmdlets:


This cmdlet is used by the admin to invalidate all of their own refresh tokens issued to applications by resetting the refreshTokensValidFromDateTime user property to the current date-time. It also resets session cookies in a user’s browser. Use this command if you are concerned your account has been attacked or if you are trying to get back to a “clean” state when you are trying to verify a sign-in flow.


This cmdlet invalidates all the refresh tokens (as well as session cookies in a user’s browser) of the user the admin specifies when invoking the command. This is accomplished by resetting the refreshTokensValidFromDateTime user property to the current date-time.

Connect-AzureAD no longer requires -Force: We learned from your feedback that you’d rather not have the Connect-AzureAD cmdlet prompt for confirmation, so we removed the requirement to specify the -Force parameter to suppress the confirmation prompt.

Naming convention change for cmdlets that call Microsoft Graph: In a previous blog post we mentioned how we’re aligning AzureAD PowerShell V2 functionality with Graph API functionality. Since the AzureAD PowerShell cmdlets expose both the Azure AD Graph API and the Microsoft Graph, we decided to make a small change to the naming convention of our cmdlets. Moving forward, all cmdlets that call the Microsoft Graph will have “MS” in their cmdlet names, as in “Get-AzureADMSGroup”. The cmdlets that call the Azure AD Graph will not change, so there is also a “Get-AzureADGroup” cmdlet. We’ll be implementing these name changes in an upcoming release and will share all the details then.

Getting started

To get started using the New-AzureADMSGroup cmdlet, take a look at a short video we made detailing how to manage dynamic groups using PowerShell.

Dynamic Membership for Groups requires an Azure AD premium license, so if you don’t have one already, make sure to sign up for a free trial license.

I hope you’ll find these new capabilities useful! And as always, we would love to receive any feedback or suggestions you have.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division