Office 365: Unable to modify group membership in the Office 365 portal…
In Office 365 cloud only groups can have their membership managed through the Office 365 portal or through the Azure Active Directory powershell commands. As with on premises Active Directory multiple group types can be created and managed. You can also create direct user membership in groups as well as nested group membership. I recently had an interesting experience with a customer attempting to manage nested group membership.
There is a top level group in our example called TopLevelGroup. The group contained two members – an individual user account and another nested group.
PS C:\> Get-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7
GroupMemberType EmailAddress DisplayName
--------------- ------------ -----------
User tmcmichael@domain.com Timothy McMichael
Group SubGroup0
The group membership is consistent in both powershell and the portal.
There is a sub group in our example called SubGroup0. The groups contains a single member – an individual user account.
PS C:\> Get-MsolGroupMember -GroupObjectId 8966d905-c966-4d2e-89ea-a151f1534252
GroupMemberType EmailAddress DisplayName
--------------- ------------ -----------
User tmcmichael@domain.com Timothy McMichael
The group membership is consistent in both powershell and the portal.
Through the course of administration the individual user account was accidentally removed from the top level group.
PS C:\> Get-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7
GroupMemberType EmailAddress DisplayName
--------------- ------------ -----------
Group SubGroup0
When the accidental deletion was discovered the administrator attempted to add the user back to the top level group. To perform this operation the administrator selected the group within the portal – selected the edit members option – and the add members operation button. This presented the administrator with the list of users to add to the group. Using the search operation the user was located. When the user was found it was noted that the user already had a checkbox next to them and the save button was greyed out. The user could not be added through the portal interface.
You can also attempt to modify the groups that an individual is a member of through the individual user properties. The user is located under active users and is selected for properties. Under Group Membership select the edit option then the add memberships button. This brings up the group search option. When searching for the group the same behavior is noted. The group already has the checkbox selected as if the user is a member.
Why is this occurring? The portal is actually displaying the group membership based on expanding all subgroup members. In this case the individual user account continues to be a member of the subgroup. Since it is a member of the subgroup the portal expands it as a member of the top level group. If this is the case – how do I get the user to be a direct member of the top level group if that is the desire? In order to perform this operation powershell must be utilized. Here is an example…
Get the object ID of the individual user.
PS C:\> get-msoluser -UserPrincipalName tmcmichael@domain.com | select-object objectID
ObjectId
--------
61425db0-7812-49dd-b6aa-1a732bdec569
Get the object ID of the top level group.
PS C:\> Get-MsolGroup -SearchString TopLevelGroup | select-object objectID
ObjectId
--------
a988084b-8642-4406-b25d-8687b8c509e7
Add the user to the top level group.
PS C:\> Add-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7 -GroupMemberType User -GroupMemberObjectId 61425db0-7812-49dd-b6aa-1a732bdec569
Validate the group membership is correct.
PS C:\> Get-MsolGroupMember -GroupObjectId a988084b-8642-4406-b25d-8687b8c509e7
GroupMemberType EmailAddress DisplayName
--------------- ------------ -----------
User tmcmichael@domain.com Timothy McMichael
Group SubGroup0
Using these steps the user can be restored back as a member to the top level group.