Azure Active Directory version 2 cmdlets for group management

This article contains examples of how to use PowerShell to manage your groups in Azure Active Directory (Azure AD). It also tells you how to get set up with the Azure AD PowerShell module. First, you must download the Azure AD PowerShell module.

Install the Azure AD PowerShell module

To install the Azure AD PowerShell module, use the following commands:

    PS C:\Windows\system32> install-module azuread
    PS C:\Windows\system32> import-module azuread

To verify that the module is ready to use, use the following command:

    PS C:\Windows\system32> get-module azuread

    ModuleType Version      Name                                ExportedCommands
    ---------- ---------    ----                                ----------------
    Binary     2.0.0.115    azuread                      {Add-AzureADAdministrati...}

Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module, refer to the online reference documentation for Azure Active Directory PowerShell Version 2.

Connect to the directory

Before you can start managing groups using Azure AD PowerShell cmdlets, you must connect your PowerShell session to the directory you want to manage. Use the following command:

    PS C:\Windows\system32> Connect-AzureAD

The cmdlet prompts you for the credentials you want to use to access your directory. In this example, we are using karen@drumkit.onmicrosoft.com to access the demonstration directory. The cmdlet returns a confirmation to show that the session was connected successfully to your directory:

    Account                       Environment Tenant
    -------                       ----------- ------
    Karen@drumkit.onmicrosoft.com AzureCloud  85b5ff1e-0402-400c-9e3c-0f…

Now you can start using the AzureAD cmdlets to manage groups in your directory.

Retrieve groups

To retrieve existing groups from your directory, use the Get-AzureADGroup cmdlet.

To retrieve all groups in the directory, use the cmdlet without parameters:

    PS C:\Windows\system32> get-azureadgroup

The cmdlet returns all groups in the connected directory.

You can use the -ObjectId parameter to retrieve a specific group by its ObjectId:

    PS C:\Windows\system32> get-azureadgroup -ObjectId e29bae11-4ac0-450c-bc37-6dae8f3da61b

The cmdlet now returns the group whose ObjectId matches the parameter value you entered:

    DeletionTimeStamp            :
    ObjectId                     : e29bae11-4ac0-450c-bc37-6dae8f3da61b
    ObjectType                   : Group
    Description                  :
    DirSyncEnabled               :
    DisplayName                  : Pacific NW Support
    LastDirSyncTime              :
    Mail                         :
    MailEnabled                  : False
    MailNickName                 : 9bb4139b-60a1-434a-8c0d-7c1f8eee2df9
    OnPremisesSecurityIdentifier :
    ProvisioningErrors           : {}
    ProxyAddresses               : {}
    SecurityEnabled              : True

You can search for a specific group using the -Filter parameter. This parameter takes an OData filter clause and returns all groups that match the filter, as in the following example:

    PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"


    DeletionTimeStamp            :
    ObjectId                     : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
    ObjectType                   : Group
    Description                  : Intune Administrators
    DirSyncEnabled               :
    DisplayName                  : Intune Administrators
    LastDirSyncTime              :
    Mail                         :
    MailEnabled                  : False
    MailNickName                 : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
    OnPremisesSecurityIdentifier :
    ProvisioningErrors           : {}
    ProxyAddresses               : {}
    SecurityEnabled              : True

Note

The Azure AD PowerShell cmdlets implement the OData query standard. For more information, see $filter in OData system query options using the OData endpoint.

Create groups

To create a new group in your directory, use the New-AzureADGroup cmdlet. This cmdlet creates a new security group called "Marketing":

    PS C:\Windows\system32> New-AzureADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled $false -SecurityEnabled $true -MailNickName "Marketing"

Update groups

To update an existing group, use the Set-AzureADGroup cmdlet. In this example, we change the Description property of the group "Intune Administrators". First, we find the group using the Get-AzureADGroup cmdlet, filtering on the DisplayName attribute:

    PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"


    DeletionTimeStamp            :
    ObjectId                     : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
    ObjectType                   : Group
    Description                  : Intune Administrators
    DirSyncEnabled               :
    DisplayName                  : Intune Administrators
    LastDirSyncTime              :
    Mail                         :
    MailEnabled                  : False
    MailNickName                 : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
    OnPremisesSecurityIdentifier :
    ProvisioningErrors           : {}
    ProxyAddresses               : {}
    SecurityEnabled              : True

Next, we change the Description property to the new value "Intune Device Administrators":

    PS C:\Windows\system32> Set-AzureADGroup -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -Description "Intune Device Administrators"

Now, if we retrieve the group again, we see that the Description property has been updated to reflect the new value:

    PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"

    DeletionTimeStamp            :
    ObjectId                     : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
    ObjectType                   : Group
    Description                  : Intune Device Administrators
    DirSyncEnabled               :
    DisplayName                  : Intune Administrators
    LastDirSyncTime              :
    Mail                         :
    MailEnabled                  : False
    MailNickName                 : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
    OnPremisesSecurityIdentifier :
    ProvisioningErrors           : {}
    ProxyAddresses               : {}
    SecurityEnabled              : True

Delete groups

To delete groups from your directory, use the Remove-AzureADGroup cmdlet as follows:

    PS C:\Windows\system32> Remove-AzureADGroup -ObjectId b11ca53e-07cc-455d-9a89-1fe3ab24566b

Manage group membership

Add members

To add new members to a group, use the Add-AzureADGroupMember cmdlet. This command adds a member to the Intune Administrators group we used in the previous example:

    PS C:\Windows\system32> Add-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -RefObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea

The -ObjectId parameter is the ObjectId of the group to which we want to add a member, and -RefObjectId is the ObjectId of the user we want to add as a member of the group.

Get members

To get the existing members of a group, use the Get-AzureADGroupMember cmdlet, as in this example:

    PS C:\Windows\system32> Get-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df

    DeletionTimeStamp ObjectId                             ObjectType
    ----------------- --------                             ----------
                          72cd4bbd-2594-40a2-935c-016f3cfeeeea User
                          8120cc36-64b4-4080-a9e8-23aa98e8b34f User

Remove members

To remove the member we previously added to the group, use the Remove-AzureADGroupMember cmdlet, as shown here:

    PS C:\Windows\system32> Remove-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -MemberId 72cd4bbd-2594-40a2-935c-016f3cfeeeea

Verify members

To verify the group memberships of a user, use the Select-AzureADGroupIdsUserIsMemberOf cmdlet. This cmdlet takes as its parameters the ObjectId of the user whose group memberships to check, and a list of groups to check membership against. The list of groups must be provided as a complex variable of type "Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck", so we first create a variable of that type:

    PS C:\Windows\system32> $g = new-object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck

Next, we provide the group ids to check in the "GroupIds" attribute of this complex variable:

    PS C:\Windows\system32> $g.GroupIds = "b11ca53e-07cc-455d-9a89-1fe3ab24566b", "31f1ff6c-d48c-4f8a-b2e1-abca7fd399df"

Now, to check the group memberships of the user with ObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea against the groups in $g, we use:

    PS C:\Windows\system32> Select-AzureADGroupIdsUserIsMemberOf -ObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea -GroupIdsForMembershipCheck $g

    OdataMetadata                                                                                                 Value
    -------------                                                                                                  -----
    https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String)             {31f1ff6c-d48c-4f8a-b2e1-abca7fd399df}

The value returned is the list of groups of which this user is a member. You can also apply this method to check the membership of contacts, groups, or service principals in a given list of groups, using Select-AzureADGroupIdsContactIsMemberOf, Select-AzureADGroupIdsGroupIsMemberOf, or Select-AzureADGroupIdsServicePrincipalIsMemberOf.
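As an added example (not code from the original article), the following function wraps the membership check above so that it returns one row per group, with the group's display name and a clear IsMember flag, instead of the raw id list. It assumes an already connected AzureAD session; the function name and the GUID validation are additions of this example.

```powershell
# Added example: report a user's membership in each group of a given list,
# using the GroupIdsForMembershipCheck type the article describes.
function Test-AzureADUserGroupMembership {
    param(
        [Parameter(Mandatory)] [string]   $UserObjectId,
        [Parameter(Mandatory)] [string[]] $GroupObjectIds
    )

    # Reject malformed ids up front so a typo does not silently read as "not a member".
    foreach ($id in (@($UserObjectId) + $GroupObjectIds)) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) {
            throw "Not a valid ObjectId (GUID): $id"
        }
    }

    # The cmdlet requires the group list wrapped in this complex type.
    $check = New-Object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
    $check.GroupIds = $GroupObjectIds

    $result = Select-AzureADGroupIdsUserIsMemberOf -ObjectId $UserObjectId `
        -GroupIdsForMembershipCheck $check

    # The article shows the result as an object whose Value holds the matching ids;
    # some module builds return the ids directly, so both shapes are accepted here.
    $memberOf = if ($result -and $result.PSObject.Properties['Value']) { @($result.Value) } else { @($result) }

    foreach ($groupId in $GroupObjectIds) {
        $group = Get-AzureADGroup -ObjectId $groupId
        [pscustomobject]@{
            UserObjectId  = $UserObjectId
            GroupObjectId = $groupId
            DisplayName   = $group.DisplayName
            IsMember      = ($memberOf -contains $groupId)
        }
    }
}

# Usage with the ids from the article's own examples:
Test-AzureADUserGroupMembership -UserObjectId '72cd4bbd-2594-40a2-935c-016f3cfeeeea' `
    -GroupObjectIds 'b11ca53e-07cc-455d-9a89-1fe3ab24566b', '31f1ff6c-d48c-4f8a-b2e1-abca7fd399df' |
    Format-Table -AutoSize
```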

Disable group creation by your users

You can prevent non-admin users from creating security groups. The default behavior in Microsoft Online Directory Services (MSODS) is to allow non-admin users to create groups, whether or not self-service group management (SSGM) is also enabled. The SSGM setting controls behavior only in the My Apps access panel.

To disable group creation for non-admin users:

  1. Verify that non-admin users are allowed to create groups:

    PS C:\> Get-MsolCompanyInformation | fl UsersPermissionToCreateGroupsEnabled

  2. If it returns UsersPermissionToCreateGroupsEnabled : True, then non-admin users can create groups. To disable this feature:

    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False

Manage owners of groups

To add owners to a group, use the Add-AzureADGroupOwner cmdlet:

    PS C:\Windows\system32> Add-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -RefObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea

The -ObjectId parameter is the ObjectId of the group to which we want to add an owner, and -RefObjectId is the ObjectId of the user or service principal we want to add as an owner of the group.

To retrieve the owners of a group, use the Get-AzureADGroupOwner cmdlet:

    PS C:\Windows\system32> Get-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df

The cmdlet returns the list of owners (users and service principals) for the specified group:

    DeletionTimeStamp ObjectId                             ObjectType
    ----------------- --------                             ----------
                          e831b3fd-77c9-49c7-9fca-de43e109ef67 User

To remove an owner from a group, use the Remove-AzureADGroupOwner cmdlet:

    PS C:\Windows\system32> remove-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -OwnerId e831b3fd-77c9-49c7-9fca-de43e109ef67
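Because every owner can add members, the set of owners is part of a group's effective access control. The following audit, added here as an example and not part of the original article, walks all groups and flags those with no owner, more owners than a threshold, or a service-principal owner. It assumes a connected AzureAD session; the function name and the MaxOwners threshold are assumptions of this example.

```powershell
# Added example: report owners of every group and flag configurations worth a review.
function Get-AzureADGroupOwnerReport {
    param(
        # Groups with more owners than this are flagged (threshold chosen for this example)
        [int] $MaxOwners = 3
    )

    # -All $true pages through the whole directory instead of returning only the first page
    foreach ($group in Get-AzureADGroup -All $true) {
        $owners   = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId -All $true)
        $spOwners = @($owners | Where-Object { $_.ObjectType -eq 'ServicePrincipal' })

        $findings = @()
        if ($owners.Count -eq 0)          { $findings += 'NoOwner' }
        if ($owners.Count -gt $MaxOwners) { $findings += 'TooManyOwners' }
        if ($spOwners.Count -gt 0)        { $findings += 'ServicePrincipalOwner' }

        [pscustomobject]@{
            ObjectId        = $group.ObjectId
            DisplayName     = $group.DisplayName
            SecurityEnabled = $group.SecurityEnabled
            OwnerCount      = $owners.Count
            Owners          = (($owners | ForEach-Object { $_.DisplayName }) -join '; ')
            Findings        = ($findings -join ',')
        }
    }
}

# Show only the groups that have at least one finding
Get-AzureADGroupOwnerReport | Where-Object { $_.Findings } | Format-Table -AutoSize
```

Security groups with findings deserve the first look, since their membership grants access to resources.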

Reserved aliases

When a group is created, certain endpoints allow the end user to specify a mailNickname or alias to be used as part of the email address of the group. Groups with the following highly privileged email aliases can only be created by an Azure AD global administrator.

  • abuse
  • admin
  • administrator
  • hostmaster
  • majordomo
  • postmaster
  • root
  • secure
  • security
  • ssl-admin
  • webmaster
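Combining the New-AzureADGroup call from the Create groups section with the list above, this added example (not code from the original article) refuses a reserved alias before calling the directory and also rejects a display name that already exists, since duplicate names make a group easy to mistake for another. It assumes a connected AzureAD session; the function name is an assumption of this example.

```powershell
# Added example: create a security group only after checking the alias and the name.
$ReservedAliases = @('abuse', 'admin', 'administrator', 'hostmaster', 'majordomo',
                     'postmaster', 'root', 'secure', 'security', 'ssl-admin', 'webmaster')

function New-AzureADSecurityGroupChecked {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickName,
        [string] $Description = $DisplayName
    )

    # Reserved aliases need a global administrator; fail early with a clear message.
    # -contains compares strings case-insensitively, so 'Admin' is caught as well.
    if ($ReservedAliases -contains $MailNickName.Trim()) {
        throw "MailNickName '$MailNickName' is a reserved alias; only a global administrator may create it."
    }

    # The directory allows duplicate display names; refuse them here to avoid confusion.
    # Single quotes inside an OData string literal are escaped by doubling them.
    $escaped  = $DisplayName -replace "'", "''"
    $existing = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
    if ($existing.Count -gt 0) {
        throw "A group named '$DisplayName' already exists (ObjectId $($existing[0].ObjectId))."
    }

    New-AzureADGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled $false -SecurityEnabled $true -MailNickName $MailNickName
}

# Usage with the name from the article's Create groups example:
New-AzureADSecurityGroupChecked -DisplayName 'Marketing' -MailNickName 'Marketing'
```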

Group writeback to on-premises (preview)

Today, many groups are still managed in on-premises Active Directory. To answer requests to sync cloud groups back to on-premises, the Office 365 group writeback feature for Azure AD is now available in preview.

Office 365 groups are created and managed in the cloud. The writeback capability allows you to write back Office 365 groups as distribution groups to an Active Directory forest with Exchange installed. Users with on-premises Exchange mailboxes can then send and receive email from these groups. The group writeback feature does not support Azure AD security groups or distribution groups.

For more details, refer to the documentation for the Azure AD Connect sync service.

Office 365 group writeback is a public preview feature of Azure Active Directory (Azure AD) and is available with any paid Azure AD license plan. For some legal information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Next steps

You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.