From d1947b32f48a158b8c79ff92bd891e5610e16282 Mon Sep 17 00:00:00 2001 From: Gautam Sheth Date: Sun, 16 Nov 2025 21:39:12 +0200 Subject: [PATCH 1/3] Add MemberObjectId parameter to Remove-PnPAzureADGroupMember and Remove-PnPAzureADGroupOwner cmdlets; update documentation and utility methods for handling directory objects --- documentation/Remove-PnPAzureADGroupMember.md | 36 ++++++++++++++++++- documentation/Remove-PnPAzureADGroupOwner.md | 34 ++++++++++++++++++ .../AzureAD/RemoveAzureADGroupMember.cs | 20 ++++++++--- .../AzureAD/RemoveAzureADGroupOwner.cs | 20 ++++++++--- .../Utilities/Microsoft365GroupsUtility.cs | 16 +++++++++ 5 files changed, 117 insertions(+), 9 deletions(-) diff --git a/documentation/Remove-PnPAzureADGroupMember.md b/documentation/Remove-PnPAzureADGroupMember.md index f77926cad..4a636885c 100644 --- a/documentation/Remove-PnPAzureADGroupMember.md +++ b/documentation/Remove-PnPAzureADGroupMember.md @@ -20,7 +20,11 @@ Removes members from a particular Azure Active Directory group. This can be a se ## SYNTAX ```powershell -Remove-PnPAzureADGroupMember -Identity -Users +Remove-PnPAzureADGroupMember -Identity -Users +``` + +```powershell +Remove-PnPAzureADGroupMember -Identity -MemberObjectId ``` ## DESCRIPTION 
@@ -36,6 +40,22 @@ Remove-PnPAzureADGroupMember -Identity "Project Team" -Users "john@contoso.onmic Removes the provided two users as members from the Azure Active Directory group named "Project Team" +### EXAMPLE 2 +```powershell +# Remove a nested group by its ObjectId +Remove-PnPAzureADGroupMember -Identity $parentGroupId -MemberObjectId $childGroupId +``` + +Removes the group with ObjectId `$childGroupId` from the group identified by `$parentGroupId`. + +### EXAMPLE 3 +```powershell +# Pipeline by property name (Id) +Get-PnPAzureADGroupMember -Identity $parentGroupId | Where-Object { $_.Id -eq $childGroupId } | Remove-PnPAzureADGroupMember -Identity $parentGroupId +``` + +Pipes a member (group or user) whose `Id` matches `$childGroupId` into the cmdlet and removes it. + ## PARAMETERS ### -Identity @@ -66,6 +86,20 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -MemberObjectId +The ObjectId(s) of directory object(s) (Users or Groups) to remove from the Azure Active Directory group. Use this to remove nested groups that do not have a UPN. + +```yaml +Type: Guid[] +Parameter Sets: MemberObjectId + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + ## RELATED LINKS [Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp) diff --git a/documentation/Remove-PnPAzureADGroupOwner.md b/documentation/Remove-PnPAzureADGroupOwner.md index f1b91a0c8..d5d7e0d11 100644 --- a/documentation/Remove-PnPAzureADGroupOwner.md +++ b/documentation/Remove-PnPAzureADGroupOwner.md @@ -23,6 +23,10 @@ Removes owners from a particular Azure Active Directory group. This can be a sec Remove-PnPAzureADGroupOwner -Identity -Users [-Verbose] ``` +```powershell +Remove-PnPAzureADGroupOwner -Identity -MemberObjectId [-Verbose] +``` + ## DESCRIPTION Allows to remove owners from Azure Active Directory group. 
@@ -36,6 +40,22 @@ Remove-PnPAzureADGroupOwner -Identity "Project Team" -Users "john@contoso.onmicr Removes the provided two users as owners from the Azure Active Directory group named "Project Team". +### EXAMPLE 2 +```powershell +# Remove an owner by ObjectId +Remove-PnPAzureADGroupOwner -Identity $groupId -MemberObjectId $ownerObjectId +``` + +Removes the owner (user or group) with ObjectId `$ownerObjectId` from the group identified by `$groupId`. + +### EXAMPLE 3 +```powershell +# Pipeline by property name (Id) +Get-PnPAzureADGroupOwner -Identity $groupId | Where-Object { $_.Id -eq $ownerObjectId } | Remove-PnPAzureADGroupOwner -Identity $groupId +``` + +Pipes an owner whose `Id` matches `$ownerObjectId` into the cmdlet and removes it. + ## PARAMETERS ### -Identity @@ -66,6 +86,20 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -MemberObjectId +The ObjectId(s) of directory object(s) (Users or Groups) to remove from the Azure Active Directory group as owners. Use this to remove owners that do not have a UPN. + +```yaml +Type: Guid[] +Parameter Sets: MemberObjectId + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + ## RELATED LINKS [Microsoft 365 Patterns and Practices](https://aka.ms/m365pnp) diff --git a/src/Commands/AzureAD/RemoveAzureADGroupMember.cs b/src/Commands/AzureAD/RemoveAzureADGroupMember.cs index 70a9bbf72..dd62acb64 100644 --- a/src/Commands/AzureAD/RemoveAzureADGroupMember.cs +++ b/src/Commands/AzureAD/RemoveAzureADGroupMember.cs 
@@ -7,17 +7,22 @@ namespace PnP.PowerShell.Commands.Graph { - [Cmdlet(VerbsCommon.Remove, "PnPAzureADGroupMember")] + [Cmdlet(VerbsCommon.Remove, "PnPAzureADGroupMember", DefaultParameterSetName = "ByUPN")] [RequiredApiDelegatedOrApplicationPermissions("graph/Group.ReadWrite.All")] [Alias("Remove-PnPEntraIDGroupMember")] public class RemoveAzureADGroupMember : PnPGraphCmdlet { - [Parameter(Mandatory = true, ValueFromPipeline = true)] + [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = "ByUPN")] + [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = "ByObjectId")] public AzureADGroupPipeBind Identity; - [Parameter(Mandatory = true)] + [Parameter(Mandatory = true, ParameterSetName = "ByUPN")] public string[] Users; + [Parameter(Mandatory = true, ParameterSetName = "ByObjectId", ValueFromPipelineByPropertyName = true)] + [Alias("ObjectId", "Id")] + public System.Guid[] MemberObjectId; + protected override void ExecuteCmdlet() { Group group = null; @@ -29,7 +34,14 @@ protected override void ExecuteCmdlet() if (group != null) { - Microsoft365GroupsUtility.RemoveMembers(GraphRequestHelper, new System.Guid(group.Id), Users); + if (ParameterSetName == "ByUPN" && Users != null && Users.Length > 0) + { + Microsoft365GroupsUtility.RemoveMembers(GraphRequestHelper, new System.Guid(group.Id), Users); + } + else if (ParameterSetName == "ByObjectId" && MemberObjectId != null && MemberObjectId.Length > 0) + { + Microsoft365GroupsUtility.RemoveDirectoryMembers(GraphRequestHelper, new System.Guid(group.Id), MemberObjectId); + } } } } diff --git a/src/Commands/AzureAD/RemoveAzureADGroupOwner.cs b/src/Commands/AzureAD/RemoveAzureADGroupOwner.cs index e0fbec29c..62b1437c2 100644 --- a/src/Commands/AzureAD/RemoveAzureADGroupOwner.cs +++ b/src/Commands/AzureAD/RemoveAzureADGroupOwner.cs 
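Review bot: The `[Cmdlet(...)]` attribute on `RemoveAzureADGroupMember` still declares no `SupportsShouldProcess`, while the new `MemberObjectId` parameter binds from the pipeline by property name through the `ObjectId` and `Id` aliases. Piping the output of a member listing into the cmdlet therefore removes every piped object, with no `-WhatIf` or `-Confirm` to preview the change. Consider `[Cmdlet(VerbsCommon.Remove, "PnPAzureADGroupMember", DefaultParameterSetName = "ByUPN", SupportsShouldProcess = true)]` with a `ShouldProcess` check before the removal call in `ExecuteCmdlet`, or whatever confirmation convention the project already uses for its Remove cmdlets. The same applies to the matching attribute hunk in RemoveAzureADGroupOwner.cs, where an unintended bulk removal strips group owners. The class body continues outside this hunk.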
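Review bot: Nothing is reported when no removal takes place: if `group` is still null at `if (group != null)`, or neither parameter-set branch is taken, `ExecuteCmdlet` returns without an error or warning, so a script that revokes access sees success. Both `Users` and `MemberObjectId` are declared `Mandatory = true`, so the added `!= null` and `Length > 0` tests look redundant, and the unresolved group is the case worth surfacing, for example `else { throw new PSArgumentException("Group not found", nameof(Identity)); }`, or a non-terminating `WriteError` if existing scripts rely on the quiet return. The set names `"ByUPN"` and `"ByObjectId"` are repeated as string literals in the attributes and in these comparisons; two `private const string` fields would keep them in sync. The lookup that assigns `group` lies between the two hunks and is not visible here. The second hunk of RemoveAzureADGroupOwner.cs has the same shape.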
@@ -7,17 +7,22 @@ namespace PnP.PowerShell.Commands.Graph { - [Cmdlet(VerbsCommon.Remove, "PnPAzureADGroupOwner")] + [Cmdlet(VerbsCommon.Remove, "PnPAzureADGroupOwner", DefaultParameterSetName = "ByUPN")] [RequiredApiDelegatedOrApplicationPermissions("graph/Group.ReadWrite.All")] [Alias("Remove-PnPEntraIDGroupOwner")] public class RemoveAzureADGroupOwner : PnPGraphCmdlet { - [Parameter(Mandatory = true, ValueFromPipeline = true)] + [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = "ByUPN")] + [Parameter(Mandatory = true, ValueFromPipeline = true, ParameterSetName = "ByObjectId")] public AzureADGroupPipeBind Identity; - [Parameter(Mandatory = true)] + [Parameter(Mandatory = true, ParameterSetName = "ByUPN")] public string[] Users; + [Parameter(Mandatory = true, ParameterSetName = "ByObjectId", ValueFromPipelineByPropertyName = true)] + [Alias("ObjectId", "Id")] + public System.Guid[] MemberObjectId; + protected override void ExecuteCmdlet() { Group group = null; @@ -29,7 +34,14 @@ protected override void ExecuteCmdlet() if (group != null) { - Microsoft365GroupsUtility.RemoveOwners(GraphRequestHelper, new System.Guid(group.Id), Users); + if (ParameterSetName == "ByUPN" && Users != null && Users.Length > 0) + { + Microsoft365GroupsUtility.RemoveOwners(GraphRequestHelper, new System.Guid(group.Id), Users); + } + else if (ParameterSetName == "ByObjectId" && MemberObjectId != null && MemberObjectId.Length > 0) + { + Microsoft365GroupsUtility.RemoveDirectoryOwners(GraphRequestHelper, new System.Guid(group.Id), MemberObjectId); + } } } } diff --git a/src/Commands/Utilities/Microsoft365GroupsUtility.cs b/src/Commands/Utilities/Microsoft365GroupsUtility.cs index 648897129..ccefe590d 100644 --- a/src/Commands/Utilities/Microsoft365GroupsUtility.cs +++ b/src/Commands/Utilities/Microsoft365GroupsUtility.cs 
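Review bot: The owner cmdlet exposes the new parameter as `MemberObjectId`, although `ExecuteCmdlet` passes it to `RemoveDirectoryOwners` and the documentation describes it as the owners to remove. A parameter name is public surface and hard to rename once released, so it may be worth calling it `OwnerObjectId` here and keeping the old name reachable through the alias list, `[Alias("ObjectId", "Id", "MemberObjectId")]`, if parity with the member cmdlet is wanted. The documentation page for the owner cmdlet would need the same rename. The class body continues outside this hunk.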
@@ -362,6 +362,22 @@ internal static void RemoveMembers(ApiRequestHelper requestHelper, Guid groupId, RemoveUserFromGroup(requestHelper, "members", groupId, users); } + internal static void RemoveDirectoryMembers(ApiRequestHelper requestHelper, Guid groupId, Guid[] directoryObjects) + { + foreach (var dirObject in directoryObjects) + { + requestHelper.Delete($"v1.0/groups/{groupId}/members/{dirObject}/$ref"); + } + } + + internal static void RemoveDirectoryOwners(ApiRequestHelper requestHelper, Guid groupId, Guid[] directoryObjects) + { + foreach (var dirObject in directoryObjects) + { + requestHelper.Delete($"v1.0/groups/{groupId}/owners/{dirObject}/$ref"); + } + } + private static void RemoveUserFromGroup(ApiRequestHelper requestHelper, string groupName, Guid groupId, string[] users) { foreach (var user in users) From f34b498ac38b43d4124a7be9a6e351e8ae535ac8 Mon Sep 17 00:00:00 2001 From: Gautam Sheth Date: Sun, 16 Nov 2025 21:46:02 +0200 Subject: [PATCH 2/3] Update documentation/Remove-PnPAzureADGroupOwner.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- documentation/Remove-PnPAzureADGroupOwner.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/Remove-PnPAzureADGroupOwner.md b/documentation/Remove-PnPAzureADGroupOwner.md index d5d7e0d11..57c19702a 100644 --- a/documentation/Remove-PnPAzureADGroupOwner.md +++ b/documentation/Remove-PnPAzureADGroupOwner.md @@ -91,7 +91,7 @@ The ObjectId(s) of directory object(s) (Users or Groups) to remove from the Azur ```yaml Type: Guid[] -Parameter Sets: MemberObjectId +Parameter Sets: ByObjectId Required: True Position: Named From 0d8e365e90183066381d6456632777a5af23f843 Mon Sep 17 00:00:00 2001 
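Review bot: The return value of `requestHelper.Delete(...)` is discarded in both new loops, in `RemoveDirectoryMembers` and in `RemoveDirectoryOwners`. Whether a rejected request (object not in the group, insufficient permission) reaches the caller depends on `Delete` throwing on a non-success status, which is not visible in this hunk; if it returns the response instead, a failed removal looks the same as a successful one and the remaining IDs are still processed. The two methods also differ only in the path segment, so they could share one private helper that takes `"members"` or `"owners"`, the way `RemoveUserFromGroup` already does, which gives a single place to check the result. `RemoveUserFromGroup`'s body continues past the end of the hunk.

```csharp
internal static void RemoveDirectoryMembers(ApiRequestHelper requestHelper, Guid groupId, Guid[] directoryObjects)
{
    RemoveDirectoryObjectsFromGroup(requestHelper, "members", groupId, directoryObjects);
}

internal static void RemoveDirectoryOwners(ApiRequestHelper requestHelper, Guid groupId, Guid[] directoryObjects)
{
    RemoveDirectoryObjectsFromGroup(requestHelper, "owners", groupId, directoryObjects);
}

// Removes each directory object (user or group) from the named relationship of the group.
private static void RemoveDirectoryObjectsFromGroup(ApiRequestHelper requestHelper, string relationship, Guid groupId, Guid[] directoryObjects)
{
    foreach (var dirObject in directoryObjects)
    {
        // NOTE(review): confirm Delete surfaces non-success responses; otherwise inspect its result here.
        requestHelper.Delete($"v1.0/groups/{groupId}/{relationship}/{dirObject}/$ref");
    }
}
```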
From: Gautam Sheth Date: Sun, 16 Nov 2025 21:46:10 +0200 Subject: [PATCH 3/3] Update documentation/Remove-PnPAzureADGroupMember.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- documentation/Remove-PnPAzureADGroupMember.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/Remove-PnPAzureADGroupMember.md b/documentation/Remove-PnPAzureADGroupMember.md index 4a636885c..546c776ec 100644 --- a/documentation/Remove-PnPAzureADGroupMember.md +++ b/documentation/Remove-PnPAzureADGroupMember.md @@ -91,7 +91,7 @@ The ObjectId(s) of directory object(s) (Users or Groups) to remove from the Azur ```yaml Type: Guid[] -Parameter Sets: MemberObjectId +Parameter Sets: ByObjectId Required: True Position: Named