Adding M365 Group/Teams Owners and Members to SharePoint Group with PnP PowerShell
Introduction
There are situations where you might want to reuse the M365 Group principals to assign permissions to other sites without creating additional Entra ID groups. This can be useful for:
- Adding M365 group members to a SharePoint site, such as an intranet site for ‘Human Resources’ managed by the ‘Human Resources’ M365 Group/Teams or a hub site managed by a ‘Service Desk’ M365 Group/Teams.
- Adding M365 group members to custom or out-of-the-box SharePoint groups, such as adding particular M365 group owners or members to custom groups created for additional libraries within a different site.
I had a specific requirement to add M365 group owners to a custom SharePoint group to grant full control to the library and allow self-management of the custom SharePoint Group membership. Unfortunately, only one person or group can be specified as the owner in the SharePoint group settings.
Adding the M365 Group owners within the custom SharePoint Group helps to get around this issue.
The claims of the M365 group use the prefix c:0o.c|federateddirectoryclaimprovider:
- c:0o.c|federateddirectoryclaimprovider|{M365Guid}: represents the Microsoft 365 group members.
- c:0o.c|federateddirectoryclaimprovider|{M365Guid}_o: represents the Microsoft 365 group owners.
While M365 members can easily be added back using the user interface, adding back the M365 Owners group is more challenging.
Sample Script
This sample script adds specific M365 group owners or members to custom groups created for additional libraries within a different site. The claims of the M365 group are built using:
- M365 Group Owners: c:0o.c|federateddirectoryclaimprovider|{M365Guid}_o
- M365 Group Members: c:0o.c|federateddirectoryclaimprovider|{M365Guid}
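As an added example (not code from the original post), the following builds and parses the claim formats listed above so that a login name can be checked before it is handed to Add-PnPGroupMember. It runs without a PnP connection; the function names, the sample GUID and the sample UPN are this example's own.

```powershell
# Added example: build and parse SharePoint login names for M365 group principals.
# Pure PowerShell, no PnP session required. Function names and sample values are constructed.
$script:ClaimPrefix = 'c:0o.c|federateddirectoryclaimprovider|'

function New-M365GroupClaim {
    param (
        [Parameter(Mandatory = $true)] [guid] $GroupId,   # [guid] cast rejects malformed ids up front
        [switch] $Owners                                  # add the _o suffix for the owners principal
    )
    $claim = "$script:ClaimPrefix$($GroupId.ToString('D'))"
    if ($Owners) { $claim += '_o' }
    return $claim
}

function ConvertFrom-SPOClaim {
    # Classify a login name as M365 group members, M365 group owners, a cloud user
    # (i:0#.f|membership|upn, the form SharePoint shows in its error messages), or unknown.
    param ([Parameter(Mandatory = $true)] [string] $LoginName)
    $guidPattern = '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'
    if ($LoginName -match "^c:0o\.c\|federateddirectoryclaimprovider\|($guidPattern)(_o)?$") {
        # $Matches[1] is the GUID, $Matches[3] is the optional _o suffix
        return [pscustomobject]@{
            Kind    = if ($Matches[3]) { 'M365GroupOwners' } else { 'M365GroupMembers' }
            GroupId = [guid]$Matches[1]
            Upn     = $null
        }
    }
    if ($LoginName -match '^i:0#\.f\|membership\|(.+@.+)$') {
        return [pscustomobject]@{ Kind = 'User'; GroupId = $null; Upn = $Matches[1] }
    }
    return [pscustomobject]@{ Kind = 'Unknown'; GroupId = $null; Upn = $null }
}

# Constructed sample id for the demo; not a real group
$sampleId     = [guid]'11111111-2222-3333-4444-555555555555'
$ownersClaim  = New-M365GroupClaim -GroupId $sampleId -Owners
$membersClaim = New-M365GroupClaim -GroupId $sampleId

foreach ($login in @($ownersClaim, $membersClaim, 'i:0#.f|membership|someone@contoso.example', 'not-a-claim')) {
    $parsed = ConvertFrom-SPOClaim -LoginName $login
    '{0,-18} {1}' -f $parsed.Kind, $login
}

# Round trip: parsing the owners claim must give back the id we started from
if ((ConvertFrom-SPOClaim -LoginName $ownersClaim).GroupId -ne $sampleId) { throw 'round-trip failed' }
```

Because the `[guid]` parameter type validates the id and the parser only accepts the exact prefix and suffix, a typo in a claim surfaces as `Unknown` locally instead of as a confusing "user could not be found" error from SharePoint.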
```powershell
param (
    [Parameter(Mandatory = $true)]
    [string] $siteUrl
)

# Interactive sign-in; recent PnP.PowerShell releases also require -ClientId of your own app registration
Connect-PnPOnline -Url $siteUrl -Interactive
$siteTitle = (Get-PnPWeb | Select-Object Title).Title

$config = @{
    libraries = @(
        @{
            title       = "IT & CS Collaboration"
            owners      = @('TestUser1@reshmeeauckloo.onmicrosoft.com')
            m365Owners  = @("$siteTitle")
            m365Members = @('ServiceDelivery')
        }
        @{
            title       = "SD & CS Collaboration"
            owners      = @('TestUser2@reshmeeauckloo.onmicrosoft.com')
            m365Owners  = @("$siteTitle")
            m365Members = @('InformationTechnology')
        }
    )
}

function Configure-LibraryPermissions($lib) {
    # Stop the library inheriting site permissions so the custom group only applies here
    Set-PnPList -Identity $lib.title -BreakRoleInheritance -ErrorAction SilentlyContinue | Out-Null

    function Create-Group($title, $perm, $desc) {
        $groupExist = Get-PnPGroup -Identity $title -ErrorAction SilentlyContinue
        if (!$groupExist) {
            New-PnPGroup -Title $title -Owner "$siteTitle Owners" -Description $desc | Out-Null
            Write-Host "Created $title group"
        }
        # Grant the group the requested role on the library only
        Set-PnPListPermission -Identity $lib.title -Group $title -AddRole $perm | Out-Null
        # Remove any site-level Read role so the group has no access outside the library
        Set-PnPWebPermission -Group $title -RemoveRole 'Read' -ErrorAction SilentlyContinue | Out-Null
    }

    # SharePoint group names cannot contain these characters
    $safeLibTitle = $lib.title -replace '["\/\\\[\]:\|<>\+=;,\?\*''@]', ''

    # Create Owners group
    if ($null -ne $lib.owners -and $lib.owners.Length -gt 0) {
        Create-Group "$safeLibTitle Owners" 'Full Control' "Control access to the $($lib.title) library."

        # Individual users, added by UPN
        $lib.owners | ForEach-Object {
            Add-PnPGroupMember -Group "$safeLibTitle Owners" -LoginName $_ | Out-Null
            Write-Host "Added $_ to $safeLibTitle Owners"
        }
        # M365 group owners, added through the _o claim
        $lib.m365Owners | ForEach-Object {
            $m365GroupId = (Get-PnPMicrosoft365Group -Identity $_).Id
            $m365GroupOwnerClaims = "c:0o.c|federateddirectoryclaimprovider|{0}_o" -f $m365GroupId.ToString()
            Add-PnPGroupMember -Group "$safeLibTitle Owners" -LoginName $m365GroupOwnerClaims | Out-Null
            Write-Host "Added owners of $_ to $safeLibTitle Owners"
        }
        # M365 group members, added through the plain claim
        $lib.m365Members | ForEach-Object {
            $m365GroupId = (Get-PnPMicrosoft365Group -Identity $_).Id
            $m365GroupMemberClaims = "c:0o.c|federateddirectoryclaimprovider|{0}" -f $m365GroupId.ToString()
            Add-PnPGroupMember -Group "$safeLibTitle Owners" -LoginName $m365GroupMemberClaims | Out-Null
            Write-Host "Added members of $_ to $safeLibTitle Owners"
        }
    }
}

$config.libraries | ForEach-Object {
    Configure-LibraryPermissions $_
}
```
Description of the script
The script defines a configuration object that specifies the libraries, owners, M365 group owners, and M365 group members to be added to the custom SharePoint groups for the libraries. These custom SharePoint groups have limited access at the site level and full control at the specific libraries.
The Configure-LibraryPermissions function handles the creation of the custom SharePoint groups and the assignment of permissions.
After running the script, navigate to <siteUrl>/_layouts/15/groups.aspx to see the newly created groups.
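Rather than checking groups.aspx by hand, the following added example (not part of the original post) verifies the least-privilege outcome the description promises for each library in $config: unique permissions on the library, exactly one role (Full Control) for the custom Owners group there, no role for that group at the site level, and a readable list of who the group contains. It assumes an existing Connect-PnPOnline session and the $config and $siteTitle variables from the script above; Test-LibraryOwnersGroup is this example's own name.

```powershell
# Added example: audit the permissions the script above is expected to leave behind.
# Assumes the PnP session, $config and $siteTitle from the script; Test-LibraryOwnersGroup is hypothetical.
function Test-LibraryOwnersGroup {
    param ([Parameter(Mandatory = $true)] $lib)
    # Same character stripping the script uses to derive the group name
    $safeLibTitle = $lib.title -replace '["\/\\\[\]:\|<>\+=;,\?\*''@]', ''
    $groupName = "$safeLibTitle Owners"

    $list  = Get-PnPList -Identity $lib.title -Includes HasUniqueRoleAssignments
    $group = Get-PnPGroup -Identity $groupName

    # Roles the group holds directly on the library
    $listRoles = @()
    foreach ($ra in (Get-PnPProperty -ClientObject $list -Property RoleAssignments)) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        if ($member.Id -ne $group.Id) { continue }
        $listRoles += (Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings) | ForEach-Object Name
    }
    # Roles the group still holds on the site itself (should be none after the Read removal)
    $webRoles = @(Get-PnPGroupPermissions -Identity $group | ForEach-Object Name)

    # Describe each member; resolve M365 group claims to the group's display name and role
    $members = foreach ($m in Get-PnPGroupMember -Group $groupName) {
        $desc = $m.Title
        if ($m.LoginName -match '^c:0o\.c\|federateddirectoryclaimprovider\|([0-9a-f-]{36})(_o)?$') {
            $g    = Get-PnPMicrosoft365Group -Identity $Matches[1] -ErrorAction SilentlyContinue
            $role = if ($Matches[2]) { 'owners' } else { 'members' }
            $desc = "M365 $role of '$($g.DisplayName)'"
        }
        "$desc <$($m.LoginName)>"
    }

    [pscustomobject]@{
        Library           = $lib.title
        UniquePermissions = $list.HasUniqueRoleAssignments
        GroupRolesOnList  = ($listRoles -join ', ')
        GroupRolesOnWeb   = ($webRoles -join ', ')
        Compliant         = $list.HasUniqueRoleAssignments -and
                            ($listRoles.Count -eq 1 -and $listRoles[0] -eq 'Full Control') -and
                            ($webRoles.Count -eq 0)
        Members           = $members
    }
}

$config.libraries | ForEach-Object { Test-LibraryOwnersGroup $_ } | Format-List
```

A library reporting `Compliant = False` with `GroupRolesOnWeb` set means the Read removal did not take, and the custom group is reaching beyond the library it was created for.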
Notes
- Only the M365 Group owners of the site's own M365 group can be added to SharePoint groups. Adding the M365 Group owners claim of a different team results in that group's M365 members being added instead, for example with `New-PnPUser -LoginName "c:0o.c|federateddirectoryclaimprovider|aacf84bf-6aa3-449a-8655-4cb6f3ebe030_o"`.
- Attempting to add an M365 Group by email fails:
  `Add-PnPGroupMember -Group "$safeLibTitle Owners" -LoginName it@reshmeeauckloo.onmicrosoft.com`
  `Add-PnPGroupMember: The specified user i:0#.f|membership|it@reshmeeauckloo.onmicrosoft.com could not be found.`
  though `New-PnPUser -LoginName "it@reshmeeauckloo.onmicrosoft.com"` succeeds.
- The site's M365 Group owners are visible at https://reshmeeauckloo.sharepoint.com/sites/LargeLibrary/_layouts/15/people.aspx?MembershipGroupId=0
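The first note above is easy to miss at runtime because Add-PnPGroupMember succeeds either way. The following added example (not from the original post) guards against it: before adding an owners (_o) claim it compares the target M365 group with the group connected to the current site (the Site.GroupId property), warns when they differ, and after the add reads the SharePoint group back to confirm the stored login name still carries the _o suffix. It assumes an existing Connect-PnPOnline session and the $siteTitle variable from the script; Add-M365OwnersClaimChecked is this example's own name.

```powershell
# Added example: add an M365 owners claim only when it will resolve as owners, and verify the result.
# Assumes a PnP session and $siteTitle from the script above; the function name is hypothetical.
function Add-M365OwnersClaimChecked {
    param (
        [Parameter(Mandatory = $true)] [string] $SharePointGroup,   # e.g. "IT & CS Collaboration Owners"
        [Parameter(Mandatory = $true)] [string] $M365Group          # display name or id of the M365 group
    )
    $target = Get-PnPMicrosoft365Group -Identity $M365Group
    if (-not $target) { throw "M365 group '$M365Group' not found" }

    # The M365 group connected to the current site (Guid.Empty when the site is not group-connected)
    $siteGroupId = (Get-PnPSite -Includes GroupId).GroupId
    if ($target.Id -ne $siteGroupId) {
        Write-Warning "'$($target.DisplayName)' is not the group connected to this site; its owners claim would resolve to the group's members, so nothing was added."
        return $false
    }

    $claim = "c:0o.c|federateddirectoryclaimprovider|{0}_o" -f $target.Id
    Add-PnPGroupMember -Group $SharePointGroup -LoginName $claim | Out-Null

    # Read back: success means the stored login name is still the owners claim, not the members one
    $stored = Get-PnPGroupMember -Group $SharePointGroup | Where-Object { $_.LoginName -eq $claim }
    if ($stored) {
        Write-Host "Owners of '$($target.DisplayName)' added to '$SharePointGroup' as $($stored.LoginName)"
        return $true
    }
    Write-Warning "Claim $claim was not stored as an owners principal in '$SharePointGroup'"
    return $false
}

# Usage: returns $true only when the owners principal was added and verified.
# Here the site's own group owners are added to the site's Owners group, matching m365Owners = @("$siteTitle").
Add-M365OwnersClaimChecked -SharePointGroup "$siteTitle Owners" -M365Group $siteTitle
```

The read-back step is the important one: if SharePoint silently substitutes the members principal, the stored login name loses its `_o` suffix and the function reports the mismatch instead of leaving a group with broader membership than intended.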
Conclusion
Reusing M365 Group members and owners can help streamline permission management and reduce reliance on additional Entra ID groups.