How to remove users from multiple Azure AD Groups?

Summary

For my customer there were many Modern Team Sites in the tenant. Each of these sites had 4 to 5 users present in the Owners group. These users were added when the sites were originally created by an automated script, but later they were no longer needed and had to be removed from the Azure AD owners group. The following is the step-by-step solution and script to remove the users from the owners group.

Step by Step Solution

Step # 1 Install PnP.PowerShell and run the following command.

# Change your tenant name
Register-PnPAzureADApp -ApplicationName "MyPnPApplication" -Tenant "GOV963094.onmicrosoft.com" -Username admin@GOV963094.onmicrosoft.com -DeviceLogin

The above command will prompt you for the device code and user credentials. It will also create PFX and CER certificates in the current folder.

You will need to consent to the required permissions. The following dialog box grants consent to the app. Click on Approve.

This creates an Azure AD application in your tenant with the permissions “Group.readWrite.All”, “User.ReadWrite.All”, “AllSites.FullControl”, “Site.FullControl.All” & “User.ReadWrite.All”. These are tenant-wide write permissions, so the PFX file (the app's private key) needs the same protection as an admin credential.

Step # 2

First, create a CSV file named “teamSites.CSV” and put in it the site URLs of all the team sites, one per row under a SiteURL header.

SiteURL
https://gov963094.sharepoint.com/sites/Test1
https://gov963094.sharepoint.com/sites/Test2

Now execute the following script, after modifying the $Users2Remove array with the user principal names of your users. The script reads the above CSV file, iterates over each site, and removes the listed users from the Azure AD owners group.


$Users2Remove = @(
    "BobK@GOV963094.onmicrosoft.com",   # user principal names (user@domain); the owner check compares against these
    "DebraB@GOV963094.onmicrosoft.com"
)

$ClientId = "7c244c08-9875-4ffe-b39d-34f9b6853f6b"
$Tenant = "gov963094.onmicrosoft.com" # replace your tenant name

Import-Csv C:\Contoso\teamSites.CSV |
    ForEach-Object {
        $newSiteUrl  = $_.SiteURL
        $newSiteConn = $null
        try
        {
            # -ReturnConnection does not set a default connection, so every PnP cmdlet below is passed -Connection
            $newSiteConn = Connect-PnPOnline -ClientId $ClientId -Url $newSiteUrl -Tenant $Tenant -CertificatePath 'MyPnPApplication.pfx' -ReturnConnection

            # The Microsoft 365 group alias is the last segment of the site URL (e.g. "Test1")
            $splitSiteUrls = $newSiteUrl.TrimEnd('/') -split "/"
            $relativeUrl   = $splitSiteUrls[$splitSiteUrls.Length - 1]

            $owners = Get-PnPAzureADGroupOwner -Identity $relativeUrl -Connection $newSiteConn

            foreach ($owner in $owners)
            {
                if ($owner.UserPrincipalName.Length -gt 0)
                {
                    # -contains is case-insensitive, so the casing of the UPNs in the list does not matter
                    if ($Users2Remove -contains $owner.UserPrincipalName)
                    {
                        Remove-PnPAzureADGroupOwner -Identity $relativeUrl -Users $owner.UserPrincipalName -Connection $newSiteConn
                    }
                }
            }
        }
        catch
        {
            $ErrorMessage = $_.Exception | Out-String
            Write-Host $("Exception {0}" -f $ErrorMessage)
        }
        finally
        {
            # Only disconnect if the connection was actually established
            if ($newSiteConn)
            {
                Write-Host $("Disconnecting from {0}" -f $newSiteUrl)
                Disconnect-PnPOnline -Connection $newSiteConn
                Write-Host $("Disconnected from {0}" -f $newSiteUrl)
            }
        }
    }
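Before running the removal, it is worth producing a read-only plan of what would change, because the script above removes owners without checking how many remain. The following is an added example, not the post's own script; it assumes the same teamSites.CSV, PFX certificate, $ClientId and $Tenant values as above and writes the plan to a CSV (the output path is a placeholder):

```powershell
# Added example, not from the post: list the current owners of each site's group
# and mark which ones the removal script would delete, without changing anything.
# Assumes the same teamSites.CSV, PFX certificate, $ClientId and $Tenant as above.
$Users2Remove = @(
    "BobK@GOV963094.onmicrosoft.com",
    "DebraB@GOV963094.onmicrosoft.com"
)
$ClientId = "7c244c08-9875-4ffe-b39d-34f9b6853f6b"
$Tenant   = "gov963094.onmicrosoft.com"

function Get-OwnerRemovalPlan {
    param(
        [Parameter(Mandatory)] [string]   $CsvPath,
        [Parameter(Mandatory)] [string[]] $UsersToRemove
    )
    Import-Csv $CsvPath | ForEach-Object {
        $siteUrl = $_.SiteURL
        $conn    = $null
        try {
            $conn = Connect-PnPOnline -ClientId $ClientId -Url $siteUrl -Tenant $Tenant `
                        -CertificatePath 'MyPnPApplication.pfx' -ReturnConnection
            # Group alias = last path segment of the site URL, the same assumption the post makes
            $alias  = ($siteUrl.TrimEnd('/') -split '/')[-1]
            $owners = @(Get-PnPAzureADGroupOwner -Identity $alias -Connection $conn |
                        Where-Object { $_.UserPrincipalName })
            $removeCount = @($owners | Where-Object { $UsersToRemove -contains $_.UserPrincipalName }).Count
            $ownersAfter = $owners.Count - $removeCount
            foreach ($owner in $owners) {
                $action = if ($UsersToRemove -contains $owner.UserPrincipalName) { 'Remove' } else { 'Keep' }
                [pscustomobject]@{
                    SiteURL     = $siteUrl
                    GroupAlias  = $alias
                    Owner       = $owner.UserPrincipalName
                    Action      = $action
                    OwnersAfter = $ownersAfter
                    # A group with no owner left is unmanageable: flag the site so the removal is skipped for it
                    Blocked     = ($ownersAfter -eq 0)
                }
            }
        }
        catch   { Write-Warning ("{0}: {1}" -f $siteUrl, $_.Exception.Message) }
        finally { if ($conn) { Disconnect-PnPOnline -Connection $conn } }
    }
}

# Review the plan (especially the Blocked column) before running the removal script
Get-OwnerRemovalPlan -CsvPath 'C:\Contoso\teamSites.CSV' -UsersToRemove $Users2Remove |
    Export-Csv 'C:\Contoso\ownerRemovalPlan.csv' -NoTypeInformation
```

Any site with Blocked set to True should be handled by hand (for example by adding a replacement owner first) rather than fed to the removal script.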



Conclusion

The above script is an automated way to remove the users from the owners group of multiple team sites.

About Pankaj

I am a Developer and my linked profile is https://www.linkedin.com/in/pankajsurti/
