Azure Active Directory version 2 cmdlets for group management

This article contains examples of how to use PowerShell to manage your groups in Azure Active Directory (Azure AD). It also tells you how to get set up with the Azure AD PowerShell module. First, you must download the Azure AD PowerShell module.

Install the Azure AD PowerShell module

To install the Azure AD PowerShell module, use the following commands:

PS C:\Windows\system32> install-module azuread
PS C:\Windows\system32> import-module azuread

To verify that the module is ready to use, use the following command:

PS C:\Windows\system32> get-module azuread

ModuleType Version      Name                                ExportedCommands
---------- ---------    ----                                ----------------
Binary     2.0.0.115    azuread                      {Add-AzureADAdministrati...}

Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module, refer to the online reference documentation for Azure Active Directory PowerShell Version 2.

Connect to the directory

Before you can start managing groups using Azure AD PowerShell cmdlets, you must connect your PowerShell session to the directory you want to manage. Use the following command:

PS C:\Windows\system32> Connect-AzureAD -AzureEnvironmentName AzureChinaCloud

The cmdlet prompts you for the credentials you want to use to access your directory. In this example, we are using karen@drumkit.partner.onmschina.cn to access the demonstration directory. The cmdlet returns a confirmation to show that the session was connected successfully to your directory:

Account                       Environment Tenant
-------                       ----------- ------
Karen@drumkit.partner.onmschina.cn AzureChinaCloud  85b5ff1e-0402-400c-9e3c-0f…

Now you can start using the AzureAD cmdlets to manage groups in your directory.

Retrieve groups

To retrieve existing groups from your directory, use the Get-AzureADGroup cmdlet.

To retrieve all groups in the directory, use the cmdlet without parameters:

PS C:\Windows\system32> get-azureadgroup

The cmdlet returns all groups in the connected directory.

You can use the -ObjectId parameter to retrieve a specific group for which you specify the group's ObjectId:

PS C:\Windows\system32> get-azureadgroup -ObjectId e29bae11-4ac0-450c-bc37-6dae8f3da61b

The cmdlet now returns the group whose ObjectId matches the value of the parameter you entered:

DeletionTimeStamp            :
ObjectId                     : e29bae11-4ac0-450c-bc37-6dae8f3da61b
ObjectType                   : Group
Description                  :
DirSyncEnabled               :
DisplayName                  : Pacific NW Support
LastDirSyncTime              :
Mail                         :
MailEnabled                  : False
MailNickName                 : 9bb4139b-60a1-434a-8c0d-7c1f8eee2df9
OnPremisesSecurityIdentifier :
ProvisioningErrors           : {}
ProxyAddresses               : {}
SecurityEnabled              : True

You can search for a specific group using the -Filter parameter. This parameter takes an OData filter clause and returns all groups that match the filter, as in the following example:

PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"


DeletionTimeStamp            :
ObjectId                     : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType                   : Group
Description                  : Intune Administrators
DirSyncEnabled               :
DisplayName                  : Intune Administrators
LastDirSyncTime              :
Mail                         :
MailEnabled                  : False
MailNickName                 : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors           : {}
ProxyAddresses               : {}
SecurityEnabled              : True

Note

The Azure AD PowerShell cmdlets implement the OData query standard. For more information, see $filter in OData system query options using the OData endpoint.

Create groups

To create a new group in your directory, use the New-AzureADGroup cmdlet. This cmdlet creates a new security group called "Marketing":

PS C:\Windows\system32> New-AzureADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled $false -SecurityEnabled $true -MailNickName "Marketing"

Update groups

To update an existing group, use the Set-AzureADGroup cmdlet. In this example, we're changing the Description property of the group "Intune Administrators". First, we find the group using the Get-AzureADGroup cmdlet with a filter on the DisplayName attribute:

PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"


DeletionTimeStamp            :
ObjectId                     : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType                   : Group
Description                  : Intune Administrators
DirSyncEnabled               :
DisplayName                  : Intune Administrators
LastDirSyncTime              :
Mail                         :
MailEnabled                  : False
MailNickName                 : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors           : {}
ProxyAddresses               : {}
SecurityEnabled              : True

Next, we change the Description property to the new value "Intune Device Administrators":

PS C:\Windows\system32> Set-AzureADGroup -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -Description "Intune Device Administrators"

Now, if we find the group again, we see that the Description property has been updated to reflect the new value:

PS C:\Windows\system32> Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"


DeletionTimeStamp            :
ObjectId                     : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType                   : Group
Description                  : Intune Device Administrators
DirSyncEnabled               :
DisplayName                  : Intune Administrators
LastDirSyncTime              :
Mail                         :
MailEnabled                  : False
MailNickName                 : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors           : {}
ProxyAddresses               : {}
SecurityEnabled              : True

Delete groups

To delete groups from your directory, use the Remove-AzureADGroup cmdlet as follows:

PS C:\Windows\system32> Remove-AzureADGroup -ObjectId b11ca53e-07cc-455d-9a89-1fe3ab24566b

Manage group membership

Add members

To add new members to a group, use the Add-AzureADGroupMember cmdlet. This command adds a member to the Intune Administrators group we used in the previous example:

PS C:\Windows\system32> Add-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -RefObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea

The -ObjectId parameter is the ObjectId of the group to which we want to add a member, and -RefObjectId is the ObjectId of the user we want to add as a member of the group.

Get members

To get the existing members of a group, use the Get-AzureADGroupMember cmdlet, as in this example:

PS C:\Windows\system32> Get-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df

DeletionTimeStamp ObjectId                             ObjectType
----------------- --------                             ----------
                      72cd4bbd-2594-40a2-935c-016f3cfeeeea User
                      8120cc36-64b4-4080-a9e8-23aa98e8b34f User

Remove members

To remove the member we previously added to the group, use the Remove-AzureADGroupMember cmdlet, as shown here:

PS C:\Windows\system32> Remove-AzureADGroupMember -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -MemberId 72cd4bbd-2594-40a2-935c-016f3cfeeeea

Verify members

To verify the group memberships of a user, use the Select-AzureADGroupIdsUserIsMemberOf cmdlet. This cmdlet takes as its parameters the ObjectId of the user whose group memberships you want to check, and a list of groups to check those memberships against. The list of groups must be provided as a complex variable of type "Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck", so we first create a variable of that type:

PS C:\Windows\system32> $g = new-object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck

Next, we provide the group IDs to check in the "GroupIds" attribute of this complex variable:

PS C:\Windows\system32> $g.GroupIds = "b11ca53e-07cc-455d-9a89-1fe3ab24566b", "31f1ff6c-d48c-4f8a-b2e1-abca7fd399df"

Now, if we want to check the group memberships of the user with ObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea against the groups in $g, we use:

PS C:\Windows\system32> Select-AzureADGroupIdsUserIsMemberOf -ObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea -GroupIdsForMembershipCheck $g

OdataMetadata                                                                                                 Value
-------------                                                                                                  -----
https://graph.chinacloudapi.cn/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String)             {31f1ff6c-d48c-4f8a-b2e1-abca7fd399df}

The value returned is the list of those groups of which this user is a member. You can also apply this method to check the membership of contacts, groups or service principals in a given list of groups, using Select-AzureADGroupIdsContactIsMemberOf, Select-AzureADGroupIdsGroupIsMemberOf or Select-AzureADGroupIdsServicePrincipalIsMemberOf.
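As an added example (not part of the original article), the following function combines the membership check above with Add-AzureADGroupMember and Remove-AzureADGroupMember to bring a user's membership in a set of groups to a desired state, calling the change cmdlets only when something actually differs. The function name Sync-AadUserGroupMembership is an invented helper; it assumes Connect-AzureAD has already succeeded and that the group ObjectIds were looked up with Get-AzureADGroup beforehand.

```powershell
# Added example, not from the original article. Reconcile one user's membership
# against required and forbidden group lists, checking current state first so
# that Add-/Remove-AzureADGroupMember are only called when needed.
function Sync-AadUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $UserObjectId,
        [Parameter(Mandatory)] [string[]] $RequiredGroupIds,        # user must be in these
        [string[]]                        $ForbiddenGroupIds = @()  # user must not be in these
    )

    # Same complex variable the article builds by hand.
    $check = New-Object Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck
    $check.GroupIds = @($RequiredGroupIds + $ForbiddenGroupIds | Select-Object -Unique)

    # The cmdlet returns only the subset of $check.GroupIds the user belongs to.
    # Older module builds wrap the IDs in an object with a Value property (as in
    # the article's output); newer ones return the strings directly. Accept both.
    $raw = Select-AzureADGroupIdsUserIsMemberOf -ObjectId $UserObjectId `
               -GroupIdsForMembershipCheck $check
    $current = @(if ($raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw })

    $toAdd    = @($RequiredGroupIds  | Where-Object { $_ -notin $current })
    $toRemove = @($ForbiddenGroupIds | Where-Object { $_ -in    $current })

    foreach ($gid in $toAdd) {
        if ($PSCmdlet.ShouldProcess("group $gid", "add member $UserObjectId")) {
            Add-AzureADGroupMember -ObjectId $gid -RefObjectId $UserObjectId
        }
    }
    foreach ($gid in $toRemove) {
        if ($PSCmdlet.ShouldProcess("group $gid", "remove member $UserObjectId")) {
            Remove-AzureADGroupMember -ObjectId $gid -MemberId $UserObjectId
        }
    }

    # Summary for the change record; with -WhatIf it shows what would have changed.
    [pscustomobject]@{
        UserObjectId = $UserObjectId
        Added        = $toAdd
        Removed      = $toRemove
    }
}

# Sample ObjectIds reused from the article; -WhatIf previews without changing anything.
Sync-AadUserGroupMembership -UserObjectId '72cd4bbd-2594-40a2-935c-016f3cfeeeea' `
    -RequiredGroupIds  '31f1ff6c-d48c-4f8a-b2e1-abca7fd399df' `
    -ForbiddenGroupIds 'b11ca53e-07cc-455d-9a89-1fe3ab24566b' -WhatIf
```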

Disable group creation by your users

You can prevent non-admin users from creating security groups. The default behavior in Microsoft Online Directory Services (MSODS) is to allow non-admin users to create groups, whether or not self-service group management (SSGM) is also enabled. The SSGM setting controls behavior only in the My Apps access panel.

To disable group creation for non-admin users:

  1. Verify that non-admin users are allowed to create groups:

    PS C:\> Get-MsolCompanyInformation | fl UsersPermissionToCreateGroupsEnabled
    
  2. If it returns UsersPermissionToCreateGroupsEnabled : True, then non-admin users can create groups. To disable this feature:

    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False
    

Manage owners of groups

To add owners to a group, use the Add-AzureADGroupOwner cmdlet:

PS C:\Windows\system32> Add-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -RefObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea

The -ObjectId parameter is the ObjectId of the group to which we want to add an owner, and -RefObjectId is the ObjectId of the user or service principal we want to add as an owner of the group.

To retrieve the owners of a group, use the Get-AzureADGroupOwner cmdlet:

PS C:\Windows\system32> Get-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df

The cmdlet returns the list of owners (users and service principals) for the specified group:

DeletionTimeStamp ObjectId                             ObjectType
----------------- --------                             ----------
                      e831b3fd-77c9-49c7-9fca-de43e109ef67 User

If you want to remove an owner from a group, use the Remove-AzureADGroupOwner cmdlet:

PS C:\Windows\system32> remove-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -OwnerId e831b3fd-77c9-49c7-9fca-de43e109ef67
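As an added example (not part of the original article), the following report uses Get-AzureADGroup and Get-AzureADGroupOwner to find groups that have no owner at all, or whose only owners are service principals; both are common findings in a group-governance review. Get-AadGroupOwnerReport is an invented helper name; it assumes Connect-AzureAD has already succeeded and a module version in which Get-AzureADGroup and Get-AzureADGroupOwner accept the -All parameter.

```powershell
# Added example, not from the original article. Audit ownership of every group
# in the connected directory: ownerless groups cannot be managed by self-service
# and tend to be forgotten; groups owned only by a service principal deserve a
# human reviewer.
function Get-AadGroupOwnerReport {
    [CmdletBinding()]
    param(
        [switch] $IncludeDistributionGroups   # default: security-enabled groups only
    )
    $groups = Get-AzureADGroup -All $true
    if (-not $IncludeDistributionGroups) {
        $groups = $groups | Where-Object { $_.SecurityEnabled }
    }

    foreach ($g in $groups) {
        $owners = @(Get-AzureADGroupOwner -ObjectId $g.ObjectId -All $true)
        $users  = @($owners | Where-Object { $_.ObjectType -eq 'User' })
        $sps    = @($owners | Where-Object { $_.ObjectType -eq 'ServicePrincipal' })

        $finding = if ($owners.Count -eq 0)    { 'NoOwner' }
                   elseif ($users.Count -eq 0) { 'ServicePrincipalOnly' }
                   else                        { 'OK' }

        [pscustomobject]@{
            DisplayName = $g.DisplayName
            ObjectId    = $g.ObjectId
            OwnerCount  = $owners.Count
            UserOwners  = $users.Count
            SpOwners    = $sps.Count
            Finding     = $finding
        }
    }
}

# Only the groups that need attention, as a table you can attach to a review ticket.
Get-AadGroupOwnerReport |
    Where-Object { $_.Finding -ne 'OK' } |
    Sort-Object Finding, DisplayName |
    Format-Table DisplayName, ObjectId, OwnerCount, Finding -AutoSize
```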

Reserved aliases

When a group is created, certain endpoints allow the end user to specify a mailNickname or alias to be used as part of the email address of the group. Groups with the following highly privileged email aliases can only be created by an Azure AD global administrator.

  • abuse
  • admin
  • administrator
  • hostmaster
  • majordomo
  • postmaster
  • root
  • secure
  • security
  • ssl-admin
  • webmaster
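As an added example (not part of the original article), the following code turns the list above into a check that runs before New-AzureADGroup, and into a report of existing groups whose MailNickName or proxy-address local part already uses a reserved alias. Test-AadReservedAlias and Find-AadReservedAliasGroup are invented helper names; the code assumes Connect-AzureAD has already succeeded and that Get-AzureADGroup accepts the -All parameter.

```powershell
# Added example, not from the original article. The reserved list is copied
# from the article; the helpers below are invented for this example.
$ReservedAliases = @('abuse', 'admin', 'administrator', 'hostmaster', 'majordomo',
                     'postmaster', 'root', 'secure', 'security', 'ssl-admin', 'webmaster')

function Test-AadReservedAlias {
    param([Parameter(Mandatory)] [string] $Alias)
    # -contains compares case-insensitively; surrounding whitespace is trimmed
    # because it would not survive in an e-mail address anyway.
    $ReservedAliases -contains $Alias.Trim()
}

function Find-AadReservedAliasGroup {
    foreach ($g in Get-AzureADGroup -All $true) {
        # Proxy addresses look like "SMTP:alias@domain"; keep only "alias".
        $candidates = @($g.MailNickName) + @($g.ProxyAddresses | ForEach-Object {
            (($_ -replace '^smtp:', '') -split '@')[0]
        })
        $hits = @($candidates | Where-Object { $_ -and (Test-AadReservedAlias $_) } |
                 Select-Object -Unique)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                DisplayName   = $g.DisplayName
                ObjectId      = $g.ObjectId
                ReservedAlias = $hits -join ', '
            }
        }
    }
}

# Validate the alias before creating the group, using the article's own flags.
$nick = 'Marketing'
if (Test-AadReservedAlias $nick) {
    throw "MailNickName '$nick' is reserved; choose another or have a global administrator create the group."
}
New-AzureADGroup -DisplayName 'Marketing' -Description 'Marketing' `
    -MailEnabled $false -SecurityEnabled $true -MailNickName $nick

# Review what already exists in the directory.
Find-AadReservedAliasGroup | Format-Table -AutoSize
```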

Next steps

You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.