How to Copy Group Membership from One User Account to Another Account

Now that Microsoft has confirmed the final retirement of the Azure AD module in mid-October 2025, the pressure is on to find and update scripts used for operational purposes. The time for learning how to use the Microsoft Graph APIs is past. The focus is now on turning knowledge into Graph-powered scripts.

Which brings me to a question about how to copy group membership from one user account to another. It’s the kind of thing that features in many online forums. In this example, the answer is:

Get-AzureADUserMembership -ObjectId {source user object id}|foreach { Add-AzureADGroupMember -ObjectId $_.ObjectId -RefObjectId {new user object id} }

Another example of the art is found here. The point is that copying group membership from one account to another is clearly something that many people do. I can see why this might be so. For instance, you might want to copy group membership from an account to a new joiner’s account to include them in a bunch of teams.

Alas, the Graph is different to Azure AD, and converting a script to perform the task with the cmdlets from the Microsoft Graph PowerShell SDK is not straightforward. Here’s a few things to think about when dealing with Entra ID groups. The set includes Microsoft 365 groups, security groups, mail-enabled security groups, and distribution lists.

Copying All Group Memberships or Just Some

It seems sensible to make someone a member of work-related groups based on the memberships of another user, but what about groups that are not work-related or don’t align with a specific job or operating unit? The groups used by many teams and Viva Engage (Yammer) communities accommodate discussions about topics that are not strictly associated with the business of an organization, and membership of those groups are determined by an individual’s interest rather than what they do.

Marking Work-Related Groups

Sensitivity labels are the obvious answer to mark work-related groups, but that only works if a tenant uses sensitivity labels for container management and assigns specific labels for groups that are not work-related. Sensitivity labels have become more popular over the last few years, but they are only available to tenants with Office 365 E3 or above licenses. A custom attribute could be used, but that requires the organization to ensure that all groups used for work or non-work topics are clearly marked.

Handling Dynamic Entra ID Groups

Dynamic Entra ID groups use membership rules based on account properties to calculate group membership. It’s very possible to extract the membership rule for a dynamic Entra ID group and figure out what properties to update to add someone to the membership of a dynamic group, but the risk exists that such an update might interfere with the membership rules of other dynamic groups.

Exchange Distribution Lists

Exchange distribution lists are replicated from Exchange to Entra ID, meaning that when a cmdlet runs to find Entra ID groups, the set returned includes distribution lists. Mail-enabled security groups are a form of distribution list. If you want to copy the membership of mail-enabled security groups and regular distribution lists, you’ll need to do this with Exchange Online cmdlets instead of Microsoft Graph PowerShell SDK cmdlets.

Dynamic distribution lists are not replicated from Exchange Online to Entra ID, so the Graph PowerShell SDK cmdlets ignore these objects. If you want to copy membership to dynamic distribution lists, you’ll need to update mailbox properties to match the OPATH queries used by dynamic distribution lists.

Selecting the Right Cmdlet to Copy Group Membership

The Microsoft Graph PowerShell SDK has two cmdlets to fetch memberships held by a user. The Get-MgUserMemberGroup cmdlet performs a transitive lookup to return a set of identifiers for the groups that an account belongs to. The SecurityEnabledOnly switch parameter determines if the cmdlet returns only security-enabled groups or all groups:

[array]$Groups = Get-MgUserMemberGroup -UserId $User.Id -SecurityEnabledOnly:$false

The Get-MgUserMemberOf cmdlet returns groups, administrative roles, and administrative units (including dynamic administrative units) that a user is a member of. In other words, the objects fetched by the cmdlet must be filtered to extract the objects of interest. This command shows how to apply a client-side filter to find groups that don’t use dynamic membership:

[array]$Groups = Get-MgUserMemberOf -UserId $User.Id -All -PageSize 500 | `
    Where-Object {
        ($_.additionalProperties.'@odata.type' -eq '#microsoft.graph.group') -and
        (
            -not ($_.additionalProperties.groupTypes -contains "DynamicMembership")
        )
    } | Select-Object -ExpandProperty Id
If ($null -eq $SourceGroups) {
    Write-Host "No groups found for user $($SourceUser.DisplayName)." -ForegroundColor Yellow
    Break
}

The Get-MgUserMemberOf cmdlet is often preferable because it returns more than a simple list of group identifiers. As you can see from the example above, because the cmdlet deals with different object types, the additionalProperties property contains data that is of value to find specific groups.

An Example Script

A working example is usually helpful to demonstrate how to put principles into action. I’ve written a script that’s downloadable from GitHub to show how to fetch the set of groups from one account and copy the membership to another. The script (Figure 1) includes code to handle the different types of Entra ID groups and to check that it only attempts to add groups that a user isn’t already a member of. It’s enough to serve as the basis for a solution that might meet the needs of your tenant. I’ll let you make the decision about enhancements, such as removing the membership of the source user as groups are processed.

If you need more help to convert old Azure AD scripts, why not invest in a copy of the Automating Microsoft 365 with PowerShell eBook? It includes a bunch of useful examples like those above. The book is available separately or as part of the Office 365 for IT Pros eBook bundle.