Dot Net Mafia

Group site for developer blogs dealing with (usually) Ionic, .NET, SharePoint, Office 365, Mobile Development, and other Microsoft products, as well as some discussion of general programming related concepts.

This Blog



Corey Roth [MVP]

A SharePoint MVP bringing you the latest time saving tips for Ionic, SharePoint, and Office 365.

How to: Use PowerShell to Create and Manage Users and Groups in SharePoint Online

I have an upcoming talk at TechEd 2014 and part of it will be spent showing you how you can manage users with PowerShell in SharePoint Online.  I thought, I would give a little preview and show you some of the ways you can manage users.  If you are using Office 365, this post will get you started, creating, deleting, and adding users to groups.   You'll also learn how to set permissions on groups as well as promote site collection administrators.  You'll need to install SharePoint Online Management Shell, if you haven't already. 

Get started by opening a session using Connect-SPOService and the full URL to the admin site of your tenant.  You can see my first SharePoint Online PowerShell post for the syntax.

You'll need to know the URL to the site collection you are working with for all of these commands. 

Getting a list of users

We can start by getting a simple list of all users on a site using Get-SPOUser.

Get-SPOUser -Site


This will give you a list of all users, the login name, and what groups each user belongs to.  If you look all the way down the list, you'll even notice some internal hidden users such as the cache, crawl, and system accounts.


Even with a small list, you'll notice that this cmdlet takes a while to execute.  You can filter it by specifying a specific user or group.  For example, to retrieve the user information for our user, Sara Davis, we use the same cmdlet with the -LoginName parameter.  Keep in mind you have to specify the full login name.

Get-SPOUser -Site -LoginName


To view all of the users in a group, use the -Group parameter.

Get-SPOUser -Site - Group "My Group"


You'll notice there are not any commands to add new users.  Those are handles at the Office 365 level.  If the user requires a brand new account, you create the user there and then add them to the appropriate groups.

Getting a list of groups

We can retrieve a list of groups on a given site using Get-SPOSiteGroup.

Get-SPOSiteGroup -SiteName


This will show you the name of the group, the roles of the group, and what users are in it.  You may want to use FormatTable to make the results easier to read.

Get-SPOSiteGroup -SiteName | FT Title, Roles -AutoSize


You can also request a specific group by name, with the -Group parameter

Get-SPOSiteGroup -SiteName -Group "My Group"


Creating a group

To create a Group, we use the New-SPOSiteGroup cmdlet.  You will need to pass the name of the group using the -Group parameter as well as the site collection.  In the -PermissionLevels attribute, you pass the name of a known permission level such as Contribute, Design, or Full Control.

New-SPOSiteGroup -Site -Group "Group Name" -PermissionLevels "Contribute"


This cmdlet tends to take a while.  Once it's done, it will return information about your group.  If you assign the return value of this cmdlet to a variable, you can then pass it to Add-SPOUser to add a user to the group.

Adding a user to a group

Once you create a group, you will probably want to add a user to it.  We can do that with Add-SPOUser.

Add-SPOUser -Site -Group "Group Name" -LoginName


Using Get-SPOUser, like we showed earlier, we can verify our new users is in the group.


Removing a user from a group

As you might guess, removing a user from a group takes the same three parameters with the Remove-SPOUser cmdlet.  However, the Group is optional.  Include it to remove the user from a specific group or omit it to remove the user from the site entirely.

Remove-SPOUser -Site -Group "Group Name" -LoginName


When successful, no output will be returned.

Adding a permission level to a group

To change permissions on a group, we use the Set-SPOSiteGroup  To add a permission level to a group, use the -PermissionLevelsToAdd parameter.  Note this cmdlet uses the -Identity parameter instead of -Group.

Set-SPOSiteGroup SPOUser -Site -Identity "Group Name" -PermissionLevelsToAdd "Design"


Removing a permission level from a group

We can also use Set-SPOSiteGroup to remove a permission level as well using the -PermissionLevelsToRemove parameter.

Set-SPOSiteGroup SPOUser -Site -Identity "Group Name" -PermissionLevelsToRemove "Contribute"


You can also use Set-SPOSiteGroup to rename it with the -Name parameter as well as change the owner with the -Owner parameter.

Removing a group

To remove the group, use the Remove-SPOSiteGroup.  For some reason, this cmdlet uses the -Identity parameter instead of -Group so pass the name there.

Remove-SPOSiteGroup SPOUser -Site -Identity "Group Name"


Make a user a site collection administrator

We can give users site collection administrator rights, but the functionality is buried in Set-SPOUser.  Set the -IsSiteCollectionAdmin command to $true to make the user a site collection administrator.

Set-SPOUser -Site -Group "Group Name" -LoginName -IsSiteCollectionAdmin $true


To remove site collection administrator rights, simple set IsSiteCollectionAdmin to $false.

Get a list of site collection administrators

If you want to see who all of the site collection administrators are, you can find the value on the IsSiteAdmin property of the user object returned from Get-SPOUser.  You just have to display it.  In the example below, we select the column using Format-Table (ft).


We'll be covering this and a lot more at my PowerShell talk at TechEd next week.  If you are there, be sure and attend.



SharePoint 2013: Recopilatorio de enlaces interesantes (XXXIII)! | Pasi??n por la tecnolog??a... said:

Pingback from  SharePoint 2013: Recopilatorio de enlaces interesantes (XXXIII)! | Pasi??n por la tecnolog??a...

June 1, 2014 3:18 AM

Blog de Juan Carlos González en Geeks.MS said:

Mes nuevo y nuevo recopilatorio de enlaces interesantes sobre SharePoint 2013. En esta ocasión

June 1, 2014 3:21 AM

Linkapalooza: May 7, 2014 « SDTimes said:

Pingback from  Linkapalooza: May 7, 2014 « SDTimes

July 8, 2014 10:17 PM

Mark said:

I wish I can run this on my SP2013 on-premise...

August 14, 2014 4:42 AM

Tyler said:

Any idea how to create user profiles for licensed users via powershell or CSOM?  It seems like this should happen when DirSync runs, but that has not been our experience.  

September 8, 2014 12:27 PM

José Luis cuesta said:

In office 365 with SharePoint 2013...

How to create groups to sharepoint site and add permission level using powershell?

Using 'New-SPOSiteGroup ', 'Set or 'Get' the error is 'The site "mysite..." is not properly formed'

Where is the problem?

November 26, 2014 11:55 AM

Abhishek Gupta said:

Hi, Its a nice article, but have a query. The groups which are shown in your first example are getting trimmed down and we can just see "...", is there any way --

a) To get all the group names in detail for each user

b) how to Exclude default groups

June 10, 2015 7:14 AM

Exporting a SharePoint Group to Excel without PowerShell - Concurrency, Inc. said:

Pingback from  Exporting a SharePoint Group to Excel without PowerShell - Concurrency, Inc.

November 2, 2015 4:42 PM

Exporting SharePoint Group Members to Excel Without PowerShell | Drew Madelung said:

Pingback from  Exporting SharePoint Group Members to Excel Without PowerShell | Drew Madelung

January 26, 2016 9:50 AM

Leave a Comment


About CoreyRoth

Corey Roth is an independent SharePoint consultant specializing in ECM, Apps, and Search.
2018 dotnetmafia.
Powered by Community Server (Non-Commercial Edition), by Telligent Systems