Setting Unified Group properties via API


The Set-UnifiedGroup PowerShell commandlet has a couple of interesting properties. In particular, hiding the group from the global address list (HiddenFromAddressListsEnabled) and enabling/disabling the welcome e-mail (UnifiedGroupWelcomeMessageEnabled).

 

Is there a way to set these properties either as default for the entire O365 tenant or via the Graph API on a per group basis?

 

Background info:

I am looking for a way to do this without PowerShell, on purpose, because I am working on a provisioning solution coded in C# (and not PowerShell). All provisioning actions should run in the same thread...

30 Replies

@AllabakshGunje 

 

Now you can set the resourceBehaviorOptions attribute while creating a new group, but it is still not supported when editing a group.

For more info: https://www.morgantechspace.com/2019/09/hide-office-365-group-from-gal-using-graph-api.html

@Tony Redmond One reason is if you -- like me -- are developing hosted services for use in a client's tenant and must use graph API calls to accomplish tasks like this because your code does not run within the client's network.

@doughorton That's fair and a good reason. Another good reason is when you must deal with hundreds or even thousands of groups as Graph-based code will be much faster to process these objects than PowerShell will ever be. My comment still holds true in many other cases when PowerShell can do a job without the need to write any Graph code. 

Hi there, I know this is an old thread, but I am trying to create a Unified Group using Certificate Based Authentication. I tried using the ExchangeOnlineManagement module, but apparently this doesn't work when you try to use New-UnifiedGroup using CBA (known issue), so I tried using the Microsoft.Graph.Group module using CBA to create the Unified Group. This created the group, but I need to be able to set the primary email address as well and cannot see a way to set this in Microsoft.Graph.Group.
Do you know if there is a way to set this via MS Graph?

@SteveCox 

 

If you set the MailNickname property when running New-MgGroup and the group is mail enabled, the MailNickname becomes the root of the primarySmtpAddress.

 

$Group=New-MgGroup -DisplayName "March 2023 Sales Operations Team" -GroupTypes Unified -MailNickName March.2023.Sales.Operations -MailEnabled:$True -SecurityEnabled:$False -Description "A group for Sales Operation management"

 

Get-unifiedgroup -Identity $Group.Id | fl primarysmtpaddress


PrimarySmtpAddress : Email address removed

Hi Tony, thanks for the info. What I need is to be able to set the primary address to @company.co.uk instead of the default @company.onmicrosoft.com. It would be simple if I could just set this up using New-UnifiedGroup, but that doesn't work with CBA. I tried setting it this way:
$groupid = "Steve test automation2"

$params = @{
Description = "External - Steve-test-automation2"
DisplayName = "Steve test automation2"
GroupTypes = @(
"Unified"
)
MailEnabled = $true
MailNickname = "Steve-test-automation2"
Mail = "Email address removed"
SecurityEnabled = $false
}


New-MgGroup -BodyParameter $params

But it gives an error "New-MgGroup : Property 'mail' is read-only and cannot be set."
Use an address policy for Microsoft 365 Groups to point to the domain you want the groups to have email addresses from and that will solve the problem. https://docs.microsoft.com/microsoft-365/solutions/choose-domain-to-create-groups?view=o365-worldwid...
Hi Tony, I have found that I can change the Primary Email via Exchange-online
Set-Group -Identity "Steve-test-automation2" -WindowsEmailAddress "steve-test-automation2@myorg.com"
So all I need to do now is to set the Unified Group to allow external senders. I cannot do this with Set-UnifiedGroup as this doesn't work with Certificate Based Authentication, and if I try adding AllowExternalSender = $true to the New-MgGroup params it gives an error: "New-MgGroup : The following properties cannot be set in the initial POST request. Please set them in a subsequent PATCH request: allowExternalSenders."
How can I set this with a PATCH request from PowerShell?
Did you add the Service Principal for the automation account to the Exchange administrator role group? I've done this when I wanted to perform Exchange Online admin operations with a runbook that authenticates using CBA. The New-MgGroup error is probably because the Graph team haven't given the cmdlet the ability to set all the properties of a Microsoft 365 group.
Hi Tony, I have just tested and run the following and this works now. If it is of any use to anyone, this is the full way that I have got creating a Unified Group using CBA working:

#Connect to MS Graph

Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -TenantId "Your Tenant ID" -AppId "Your App ID" -CertificateThumbprint "Your Cert Thumbprint"

#Create Unified Group Via Graph
Import-Module Microsoft.Graph.Groups


$groupid = "Steve test automation2"

$params = @{
Description = "External - Steve-test-automation2"
DisplayName = "Steve test automation2"
GroupTypes = @(
"Unified"
)
MailEnabled = $true
MailNickname = "Steve-test-automation2"
SecurityEnabled = $false
}


New-MgGroup -BodyParameter $params

#Set Owner and Membership
$Group = Get-MgGroup -Filter "DisplayName eq 'Steve test automation2'"
$User = Get-MgUser -ConsistencyLevel eventual -Count userCount -Search "DisplayName:cox,steve"
$MGGroupID = $Group.Id
$MGUserID = $User.id

$newGroupOwner =@{
"@odata.id"= "https://graph.microsoft.com/v1.0/users/{$MGUserID}"
}

New-MgGroupOwnerByRef -GroupId $MGGroupID -BodyParameter $newGroupOwner
New-MgGroupMemberByRef -GroupId $MGGroupID -BodyParameter $newGroupOwner

Disconnect-MgGraph

#Connect to EXOL

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -CertificateThumbPrint "Your Cert Thumbprint" -AppID "Your App ID" -Organization "Your Org.onmicrosoft.com" -UseRPSSession


#Change unified Group Email Address

Get-Group -Identity "Steve-test-automation2" |fl

Set-Group -Identity "Steve-test-automation2" -WindowsEmailAddress "steve-test-automation2@yourOrg.com"

#Set Allow External Senders
Set-UnifiedGroup -Identity "Steve-test-automation2" -RequireSenderAuthenticationEnabled:$false



Disconnect-ExchangeOnline

Sounds good. I completely missed sending you a link to https://practical365.com/use-azure-automation-exchange-online/ which explains some of the ground you cover here. In any case, it's good that you have a solution.
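
The two Graph-only routes raised in this thread, as an added example that is not code from any poster: resourceBehaviorOptions supplied in the creation POST (the reply near the top), and allowExternalSenders sent afterwards in a PATCH of its own (the error message quoted above). It assumes an existing Connect-MgGraph session; the function names, display name and mail nickname are constructed for illustration, and whether the PATCH is accepted for an app-only (certificate) session is an assumption to verify in your tenant.

```powershell
# Added example. Assumes Connect-MgGraph has already been run in this session.
# Function names and the sample group values are constructed, not from the thread.
Import-Module Microsoft.Graph.Authentication

function New-HiddenUnifiedGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname
    )
    # resourceBehaviorOptions can only be supplied when the group is created;
    # per the thread it is not supported when editing an existing group.
    $body = @{
        displayName             = $DisplayName
        mailNickname            = $MailNickname
        mailEnabled             = $true
        securityEnabled         = $false
        groupTypes              = @('Unified')
        resourceBehaviorOptions = @('HideGroupInOutlook', 'WelcomeEmailDisabled')
    } | ConvertTo-Json

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/groups' `
        -Body $body -ContentType 'application/json'
}

function Set-GroupExternalSenders {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [bool]$Allow = $true
    )
    # allowExternalSenders is rejected in the initial POST, so it is sent
    # as the only property of a follow-up PATCH.
    $body = @{ allowExternalSenders = $Allow } | ConvertTo-Json

    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId" `
        -Body $body -ContentType 'application/json'
}

$group = New-HiddenUnifiedGroup -DisplayName 'Sample Provisioned Team' -MailNickname 'sample.provisioned.team'

try {
    Set-GroupExternalSenders -GroupId $group.id -Allow $true
}
catch {
    # If the session's permissions do not cover this property, fall back to
    # the Exchange Online route shown earlier in the thread.
    Write-Warning "PATCH of allowExternalSenders failed: $($_.Exception.Message)"
}
```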