Reputation: 11
We're experiencing a consistent error when adding members to a security group:
$refObjectId = Get-AzureRmADUser -UserPrincipalName $UserEmail
Add-AzureADGroupMember -ObjectId [securitygroupID] -RefObjectId $refObjectId.Id
The script above succeeds about half of the time and fails about half of the time, throwing:
Exception: Error occurred while executing AddGroupMember StatusCode: BadRequest ErrorCode: Request_BadRequest Message: One or more added object references already exist for the following modified properties: 'members'.
This group typically has hundreds of users that primarily have a common name (i.e. Temporary User) but unique UPNs (i.e. user12345@). I am assuming that when Add-AzureADGroupMember runs, it first verifies whether the member already exists in the group and checks the username (which will have duplicates) rather than the ObjectId (no duplicates).
Any suggestions to force the command to use ObjectId for verification, to prevent a false positive for "member already exists"?
Upvotes: 1
Views: 15269
Reputation: 33
I hit this thread and discovered that the Get-AzureADGroupMember only returns the first 100 entries by default, you gotta have the '-All $true' switch to get all entries. My coding is very similar to NathanWindish only I make use of arrays for error checking.
# Get the group ID
$grpID = Get-AzureADGroup -SearchString "MyGroupName" | Select-Object -ExpandProperty ObjectId
# Get the group members (-All $true: without it only the first 100 members come back)
$grpMbrList = @(Get-AzureADGroupMember -ObjectId $grpID -All $true)
# Get the user ID - this should only return one user, but wrapping it in an array means you can easily check
# (-All $true again, otherwise only the first 100 users are searched)
$adUser = @(Get-AzureADUser -All $true | Where-Object { $_.Mail -eq "<email>" })
# Confirm you only have a single result
if ($adUser.Count -eq 1) {
    # Check the group by ObjectId, which is unique even when display names collide
    if ($grpMbrList.ObjectId -contains $adUser[0].ObjectId) {
        # user exists in group, do stuff
    }
    else {
        # user does not exist in the group, do other stuff
    }
}
Upvotes: 2
Reputation: 65
While Vadim's answer is quite good, I propose a smaller, more simple answer to this problem:
# Get the group that we want to modify.
$Group = Get-AzureADGroup -Filter "DisplayName eq 'GroupName'"
# Get all of the group members.
$Members = $Group | Get-AzureADGroupMember -All $true
# Get the user that you want to check
$User = Get-AzureADUser -Filter "Mail eq 'email'"
# Compare the Member list Object IDs with the user's Object ID via the -contains operator. (You don't need .ObjectID, but this could make the function faster in large jobs as you don't need to compare all values, just the one that you know is unique)
$IsUserInGroup = $Members.ObjectID -contains $User.ObjectID
$IsUserInGroup will return true if the user is in the group, and false if they are not. To invert this, either do (-NOT $IsUserInGroup) or use -notcontains.
Upvotes: 1
Reputation: 59358
Indeed, the specified error occurs if the specified user is already a member of the group.
Regarding:
Any suggestions to force command to use ObjectID for verification to prevent false positive for member already exists?
the following approach could be considered:
a) utilize the Get-AzureADGroupMember cmdlet to retrieve all the existing members beforehand, for example:
$targetGroup = Get-AzureADGroup -Filter "DisplayName eq '<group name>'"
$groupMembers = Get-AzureADGroupMember -ObjectId $targetGroup.ObjectId -All $true
b) verify whether the user belongs to the group before invoking Add-AzureADGroupMember:
$targetUser = Get-AzureADUser -Filter "Mail eq '<email>'"
$existingMember = $groupMembers | Where-Object { $_.ObjectId -eq $targetUser.ObjectId }
if (-not $existingMember) {
    Add-AzureADGroupMember -ObjectId $targetGroup.ObjectId -RefObjectId $targetUser.ObjectId
}
Upvotes: 2
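As an added example that is not part of any answer in this thread: a function that combines the approaches above (snapshot the members once with -All $true, compare on ObjectId, resolve each user by the unique UPN mentioned in the question) and treats the "already exist" BadRequest as benign if it still shows up because someone else added the user in between. It assumes the AzureAD module with an existing Connect-AzureAD session; the function name, parameters and placeholders are my own.

```powershell
# Added example (not from the original thread): idempotent, ObjectId-based group membership.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already been run.
function Add-UserToGroupIfMissing {
    param(
        [Parameter(Mandatory)] [string]   $GroupObjectId,
        [Parameter(Mandatory)] [string[]] $UserPrincipalName
    )

    # Pull the full member list once (-All $true avoids the 100-item default page)
    # and keep only ObjectIds, which are unique even when display names collide.
    $existing = New-Object 'System.Collections.Generic.HashSet[string]'
    Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
        ForEach-Object { [void] $existing.Add($_.ObjectId) }

    foreach ($upn in $UserPrincipalName) {
        # Escape single quotes for the OData filter, then resolve by UPN (unique per tenant).
        $safeUpn = $upn -replace "'", "''"
        $users = @(Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'")
        if ($users.Count -ne 1) {
            Write-Warning "Expected exactly one user for '$upn', found $($users.Count); skipping."
            continue
        }
        $userId = $users[0].ObjectId

        if ($existing.Contains($userId)) {
            Write-Verbose "$upn ($userId) is already a member; nothing to do."
            continue
        }

        try {
            Add-AzureADGroupMember -ObjectId $GroupObjectId -RefObjectId $userId -ErrorAction Stop
            [void] $existing.Add($userId)
            Write-Output "Added $upn ($userId)."
        }
        catch {
            # The directory is the source of truth: if the user was added between our
            # snapshot and this call, the 'already exist' BadRequest is benign.
            if ($_.Exception.Message -match 'already exist') {
                Write-Verbose "$upn was added concurrently; treating as success."
                [void] $existing.Add($userId)
            }
            else { throw }
        }
    }
}

# Usage with placeholders (replace with real values):
# Add-UserToGroupIfMissing -GroupObjectId '<group ObjectId>' -UserPrincipalName 'user12345@<tenant domain>'
```

Because the member snapshot is taken once per call, pass the whole batch of UPNs in a single invocation rather than calling the function once per user.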