@pnp/cli-microsoft365 8.1.0-beta.bf59841 → 9.0.0-beta.1516729

package/dist/utils/entraApp.js

@@ -0,0 +1,283 @@
+import fs from 'fs';
+import request from '../request.js';
+import { odata } from './odata.js';
+async function getCertificateBase64Encoded({ options, logger, debug }) {
+    if (options.certificateBase64Encoded) {
+        return options.certificateBase64Encoded;
+    }
+    if (debug) {
+        await logger.logToStderr(`Reading existing ${options.certificateFile}...`);
+    }
+    try {
+        return fs.readFileSync(options.certificateFile, { encoding: 'base64' });
+    }
+    catch (e) {
+        throw new Error(`Error reading certificate file: ${e}. Please add the certificate using base64 option '--certificateBase64Encoded'.`);
+    }
+}
+async function createServicePrincipal(appId) {
+    const requestOptions = {
+        url: `https://graph.microsoft.com/v1.0/myorganization/servicePrincipals`,
+        headers: {
+            'content-type': 'application/json'
+        },
+        data: {
+            appId: appId
+        },
+        responseType: 'json'
+    };
+    return request.post(requestOptions);
+}
+async function grantOAuth2Permission({ appId, resourceId, scopeName }) {
+    const grantAdminConsentApplicationRequestOptions = {
+        url: `https://graph.microsoft.com/v1.0/myorganization/oauth2PermissionGrants`,
+        headers: {
+            accept: 'application/json;odata.metadata=none'
+        },
+        responseType: 'json',
+        data: {
+            clientId: appId,
+            consentType: "AllPrincipals",
+            principalId: null,
+            resourceId: resourceId,
+            scope: scopeName
+        }
+    };
+    return request.post(grantAdminConsentApplicationRequestOptions);
+}
+async function addRoleToServicePrincipal({ objectId, resourceId, appRoleId }) {
+    const requestOptions = {
+        url: `https://graph.microsoft.com/v1.0/myorganization/servicePrincipals/${objectId}/appRoleAssignments`,
+        headers: {
+            'Content-Type': 'application/json'
+        },
+        responseType: 'json',
+        data: {
+            appRoleId: appRoleId,
+            principalId: objectId,
+            resourceId: resourceId
+        }
+    };
+    return request.post(requestOptions);
+}
+async function getRequiredResourceAccessForApis({ servicePrincipals, apis, scopeType, logger, debug }) {
+    if (!apis) {
+        return [];
+    }
+    const resolvedApis = [];
+    const requestedApis = apis.split(',').map(a => a.trim());
+    for (const api of requestedApis) {
+        const pos = api.lastIndexOf('/');
+        const permissionName = api.substring(pos + 1);
+        const servicePrincipalName = api.substring(0, pos);
+        if (debug) {
+            await logger.logToStderr(`Resolving ${api}...`);
+            await logger.logToStderr(`Permission name: ${permissionName}`);
+            await logger.logToStderr(`Service principal name: ${servicePrincipalName}`);
+        }
+        const servicePrincipal = servicePrincipals.find(sp => (sp.servicePrincipalNames.indexOf(servicePrincipalName) > -1 ||
+            sp.servicePrincipalNames.indexOf(`${servicePrincipalName}/`) > -1));
+        if (!servicePrincipal) {
+            throw `Service principal ${servicePrincipalName} not found`;
+        }
+        const scopesOfType = scopeType === 'Scope' ? servicePrincipal.oauth2PermissionScopes : servicePrincipal.appRoles;
+        const permission = scopesOfType.find(scope => scope.value === permissionName);
+        if (!permission) {
+            throw `Permission ${permissionName} for service principal ${servicePrincipalName} not found`;
+        }
+        let resolvedApi = resolvedApis.find(a => a.resourceAppId === servicePrincipal.appId);
+        if (!resolvedApi) {
+            resolvedApi = {
+                resourceAppId: servicePrincipal.appId,
+                resourceAccess: []
+            };
+            resolvedApis.push(resolvedApi);
+        }
+        const resourceAccessPermission = {
+            id: permission.id,
+            type: scopeType
+        };
+        resolvedApi.resourceAccess.push(resourceAccessPermission);
+        updateAppPermissions({
+            spId: servicePrincipal.id,
+            resourceAccessPermission,
+            oAuth2PermissionValue: permission.value
+        });
+    }
+    return resolvedApis;
+}
+function updateAppPermissions({ spId, resourceAccessPermission, oAuth2PermissionValue }) {
+    // During API resolution, we store globally both app role assignments and oauth2permissions
+    // So that we'll be able to parse them during the admin consent process
+    let existingPermission = entraApp.appPermissions.find(oauth => oauth.resourceId === spId);
+    if (!existingPermission) {
+        existingPermission = {
+            resourceId: spId,
+            resourceAccess: [],
+            scope: []
+        };
+        entraApp.appPermissions.push(existingPermission);
+    }
+    if (resourceAccessPermission.type === 'Scope' && oAuth2PermissionValue && !existingPermission.scope.find(scp => scp === oAuth2PermissionValue)) {
+        existingPermission.scope.push(oAuth2PermissionValue);
+    }
+    if (!existingPermission.resourceAccess.find(res => res.id === resourceAccessPermission.id)) {
+        existingPermission.resourceAccess.push(resourceAccessPermission);
+    }
+}
+export const entraApp = {
+    appPermissions: [],
+    createAppRegistration: async ({ options, apis, logger, verbose, debug }) => {
+        const applicationInfo = {
+            displayName: options.name,
+            signInAudience: options.multitenant ? 'AzureADMultipleOrgs' : 'AzureADMyOrg'
+        };
+        if (apis.length > 0) {
+            applicationInfo.requiredResourceAccess = apis;
+        }
+        if (options.redirectUris) {
+            applicationInfo[options.platform] = {
+                redirectUris: options.redirectUris.split(',').map(u => u.trim())
+            };
+        }
+        if (options.implicitFlow) {
+            if (!applicationInfo.web) {
+                applicationInfo.web = {};
+            }
+            applicationInfo.web.implicitGrantSettings = {
+                enableAccessTokenIssuance: true,
+                enableIdTokenIssuance: true
+            };
+        }
+        if (options.certificateFile || options.certificateBase64Encoded) {
+            const certificateBase64Encoded = await getCertificateBase64Encoded({ options, logger, debug });
+            const newKeyCredential = {
+                type: 'AsymmetricX509Cert',
+                usage: 'Verify',
+                displayName: options.certificateDisplayName,
+                key: certificateBase64Encoded
+            };
+            applicationInfo.keyCredentials = [newKeyCredential];
+        }
+        if (options.allowPublicClientFlows) {
+            applicationInfo.isFallbackPublicClient = true;
+        }
+        if (verbose) {
+            await logger.logToStderr(`Creating Microsoft Entra app registration...`);
+        }
+        const createApplicationRequestOptions = {
+            url: `https://graph.microsoft.com/v1.0/myorganization/applications`,
+            headers: {
+                accept: 'application/json;odata.metadata=none'
+            },
+            responseType: 'json',
+            data: applicationInfo
+        };
+        return request.post(createApplicationRequestOptions);
+    },
+    grantAdminConsent: async ({ appInfo, appPermissions, adminConsent, logger, debug }) => {
+        if (!adminConsent || appPermissions.length === 0) {
+            return appInfo;
+        }
+        const sp = await createServicePrincipal(appInfo.appId);
+        if (debug) {
+            await logger.logToStderr("Service principal created, returned object id: " + sp.id);
+        }
+        const tasks = [];
+        appPermissions.forEach(async (permission) => {
+            if (permission.scope.length > 0) {
+                tasks.push(grantOAuth2Permission({
+                    appId: sp.id,
+                    resourceId: permission.resourceId,
+                    scopeName: permission.scope.join(' ')
+                }));
+                if (debug) {
+                    await logger.logToStderr(`Admin consent granted for following resource ${permission.resourceId}, with delegated permissions: ${permission.scope.join(',')}`);
+                }
+            }
+            permission.resourceAccess.filter(access => access.type === "Role").forEach(async (access) => {
+                tasks.push(addRoleToServicePrincipal({
+                    objectId: sp.id,
+                    resourceId: permission.resourceId,
+                    appRoleId: access.id
+                }));
+                if (debug) {
+                    await logger.logToStderr(`Admin consent granted for following resource ${permission.resourceId}, with application permission: ${access.id}`);
+                }
+            });
+        });
+        await Promise.all(tasks);
+        return appInfo;
+    },
+    resolveApis: async ({ options, manifest, logger, verbose, debug }) => {
+        if (!options.apisDelegated && !options.apisApplication
+            && (typeof manifest?.requiredResourceAccess === 'undefined' || manifest.requiredResourceAccess.length === 0)) {
+            return [];
+        }
+        if (verbose) {
+            await logger.logToStderr('Resolving requested APIs...');
+        }
+        const servicePrincipals = await odata.getAllItems(`https://graph.microsoft.com/v1.0/myorganization/servicePrincipals?$select=appId,appRoles,id,oauth2PermissionScopes,servicePrincipalNames`);
+        let resolvedApis = [];
+        if (options.apisDelegated || options.apisApplication) {
+            resolvedApis = await getRequiredResourceAccessForApis({
+                servicePrincipals,
+                apis: options.apisDelegated,
+                scopeType: 'Scope',
+                logger,
+                debug
+            });
+            if (verbose) {
+                await logger.logToStderr(`Resolved delegated permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
+            }
+            const resolvedApplicationApis = await getRequiredResourceAccessForApis({
+                servicePrincipals,
+                apis: options.apisApplication,
+                scopeType: 'Role',
+                logger,
+                debug
+            });
+            if (verbose) {
+                await logger.logToStderr(`Resolved application permissions: ${JSON.stringify(resolvedApplicationApis, null, 2)}`);
+            }
+            // merge resolved application APIs onto resolved delegated APIs
+            resolvedApplicationApis.forEach(resolvedRequiredResource => {
+                const requiredResource = resolvedApis.find(api => api.resourceAppId === resolvedRequiredResource.resourceAppId);
+                if (requiredResource) {
+                    requiredResource.resourceAccess.push(...resolvedRequiredResource.resourceAccess);
+                }
+                else {
+                    resolvedApis.push(resolvedRequiredResource);
+                }
+            });
+        }
+        else {
+            const manifestApis = manifest.requiredResourceAccess;
+            manifestApis.forEach(manifestApi => {
+                resolvedApis.push(manifestApi);
+                const app = servicePrincipals.find(servicePrincipals => servicePrincipals.appId === manifestApi.resourceAppId);
+                if (app) {
+                    manifestApi.resourceAccess.forEach((res => {
+                        const resourceAccessPermission = {
+                            id: res.id,
+                            type: res.type
+                        };
+                        const oAuthValue = app.oauth2PermissionScopes.find(scp => scp.id === res.id)?.value;
+                        updateAppPermissions({
+                            spId: app.id,
+                            resourceAccessPermission,
+                            oAuth2PermissionValue: oAuthValue
+                        });
+                    }));
+                }
+            });
+        }
+        if (verbose) {
+            await logger.logToStderr(`Merged delegated and application permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
+            await logger.logToStderr(`App role assignments: ${JSON.stringify(entraApp.appPermissions.flatMap(permission => permission.resourceAccess.filter(access => access.type === "Role")), null, 2)}`);
+            await logger.logToStderr(`OAuth2 permissions: ${JSON.stringify(entraApp.appPermissions.flatMap(permission => permission.scope), null, 2)}`);
+        }
+        return resolvedApis;
+    }
+};
+//# sourceMappingURL=entraApp.js.map

package/dist/utils/spo.js

@@ -1405,6 +1405,38 @@ export const spo = {
         const site = await request.get(requestOptions);
         return site.id;
     },
+    /**
+     * Retrieves the server-relative URL of a folder.
+     * @param webUrl Web URL
+     * @param folderUrl Folder URL
+     * @param folderId Folder ID
+     * @param logger The logger object
+     * @param verbose Set for verbose logging
+     * @returns The server-relative URL of the folder
+     */
+    async getFolderServerRelativeUrl(webUrl, folderUrl, folderId, logger, verbose) {
+        if (verbose && logger) {
+            await logger.logToStderr(`Retrieving server-relative URL for folder ${folderUrl ? `URL: ${folderUrl}` : `ID: ${folderId}`}`);
+        }
+        let requestUrl = `${webUrl}/_api/web/`;
+        if (folderUrl) {
+            const folderServerRelativeUrl = urlUtil.getServerRelativePath(webUrl, folderUrl);
+            requestUrl += `GetFolderByServerRelativePath(decodedUrl='${formatting.encodeQueryParameter(folderServerRelativeUrl)}')`;
+        }
+        else {
+            requestUrl += `GetFolderById('${folderId}')`;
+        }
+        requestUrl += '?$select=ServerRelativeUrl';
+        const requestOptions = {
+            url: requestUrl,
+            headers: {
+                accept: 'application/json;odata=nometadata'
+            },
+            responseType: 'json'
+        };
+        const res = await request.get(requestOptions);
+        return res.ServerRelativeUrl;
+    },
     /**
      * Retrieves the ObjectIdentity from a SharePoint site
      * @param webUrl web url

package/docs/docs/_clisettings.mdx

@@ -2,6 +2,11 @@ Setting name|Definition|Default value
 ------------|----------|-------------
 `authType`|Default login method to use when running `m365 login` without the `--authType` option.|`deviceCode`
 `autoOpenLinksInBrowser`|Automatically open the browser for all commands which return a url and expect the user to copy paste this to the browser. For example when logging in, using `m365 login` in device code mode.|`false`
+`clientId`|ID of the default Entra ID app use by the CLI to authenticate|``
+`clientSecret`|Secret of the default Entra ID app use by the CLI to authenticate|``
+`clientCertificateFile`|Path to the file containing the client certificate to use for authentication|``
+`clientCertificateBase64Encoded`|Base64-encoded client certificate contents|``
+`clientCertificatePassword`|Password to the client certificate file|``
 `copyDeviceCodeToClipboard`|Automatically copy the device code to the clipboard when running `m365 login` command in device code mode|`false`
 `csvEscape`|Single character used for escaping; only apply to characters matching the quote and the escape options|`"`
 `csvHeader`|Display the column names on the first line|`true`
@@ -18,3 +23,4 @@ Setting name|Definition|Default value
 `promptListPageSize`|By default, lists of choices longer than 7 will be paginated. Use this option to control how many choices will appear on the screen at once.|7
 `showHelpOnFailure`|Automatically display help when executing a command failed|`true`
 `showSpinner`|Display spinner when executing commands|`true`
+`tenantId`|ID of the default tenant to use when authenticating with|``

package/docs/docs/cmd/entra/enterpriseapp/enterpriseapp-remove.mdx

@@ -0,0 +1,65 @@
+import Global from '/docs/cmd/_global.mdx';
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# entra enterpriseapp remove
+
+Deletes an enterprise application (or service principal)
+
+## Usage
+
+```sh
+m365 entra enterpriseapp remove [options]
+```
+
+## Alias
+
+```sh
+m365 entra sp remove [options]
+```
+
+## Options
+
+```md definition-list
+`-i, --id [id]`
+: ID of the enterprise application.
+
+`-n, --displayName [displayName]`
+: Display name of the enterprise application.
+
+`--objectId [objectId]`
+: ObjectId of the enterprise application.
+
+`-f, --force`
+: Don't prompt for confirmation.
+```
+
+<Global />
+
+## Examples
+
+Delete an enterprise application by application ID.
+
+```sh
+m365 entra enterpriseapp remove --id b2307a39-e878-458b-bc90-03bc578531d6 --force
+```
+
+Delete an enterprise application by display name.
+
+```sh
+m365 entra enterpriseapp remove --displayName "Contoso app"
+```
+
+Delete an enterprise application by object ID.
+
+```sh
+m365 entra enterpriseapp remove --objectId b2307a39-e878-458b-bc90-03bc578531dd
+```
+
+## Response
+
+The command won't return a response on success.
+
+## More information
+
+- Application and service principal objects in Microsoft Entra ID: [https://learn.microsoft.com/azure/active-directory/develop/active-directory-application-objects](https://learn.microsoft.com/azure/active-directory/develop/active-directory-application-objects)

package/docs/docs/cmd/entra/group/group-add.mdx

@@ -53,8 +53,6 @@ m365 aad group add [options]
 
 ## Remarks
 
-:::info
-
 The `visibility` option affects the behavior of the group.
 
 With the `Public` visibility:
@@ -74,8 +72,6 @@ With the `HiddenMembership` visibility:
 - Administrators (global, company, user, and helpdesk) can view the membership of the group.
 - The group appears in the global address book (GAL).
 
-:::
-
 :::note
 
 The `HiddenMembership` visibility can be set only for Microsoft 365 groups when the groups are created. It can't be updated later.

package/docs/docs/cmd/entra/group/group-set.mdx

@@ -0,0 +1,89 @@
+import Global from '/docs/cmd/_global.mdx';
+
+# entra group set
+
+Updates a Microsoft Entra group
+
+## Usage
+
+```sh
+m365 entra group set [options]
+```
+
+## Options
+
+```md definition-list
+`-i, --id [id]`	
+: The ID of the Microsoft Entra group to update. Specify either `id` or `displayName` but not both.
+
+`-n, --displayName [displayName]`	
+: The display name of the Microsoft Entra group to update. Specify either `id` or `displayName` but not both.
+
+`--newDisplayName [newDisplayName]`	
+: The new display name of the Microsoft Entra group. The maximum length is 256 characters.
+
+`--description [description]`
+: The new description for the group.
+
+`--mailNickname [mailNickname]`
+: The new mail alias for the group (part before the @). Use only for mail-enabled groups. Maximum length is 64 characters.
+
+`--ownerIds [ownerIds]`
+: Comma-separated list of IDs of Microsoft Entra users that will be the group owners. Specify either `ownerIds` or `ownerUserNames`, but not both.
+
+`--ownerUserNames [ownerUserNames]`
+: Comma-separated list of UPNs of Microsoft Entra users that will be the group owners. Specify either `ownerIds` or `ownerUserNames`, but not both.
+
+`--memberIds [memberIds]`
+: Comma-separated list of IDs of Microsoft Entra users that will be the group members. Specify either `memberIds` or `memberUserNames`, but not both.
+
+`--memberUserNames [memberUserNames]`
+: Comma-separated list of UPNs of Microsoft Entra users that will be the group members. Specify either `memberIds` or `memberUserNames`, but not both.
+
+`--visibility [visibility]`
+: Specifies the group join policy and group content visibility for Microsoft 365 groups. Possible values are: `Private` or `Public`. Specify only when targeting a Microsoft 365 group.
+```
+
+<Global />
+
+## Remarks
+
+The `visibility` option affects the behavior of the group.
+
+With the `Public` visibility:
+- Anyone can join the group without needing owner approval. 
+- Anyone can view the attributes of the group. 
+- Anyone can see the members of the group.
+
+With the `Private` visibilty:
+- Owner approval is needed to join the group.
+- Anyone can view the attributes of the group.
+- Anyone can see the members of the group.
+
+If the specified option is not found, you will receive a `Resource 'xyz' does not exist or one of its queried reference-property objects are not present.` error.
+
+Specifying `memberIds` or `memberUserNames` will make only those users members, removing all others. Similarly, specifying `ownerIds` or `ownerUserNames` will make only those users owners, removing all others.
+
+## Examples
+
+Update the display name of a group specified by the display name
+
+```sh
+m365 entra group set --displayName Devs --newDisplayName Developers
+```
+
+Set the owners of a group to the specified people
+
+```sh
+m365 entra group set --id 57fd6b33-54eb-42b0-9ea0-8a9ac04eab7d --ownerUserNames "john.doe@contoso.com,adele.vance@contoso.com"
+```
+
+Update the description and mail nickname of a group
+
+```sh
+m365 entra group set --id 57fd6b33-54eb-42b0-9ea0-8a9ac04eab7d --description "All developers of the company" --mailNickname developers
+```
+
+## Response
+
+The command won't return a response on success.

package/docs/docs/cmd/entra/m365group/m365group-user-add.mdx

@@ -26,13 +26,25 @@ m365 teams user add
 
 ```md definition-list
 `-i, --groupId [groupId]`
-: The ID of the Microsoft 365 Group to which to add the user
+: The ID of the Microsoft 365 group. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
+
+`--groupName [groupName]`
+: The display name of the Microsoft 365 group. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
 
 `--teamId [teamId]`
-: The ID of the Teams team to which to add the user
+: The ID of the Teams team. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
+
+`--teamName [teamName]`
+: The display name of the Microsoft Teams team. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
+
+`-n, --userName [userName]`
+: (deprecated) User's UPN (User Principal Name), e.g. johndoe@example.com.
+
+`--ids [ids]`
+: Microsoft Entra IDs of users. You can also pass a comma-separated list of IDs. Specify either `ids` or `userNames` but not both.
 
-`-n, --userName <userName>`
-: User's UPN (user principal name, eg. johndoe@example.com)
+`--userNames [userNames]`
+: The user principal names of users. You can also pass a comma-separated list of UPNs. Specify either `ids` or `userNames` but not both.
 
 `-r, --role [role]`
 : The role to be assigned to the new user: `Owner,Member`. Default `Member`
@@ -42,22 +54,28 @@ m365 teams user add
 
 ## Examples
 
-Add a new member to the specified Microsoft 365 Group
+Add a new member with the userNames parameter to the specified Microsoft 365 Group
+
+```sh
+m365 entra m365group user add --groupId '00000000-0000-0000-0000-000000000000' --userNames 'anne.matthews@contoso.onmicrosoft.com'
+```
+
+Add multiple new owners with the userNames parameter to the specified Microsoft 365 Group
 
 ```sh
-m365 entra m365group user add --groupId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com'
+m365 entra m365group user add --groupName 'Contoso' --userNames 'anne.matthews@contoso.onmicrosoft.com, john.doe@contoso.onmicrosoft.com' --role Owner
 ```
 
-Add a new owner to the specified Microsoft 365 Group
+Add a new member with the userNames parameter to the specified Microsoft Teams team
 
 ```sh
-m365 entra m365group user add --groupId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com' --role Owner
+m365 entra m365group member add --teamId '00000000-0000-0000-0000-000000000000' --userNames 'anne.matthews@contoso.onmicrosoft.com' --role Member
 ```
 
-Add a new member to the specified Microsoft Teams team
+Add multiple new members with the ids parameter to the specified Microsoft Teams team
 
 ```sh
-m365 teams user add --teamId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com'
+m365 entra m365group user add --teamName 'Engineering' --ids '74a3b772-3122-447b-b9da-10895e238219,dd3d21e4-a142-46b9-8482-bca8fe9596b3' --role Member
 ```
 
 ## Response

package/docs/docs/cmd/entra/m365group/m365group-user-set.mdx

@@ -2,7 +2,7 @@ import Global from '/docs/cmd/_global.mdx';
 
 # entra m365group user set
 
-Updates role of the specified user in the specified Microsoft 365 Group or Microsoft Teams team
+Updates role of the specified users in the specified Microsoft 365 Group or Microsoft Teams team
 
 ## Usage
 
@@ -24,13 +24,25 @@ m365 aad teams user set
 
 ```md definition-list
 `-i, --groupId [groupId]`
-: The ID of the Microsoft 365 group for which to update user
+: The ID of the Microsoft 365 group. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
+
+`--groupName [groupName]`
+: The display name of the Microsoft 365 group. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
 
 `--teamId [teamId]`
-: The ID of the Microsoft Teams team for which to update user
+: The ID of the Teams team. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
+
+`--teamName [teamName]`
+: The display name of the Microsoft Teams team. Specify only one of the following: `groupId`, `groupName`, `teamId`, or `teamName`.
+
+`-n, --userName [userName]`
+: (deprecated) User's UPN (User Principal Name), e.g. johndoe@example.com.
 
-`-n, --userName <userName>`
-: UPN of the user for whom to update the role (eg. johndoe@example.com)
+`--ids [ids]`
+: Microsoft Entra IDs of users. You can also pass a comma-separated list of IDs. Specify only one of the following `userName`, `ids` or `userNames`.
+
+`--userNames [userNames]`
+: The user principal names of users. You can also pass a comma-separated list of UPNs. Specify only one of the following `userName`, `ids` or `userNames`.
 
 `-r, --role <role>`
 : Role to set for the given user in the specified Microsoft 365 Group or Microsoft Teams team. Allowed values: `Owner`, `Member`
@@ -44,28 +56,40 @@ The command will return an error if the user already has the specified role in t
 
 ## Examples
 
-Promote the specified user to owner of the given Microsoft 365 Group
+Promote a single user to Owner of the given Microsoft 365 Group
 
 ```sh
 m365 entra m365group user set --groupId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com' --role Owner
 ```
 
-Demote the specified user from owner to member in the given Microsoft 365 Group
+Promote multiple users specified by the userNames parameter to Owner of the given Microsoft 365 Group
+
+```sh
+m365 entra m365group user set --groupName 'Contoso' --userNames 'anne.matthews@contoso.onmicrosoft.com,john.doe@contoso.onmicrosoft.com' --role Owner
+```
+
+Promote multiple users specified by the ids parameter to Owner of the given Microsoft 365 Group
+
+```sh
+m365 entra m365group user set --groupId '00000000-0000-0000-0000-000000000000' --ids '74a3b772-3122-447b-b9da-10895e238219,dd3d21e4-a142-46b9-8482-bca8fe9596b3' --role Owner
+```
+
+Demote a single user from Owner to Member in the given Microsoft 365 Group
 
 ```sh
 m365 entra m365group user set --groupId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com' --role Member
 ```
 
-Promote the specified user to owner of the given Microsoft Teams team
+Demote multiple users specified by the userNames parameter from Owner to Member of the given Microsoft Teams team
 
 ```sh
-m365 entra teams user set --teamId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com' --role Owner
+m365 entra teams user set --teamId '00000000-0000-0000-0000-000000000000' --userNames 'anne.matthews@contoso.onmicrosoft.com,john.doe@contoso.onmicrosoft.com' --role Member
 ```
 
-Demote the specified user from owner to member in the given Microsoft Teams team
+Demote multiple users specified by the ids parameter from Owner to Member in the given Microsoft Teams team
 
 ```sh
-m365 entra teams user set --teamId '00000000-0000-0000-0000-000000000000' --userName 'anne.matthews@contoso.onmicrosoft.com' --role Member
+m365 entra teams user set --teamName 'Engineering' --ids '74a3b772-3122-447b-b9da-10895e238219,dd3d21e4-a142-46b9-8482-bca8fe9596b3' --role Member
 ```
 
 ## Response