Posted in : Azure, Microsoft By Vikingur Saemundsson

3 years ago

When working with on-premise Active Directory an administrator often has to recursively search AD groups, this is easy using the ActiveDirectory module with cmdlet ”Get-AdGroupMember <Group> -Recusive”.
For the AzureAD equivalent this is no longer an option, the cmdlet Get-AzureADGroupMember has three parameters.
PARAMETERS
-All <Boolean>
If true, return all group members. If false, return the number of objects specified by the Top parameter
-ObjectId <String>
Specifies the ID of a group in Azure AD.
-Top <Int32>
Specifies the maximum number of records to return.

As we can see there is no -recursive, in order to search recursively I’ve written the function below.

Function Get-RecursiveAzureAdGroupMemberUsers{
[cmdletbinding()]
param(
   [parameter(Mandatory=$True,ValueFromPipeline=$true)]
   $AzureGroup
)
    Begin{
        If(-not(Get-AzureADCurrentSessionInfo)){Connect-AzureAD}
    }
    Process {
        Write-Verbose -Message "Enumerating $($AzureGroup.DisplayName)"
        $Members = Get-AzureADGroupMember -ObjectId $AzureGroup.ObjectId -All $true
        $UserMembers = $Members | Where-Object{$_.ObjectType -eq 'User'}
        If($Members | Where-Object{$_.ObjectType -eq 'Group'}){
            $UserMembers += $Members | Where-Object{$_.ObjectType -eq 'Group'} | ForEach-Object{ Get-RecursiveAzureAdGroupMemberUsers -AzureGroup $_}
        }
    }
    end {
        Return $UserMembers
    }
}

The function accepts groups by parameter or by pipeline and returns only the object type ’User’
To run a recursive AzureAD Group member search simply pipe a normal ADgroup search as below

Get-AzureADGroup -SearchString 'AzureADGroupName' | Get-RecursiveAzureAdGroupMemberUsers

Tags : Azure, AzureAD, Get-AzureAdGroupMember, PowerShell, Recusive

Comments

Jay Antoney says

There is a problem with this. If the group you are searching contains another GROUP before a MEMBER then the script never creates the $UserMembers array and therefore fails with the error.
> Method invocation failed because [Microsoft.Open.AzureAD.Model.User] does not contain a method named 'op_Addition'.

Vikingur Saemundsson says

Hi, I can't see the scenario where this would be a problem. Perhaps if we find a group without any usermembers? Are you inputing an object with both groups & users into the function?
Does it help to encapsulate everything into try/catch clauses?
Try{$UserMembers = $Members | Where-Object{$_.ObjectType -eq 'User'}}
Catch{$UserMembers = @()}
Try{
If($Members | Where-Object{$_.ObjectType -eq 'Group'}){
$UserMembers += $Members | Where-Object{$_.ObjectType -eq 'Group'} | ForEach-Object{ Get-RecursiveAzureAdGroupMemberUsers -AzureGroup $_}
}
}
Catch{}

Add comment

Your comment will be revised by the site if needed.

Just enough Administration & RDS

Back to all articles

Azure Automation - Running scripts locally on VM through runbooks

Xenit är ett tillväxtbolag med tjänster inom cloud och digital transformation. Våra engagerade specialister inspirerar, utmanar och vägleder företag och organisationer till molnet – alltid med affärsnytta och slutanvändarens frihet i fokus.

Integritetspolicy

Kontakt

Kungstorget 7
411 17 Göteborg
+46 (0) 10 707 35 00
info@xenit.se
Visa på karta

Sidor

IT-tjänster
Kundcase
Karriär
Om Xenit
Nyheter
Tech blog
Kontakt

 

Support

För våra avtalskunder finns våra specialister redo. Ring oss på +46 (0) 10 707 35 80 eller logga in på vår fjärrsupport för att få hjälp.

Copyright © 2021 Xenit