Posted in: Azure, Microsoft. By Stina Perbo

3 years ago

When working with on-premises Active Directory, an administrator often has to search AD groups recursively. This is easy with the ActiveDirectory module's cmdlet "Get-ADGroupMember <Group> -Recursive".
For the Azure AD equivalent this is no longer an option: the cmdlet Get-AzureADGroupMember has only three parameters.

PARAMETERS
-All <Boolean>
    If true, return all group members. If false, return the number of objects specified by the Top parameter.
-ObjectId <String>
    Specifies the ID of a group in Azure AD.
-Top <Int32>
    Specifies the maximum number of records to return.

As we can see there is no -Recursive parameter, so to search recursively I've written the function below.

Function Get-RecursiveAzureAdGroupMemberUsers{
[cmdletbinding()]
param(
   [parameter(Mandatory=$True,ValueFromPipeline=$true)]
   $AzureGroup
)
    Begin{
        # Get-AzureADCurrentSessionInfo throws when there is no session, so test it inside Try
        Try{ $null = Get-AzureADCurrentSessionInfo -ErrorAction Stop }
        Catch{ Connect-AzureAD | Out-Null }
        # Collect users from every group passed in, whether by parameter or by pipeline
        [array]$UserMembers = @()
    }
    Process {
        Write-Verbose -Message "Enumerating $($AzureGroup.DisplayName)"
        $Members = Get-AzureADGroupMember -ObjectId $AzureGroup.ObjectId -All $true
        # @() forces an array, so += works even when the group holds a single user or none
        $UserMembers += @($Members | Where-Object{$_.ObjectType -eq 'User'})
        $NestedGroups = @($Members | Where-Object{$_.ObjectType -eq 'Group'})
        If($NestedGroups){
            # Recurse into each nested group; every call returns the users it finds
            $UserMembers += @($NestedGroups | ForEach-Object{ Get-RecursiveAzureAdGroupMemberUsers -AzureGroup $_ })
        }
    }
    end {
        Return $UserMembers
    }
}

The function accepts groups by parameter or by pipeline and returns only objects of type 'User'.
To run a recursive Azure AD group member search, simply pipe a normal Azure AD group search into it, as below:

Get-AzureADGroup -SearchString 'AzureADGroupName' | Get-RecursiveAzureAdGroupMemberUsers

Tags: Azure, AzureAD, Get-AzureAdGroupMember, PowerShell, Recursive

Personal consultation

We offer personal consultation with the author for 1400 SEK per hour. Register your interest here and we will get back to you as soon as we can.

Comments

Jay Antoney says

There is a problem with this. If the group you are searching contains another GROUP before a MEMBER, then the script never creates the $UserMembers array and therefore fails with the error:
> Method invocation failed because [Microsoft.Open.AzureAD.Model.User] does not contain a method named 'op_Addition'.

Vikingur Saemundsson says

Hi, I can't see the scenario where this would be a problem. Perhaps if we find a group without any user members? Are you inputting an object with both groups & users into the function?
Does it help to encapsulate everything into try/catch clauses?
Try{$UserMembers = $Members | Where-Object{$_.ObjectType -eq 'User'}}
Catch{$UserMembers = @()}
Try{
    If($Members | Where-Object{$_.ObjectType -eq 'Group'}){
        $UserMembers += $Members | Where-Object{$_.ObjectType -eq 'Group'} | ForEach-Object{ Get-RecursiveAzureAdGroupMemberUsers -AzureGroup $_}
    }
}
Catch{}

Dale says

@Jay Antoney
The problem appears to be that the group and user report back data in different formats; setting $UserMembers as an array as per below seems to resolve the issue.

Replace:
$UserMembers = $Members | Where-Object{$_.ObjectType -eq 'User'}

With:
[array]$UserMembers = $Members | Where-Object{$_.ObjectType -eq 'User'}
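As an added example (not the post's or any commenter's code), here is the same recursion with an explicit visited set and de-duplication, driven by a constructed in-memory directory so it runs offline; it covers the case above where a nested group appears before any user, and the case where one group is nested under two parents. Get-FakeGroupMember is a hypothetical stand-in for Get-AzureADGroupMember -All $true, and the group and user objects are made up.

```powershell
# Constructed directory standing in for Azure AD: group ObjectId -> direct members.
# 'grp-admins' lists nested groups before any user (the ordering that broke the
# original $UserMembers += ...) and 'grp-ops' is nested under two parents.
$Directory = @{
    'grp-admins'   = @(
        [pscustomobject]@{ ObjectType = 'Group'; ObjectId = 'grp-ops';      DisplayName = 'Ops' }
        [pscustomobject]@{ ObjectType = 'Group'; ObjectId = 'grp-helpdesk'; DisplayName = 'Helpdesk' }
        [pscustomobject]@{ ObjectType = 'User';  ObjectId = 'usr-alice';    DisplayName = 'Alice' }
    )
    'grp-helpdesk' = @(
        [pscustomobject]@{ ObjectType = 'Group'; ObjectId = 'grp-ops';      DisplayName = 'Ops' }
        [pscustomobject]@{ ObjectType = 'User';  ObjectId = 'usr-carol';    DisplayName = 'Carol' }
    )
    'grp-ops'      = @(
        [pscustomobject]@{ ObjectType = 'User';  ObjectId = 'usr-bob';      DisplayName = 'Bob' }
    )
}

# Hypothetical stand-in for: Get-AzureADGroupMember -ObjectId <id> -All $true
function Get-FakeGroupMember { param([string]$ObjectId) $Directory[$ObjectId] }

function Get-TransitiveUsers {
    [cmdletbinding()]
    param(
        [parameter(Mandatory = $true, ValueFromPipeline = $true)] $Group,
        # ObjectIds already expanded; the same hashtable is handed down every recursive call
        [hashtable]$Visited
    )
    process {
        # each top-level group (one per pipeline item) starts with a fresh visited set
        if (-not $PSBoundParameters.ContainsKey('Visited')) { $Visited = @{} }
        if ($Visited.ContainsKey($Group.ObjectId)) {
            Write-Verbose "Already expanded $($Group.DisplayName), skipping"
            return
        }
        $Visited[$Group.ObjectId] = $true
        Write-Verbose "Enumerating $($Group.DisplayName)"
        # @() forces arrays, so += works even when a group holds a single member or none
        $members = @(Get-FakeGroupMember -ObjectId $Group.ObjectId)
        $users   = @($members | Where-Object ObjectType -eq 'User')
        foreach ($nested in @($members | Where-Object ObjectType -eq 'Group')) {
            $users += @(Get-TransitiveUsers -Group $nested -Visited $Visited)
        }
        # a user reachable through several nested groups is reported once
        $users | Sort-Object -Property ObjectId -Unique
    }
}

$admins = [pscustomobject]@{ ObjectType = 'Group'; ObjectId = 'grp-admins'; DisplayName = 'Admins' }
$admins | Get-TransitiveUsers -Verbose | Select-Object DisplayName, ObjectId
```

Against the constructed data this lists Alice, Bob and Carol once each, and the verbose stream shows Ops being expanded only the first time it is reached.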

Miqueas Andrade says

Hello Everybody,

After suffering for about a month trying to extract lists of all nested members within Azure groups, I finally found that, as of June 2021, the best solution for me is to call a Microsoft Graph API endpoint (GET /groups/{id}/transitiveMembers - https://docs.microsoft.com/en-us/graph/api/group-list-transitivemembers?view=graph-rest-1.0&tabs=http), as it's extremely fast and reasonably easy to deal with in PowerShell. Here comes an example:

$GroupName = "AZR-MyAzureGroupName" ### Fill your group name here ###

### sign in with the Az module once; Get-AzADGroup and Get-AzAccessToken both use that context ###
$login = "example@contoso.com" ### Fill your Azure Login Here ###
$acct = Get-Credential -Credential $login
Connect-AzAccount -Credential $acct | Out-Null
$objectId = (Get-AzADGroup -DisplayName $GroupName).Id

### get the Authorization Token to perform the API Call (Graph expects the Bearer scheme) ###
$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token
$http_header = @{ 'Authorization' = "Bearer $token" }
$Uri = "https://graph.microsoft.com/beta/groups/" + $objectId + '/transitiveMembers?$select=displayName,givenName,id,jobTitle,mail,mobilePhone,officeLocation,preferredLanguage,surname,userPrincipalName,onPremisesSamAccountName,employeeId'

### transitiveMembers is paged: keep following @odata.nextLink until the last page ###
$members = @()
do {
    $http_response = Invoke-RestMethod -Uri $Uri -Headers $http_header
    $members += $http_response.value
    $Uri = $http_response.'@odata.nextLink'
} while ($Uri)
$members ### shows the output

Thanks for the space and snippet shared!
Best Regards,
Miqueas Andrade
