Thabs15
Copper Contributor
Mar 22, 2023

PowerShell Script to get Conditional Access Properties

I have the below script that gets users (pull UPNs) exempted from all conditional access policies and I am trying to then get assigned admin roles (Any role, permanent or eligible) to those users only.

 

NB. This is the specific part I need help with. Otherwise the rest of the script pulls other information I need.

$allpolicies = Get-AzureADMSConditionalAccessPolicy | Where-Object { $_.State -ne 'Disabled' }
$allpolicies | ForEach-Object {

    # Loop through each conditional access policy and get which users are excluded from each policy and their directory roles
    foreach ($user in ($_.Conditions).Users.ExcludeUsers) {
        $upn = (Get-AzureADUser -ObjectId $user).userPrincipalName
        # Get the Azure roles assigned to the user
        $roles = Get-AzureADDirectoryRole
        foreach ($role in $roles) {
            Get-AzureADDirectoryRoleMember -ObjectId $upn.userPrincipalName | select @{e={$role.userPrincipalName}}, userPrincipalName
        }

        New-Object -TypeName PSObject -Property @{
            ID                           = $_.Id
            DisplayName                  = $_.DisplayName
            Policy_State                 = $_.State
            TargetType                   = 'User'
            TargetName                   = $upn
            AzureADRoles                 = $roles
        }

    }
}

 

I get the below error message from the script:

 

Get-AzureADDirectoryRoleMember : Cannot bind argument to parameter 'ObjectId' because it is null.
At line:29 char:47
+ ... -AzureADDirectoryRoleMember -ObjectId $upn.userPrincipalName | selec ...
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureADDirectoryRoleMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.GetAzureADDirectoryRoleMembers

 

I can tell I am not using the correct parameters and/or arguments with Get-AzureADDirectoryRoleMember. Any assistance is welcome.

2 Replies

  • Thabs15 

    Hi

    $upn = (Get-AzureADUser -ObjectId $user).userPrincipalName

    In the above line, it fetches the userPrincipalName and assigns it to the $upn string variable.

    Get-AzureADDirectoryRoleMember  -ObjectId $upn.userPrincipalName | select @{e={$role.userPrincipalName}}, userPrincipalName}

    In the above line, you are accessing the userPrincipalName from the $upn string variable.

     

    Get-AzureADDirectoryRoleMember : Cannot bind argument to parameter 'ObjectId' because it is null.
    At line:29 char:47
    + ... -AzureADDirectoryRoleMember -ObjectId $upn.userPrincipalName | selec ...
    + ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-AzureADDirectoryRoleMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.GetAzureADDirectoryRoleMembers

     

    Because $upn is a string variable and is being accessed as an object, null is passed to the Get-AzureADDirectoryRoleMember -ObjectId parameter.

     

    Replace $upn.userPrincipalName with $upn on line number 11.

     

    Please mark answer as "Best Response" if it solves your problem.

     

    Regards

    Raviraj.

     

    • 
      Thabs15
      Copper Contributor

      Raviraj_Nallasivam 

       

      Thank you for your response

       

      I tried your suggestion and I now get the error message below, which I have been looking up to see if I can figure it out.

       

      # Loop through each conditional access policy and get which users are excluded from each policy and their directory roles
      foreach ($user in ($_.Conditions).Users.ExcludeUsers) {
          $upn = (Get-AzureADUser -ObjectId $user).userPrincipalName
          $roles = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $role }
          Get-AzureADDirectoryRoleMember -ObjectId $upn | Where-Object { $_.TargetName -eq $upn }

          New-Object -TypeName PSObject -Property @{
              ID                           = $_.Id
              DisplayName                  = $_.DisplayName
              Policy_State                 = $_.State
              TargetType                   = 'User'
              TargetName                   = $upn
              AzureADRoles                 = $roles
          }

      }

       

      Get-AzureADDirectoryRoleMember : Error occurred while executing GetAzureADDirectoryRoleMembers

      Code: Request_BadRequest
      Message: Invalid object identifier 'example_account@contoso.com'.
      RequestId: 290*9ff6-***-4883-8a52-***
      DateTimeStamp: Thu, 23 Mar 2023 13:31:48 GMT
      HttpStatusCode: BadRequest
      HttpStatusDescription: Bad Request
      HttpResponseStatus: Completed
      At line:28 char:5
      +     Get-AzureADDirectoryRoleMember -ObjectId $upn | Where-Object {$_. ...
      +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-AzureADDirectoryRoleMember], ApiException
          + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetAzureADDirectoryRoleMembers

       

      Note: I retracted the color text
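Both errors in this thread come from handing a user (first a null property, then a UPN) to Get-AzureADDirectoryRoleMember, whose -ObjectId is the object id of a directory role, not of a user. The script below is an added example, not code from either poster: it enumerates each activated role once, indexes its members by UPN, and then reports the roles of every user excluded from an enabled Conditional Access policy; it assumes Connect-AzureAD has already been run. Only active (permanent or currently activated) members are returned by this cmdlet, so PIM-eligible assignments are not covered here.

```powershell
# Added example (not the thread's own script). Assumes Connect-AzureAD has already run.

# Get-AzureADDirectoryRoleMember takes the ROLE's ObjectId and returns its members,
# so query each activated role once and index the user members by UPN.
$rolesByUpn = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if ($member.ObjectType -ne 'User') { continue }   # skip groups / service principals
        $memberUpn = $member.UserPrincipalName
        if (-not $rolesByUpn.ContainsKey($memberUpn)) {
            $rolesByUpn[$memberUpn] = New-Object System.Collections.Generic.List[string]
        }
        $rolesByUpn[$memberUpn].Add($role.DisplayName)
    }
}

# ExcludeUsers holds object ids, but may also contain the special value
# 'GuestsOrExternalUsers', which Get-AzureADUser cannot resolve, so only GUIDs are looked up.
$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

$report = Get-AzureADMSConditionalAccessPolicy |
    Where-Object { $_.State -ne 'disabled' } |
    ForEach-Object {
        $policy = $_   # keep a handle, because $_ changes inside nested pipelines
        foreach ($userId in $policy.Conditions.Users.ExcludeUsers) {
            if ($userId -notmatch $guidPattern) { continue }
            $upn = (Get-AzureADUser -ObjectId $userId).UserPrincipalName

            $roleList = ''
            if ($rolesByUpn.ContainsKey($upn)) { $roleList = $rolesByUpn[$upn] -join '; ' }

            [pscustomobject]@{
                ID           = $policy.Id
                DisplayName  = $policy.DisplayName
                Policy_State = $policy.State
                TargetType   = 'User'
                TargetName   = $upn
                AzureADRoles = $roleList
            }
        }
    }

# Excluded users who also hold an admin role are the ones to review first.
$report | Where-Object { $_.AzureADRoles } | Sort-Object TargetName | Format-Table -AutoSize
```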
