Forum Discussion
PowerShell Script to get Conditional Access Properties
Hi
$upn = (Get-AzureADUser -ObjectId $user).userPrincipalName
In the above line, it fetches the userPrincipalName and assigns to $upn string variable.
Get-AzureADDirectoryRoleMember -ObjectId $upn.userPrincipalName | select @{e={$role.userPrincipalName}}, userPrincipalName}
In the above line, you are accessing the userPrincipalName from the $upn string variable.
Get-AzureADDirectoryRoleMember : Cannot bind argument to parameter 'ObjectId' because it is null.
At line:29 char:47
+ ... -AzureADDirectoryRoleMember -ObjectId $upn.userPrincipalName | selec ...
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-AzureADDirectoryRoleMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.AzureAD16.PowerShell.GetAzureADDirectoryRoleMembers
Because $upn is a string variable and you are accessing it as an object, null is passed to the Get-AzureADDirectoryRoleMember -ObjectId parameter.
Replace $upn.userPrincipalName with $upn in line number 11.
Please mark answer as "Best Response" if it solves your problem.
Regards
Raviraj.
- Thabs15, Apr 03, 2023, Copper Contributor
Thank you for your response
I tried your suggestion and I now get the error message below which I have been looking up to see if I can figure it out.
# Loop through each conditional access policy and get which users are excluded from each policy and their directory roles
foreach($user in ($_.Conditions).Users.ExcludeUsers){
    $upn = (Get-AzureADUser -ObjectId $user).userPrincipalName
    $roles = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq $role}
    Get-AzureADDirectoryRoleMember -ObjectId $upn | Where-Object {$_.TargetName -eq $upn}
    New-object -typename PSobject -property @{
        ID = $_.Id
        DisplayName = $_.DisplayName
        Policy_State = $_.State
        TargetType = 'User'
        TargetName = $upn
        AzureADRoles = $roles
    }
}

Get-AzureADDirectoryRoleMember : Error occurred while executing GetAzureADDirectoryRoleMembers
Code: Request_BadRequest
Message: Invalid object identifier '<help>example_account</help>@contoso.com'.
RequestId: 290*9ff6-***-4883-8a52-***
DateTimeStamp: Thu, 23 Mar 2023 13:31:48 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:28 char:5
+     Get-AzureADDirectoryRoleMember -ObjectId $upn | Where-Object {$_. ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADDirectoryRoleMember], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetAzureADDirectoryRoleMembers

Note: I retracted the color text
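The Request_BadRequest error above comes from passing a user principal name where Get-AzureADDirectoryRoleMember expects a directory role's ObjectId. The following is an added example, not code from either poster: it builds the role membership map once from the role ObjectIds, then walks every Conditional Access policy's ExcludeUsers list and reports which directory roles each excluded account holds, so privileged exclusions can be reviewed. It assumes the AzureAD module is loaded, Connect-AzureAD has been run, and that policies come from Get-AzureADMSConditionalAccessPolicy.

```powershell
# Added example (not from the thread): audit Conditional Access exclusions for role holders.
# Assumes Connect-AzureAD has already been run in this session.

# Build the role membership map once: role DisplayName -> array of member ObjectIds.
# Get-AzureADDirectoryRoleMember takes the ROLE's ObjectId, not a user's UPN.
$roleMembers = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    $roleMembers[$role.DisplayName] = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Select-Object -ExpandProperty ObjectId)
}

$report = foreach ($policy in Get-AzureADMSConditionalAccessPolicy) {
    foreach ($userId in $policy.Conditions.Users.ExcludeUsers) {
        # ExcludeUsers holds object ids, or keywords such as 'GuestsOrExternalUsers'; skip non-GUID entries.
        if ($userId -notmatch '^[0-9a-f-]{36}$') { continue }

        # A policy can still reference a deleted account; skip those instead of failing the loop.
        $user = Get-AzureADUser -ObjectId $userId -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        # Names of every role whose member list contains this user's ObjectId.
        $heldRoles = $roleMembers.Keys | Where-Object { $roleMembers[$_] -contains $user.ObjectId }

        [PSCustomObject]@{
            PolicyId     = $policy.Id
            PolicyName   = $policy.DisplayName
            PolicyState  = $policy.State
            TargetType   = 'User'
            TargetName   = $user.UserPrincipalName
            AzureADRoles = ($heldRoles -join '; ')
        }
    }
}

# Excluded accounts that hold any directory role are the ones to review first.
$report | Where-Object { $_.AzureADRoles } | Sort-Object PolicyName, TargetName | Format-Table -AutoSize
```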