JimmyWork
Iron Contributor
Nov 08, 2024

Automating User Tags

When we create a custom user tag we can select a group and have all the users in the group tagged. However, if a user is removed from or added to that group at a later stage, the tag is not removed/added.

Is there a way to automate this?

The only thing I found is that this was previously on the roadmap but seems to have been removed?

https://m365admin.handsontek.net/microsoft-defender-for-office-365-tagging-support-for-groups/

https://learn.microsoft.com/en-us/defender-office-365/user-tags-about

If you assign a group to a user tag, members of the group at the time of tag creation are assigned the tag. Users later added to the group aren't automatically assigned the user tag.

    IemSaifi
    Brass Contributor

    Hi JimmyWork,

    I hope this works for you.

    Solution Overview

    1. Detect Group Membership Changes
      • Use a scheduled task or event-based mechanism to monitor changes in group membership.
      • Query the group regularly to compare its current members with the previously logged state.
    2. Update Tags Based on Membership
      • Automatically add or remove tags for users based on the detected membership changes.
    3. Tools/Approaches
      • PowerShell: For Microsoft environments like Azure AD or on-premises AD.
      • API Automation: If your platform supports REST or Graph API, you can script updates.
      • Third-Party Tools: Consider automation platforms like Microsoft Power Automate, Logic Apps, or custom scripts in Python or similar.

    PowerShell Example: Azure AD Dynamic Tagging

    If you're working in an Azure AD or Microsoft 365 environment:

    # Install AzureAD module if not already installed
    # (note: the AzureAD module is deprecated; Microsoft Graph PowerShell is its supported successor)
    Install-Module -Name AzureAD -Force

    # Connect to Azure AD
    Connect-AzureAD

    # Variables
    $GroupId = "<Your Group Object ID>"  # Replace with the Group Object ID
    $TagAttribute = "extensionAttribute1"  # Replace with your tagging attribute
    $TagValue = "YourTag"  # Replace with the value that marks a tagged user

    # Get Current Group Members (-All $true, otherwise only the first page is returned;
    # keep user objects only, since nested groups have no UserPrincipalName)
    $groupMembers = Get-AzureADGroupMember -ObjectId $GroupId -All $true |
        Where-Object { $_.ObjectType -eq "User" } |
        Select-Object -ExpandProperty UserPrincipalName

    # Iterate through the users to update tags
    foreach ($user in $groupMembers) {
        # Check if the user already has the tag (extension attributes are read from the ExtensionProperty dictionary)
        $userDetails = Get-AzureADUser -ObjectId $user
        if ($userDetails.ExtensionProperty[$TagAttribute] -ne $TagValue) {
            # Update the tag if not present
            Set-AzureADUser -ObjectId $user -ExtensionProperty @{ $TagAttribute = $TagValue }
            Write-Host "Tag added for $user"
        }
    }

    # Remove Tags for Users No Longer in Group
    # (filter client-side on the ExtensionProperty dictionary)
    $allTaggedUsers = Get-AzureADUser -All $true |
        Where-Object { $_.ExtensionProperty[$TagAttribute] -eq $TagValue } |
        Select-Object -ExpandProperty UserPrincipalName
    $usersToRemoveTag = $allTaggedUsers | Where-Object { $_ -notin $groupMembers }

    foreach ($user in $usersToRemoveTag) {
        Set-AzureADUser -ObjectId $user -ExtensionProperty @{ $TagAttribute = $null }
        Write-Host "Tag removed for $user"
    }

    Can you try this? I hope this will work.
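Added example, not part of the thread or the poster's script: it applies the three steps of the solution overview to the built-in Defender for Office 365 Priority account tag, which Exchange Online PowerShell exposes through Set-User -VIP, reading group membership with Microsoft Graph PowerShell and keeping a JSON snapshot of the previous run so adds and removals are detected and logged. The group ID, the state-file path, the module scopes and the VIP property on Get-User output are assumptions to confirm in your own tenant; custom user tags are not covered.

```powershell
# Added example (not the poster's script): keep the Defender for Office 365 "Priority
# account" tag in step with an Entra ID group. Membership comes from Microsoft Graph
# PowerShell; the tag is set with Exchange Online's Set-User -VIP. A JSON snapshot of
# the previous run is kept so adds/removals can be detected and logged between runs.
# Assumed: Microsoft.Graph and ExchangeOnlineManagement are installed; the group ID,
# state path and the VIP property on Get-User output are placeholders/assumptions.
param(
    [string]$GroupId   = "<group-object-id>",                                 # placeholder
    [string]$StatePath = (Join-Path (Get-Location) "priority-tag-state.json"),
    [switch]$DryRun                                                            # report only
)

Connect-MgGraph -Scopes "GroupMember.Read.All","User.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Current membership, users only: a group may also contain groups, devices or
#    service principals, none of which has a mailbox to tag.
$current = @(Get-MgGroupMember -GroupId $GroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'].ToLower() } |
    Sort-Object -Unique)

# Snapshot from the last run (empty on the first run).
$previous = @()
if (Test-Path $StatePath) { $previous = @(Get-Content $StatePath -Raw | ConvertFrom-Json) }

$added   = @($current  | Where-Object { $_ -notin $previous })
$removed = @($previous | Where-Object { $_ -notin $current })

# 2. Change the tag only where membership changed, so every action is one audit line.
foreach ($upn in $added) {
    if ($DryRun) { Write-Host "[dry-run] would tag $upn"; continue }
    Set-User -Identity $upn -VIP $true
    Write-Host "Priority tag added:   $upn"
}
foreach ($upn in $removed) {
    if ($DryRun) { Write-Host "[dry-run] would untag $upn"; continue }
    Set-User -Identity $upn -VIP $false
    Write-Host "Priority tag removed: $upn"
}

# 3. Drift check: users tagged outside the group are reported, never silently changed.
$taggedNow = Get-User -ResultSize Unlimited | Where-Object { $_.VIP } |
    ForEach-Object { $_.UserPrincipalName.ToLower() }
$taggedNow | Where-Object { $_ -notin $current } |
    ForEach-Object { Write-Warning "Tagged but not in the group (tagged manually?): $_" }

# Persist the snapshot for the next comparison.
if (-not $DryRun) { ConvertTo-Json -InputObject $current | Set-Content $StatePath }
```

Run it once with -DryRun to see what would change before letting a scheduled task apply it; the Get-User enumeration in step 3 reads every recipient and is the slow part in a large tenant.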
