Forum Discussion
Find/Replace AD Groups across tenant
Hi All,
We are going through an on-prem Active Directory domain flattening, from many domains into one single domain. We currently have AD groups from the various on-prem domains syncing to Azure AD and using these for SharePoint security. When we migrate these AD groups to the single domain and sync to Azure AD it will become a different/new group in Azure AD.
We have roughly 700 of these AD groups and thousands of sites that could potentially be using these AD groups in permissioning. Has anyone done anything like this, or has used PowerShell to basically find and replace, i.e. add ADGroupB in all site permissions areas where ADGroupA exists?
We have ShareGate as well, but I'm not familiar enough with it to know if it has any functionality to help us here.
Thanks,
Dustin
Unfortunately when adding an AD group as a member to a SharePoint site, it's seen as a Person and not as an AD group. So distinguishing it is going to be hard. I did a blog post about something similar last year which you can modify; this iterates all the groups and checks if the ID exists in the member list for each site. What I did was export to CSV and not delete them, so you can modify it. I added the snippet below:
https://yourmodernworkplace.com/blog/List-All-AD-Groups-From-All-SharePoint-Sites
Import-Module Microsoft.Graph.Groups
Connect-Graph -Scopes "Group.Read.All","Directory.Read.All"
# Get every Azure AD group (Get-AzureADGroup from the AzureAD module works as an alternative)
$getAllADGroups = Get-MgGroup -All
# Replace TENANT with your own tenant name
Connect-PnPOnline -Url "https://TENANT-admin.sharepoint.com/" -Interactive
#Get All Site collections data and export to CSV
$getAllSites = Get-PnPTenantSite
$results = foreach($site in $getAllSites.Url) {
    #Connect to PnP Online
    Connect-PnPOnline -Url $site -Interactive
    #sharepoint online pnp powershell get group members
    $getAllMembers = Get-PnPGroup | Get-PnPGroupMember
    $getAllADGroups.Id | ForEach-Object {
        # an AD group shows up in a member's LoginName as 'c:0t.c|tenant|<objectId>'
        if ($getAllMembers.LoginName -match $_) {
            #Do your thing
            Write-Host "$site contains the AD group [$_]"
            [PSCustomObject]@{ Site = $site; GroupId = $_ }
        }
    }
}
$results | Export-Csv -Path getAllSitesWithADGroup.csv -NoTypeInformation
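Building on the finder above, here is an added example (not from the blog post or the thread) of the "add ADGroupB wherever ADGroupA exists" step the question asks for. It assumes PnP.PowerShell, an admin URL with a placeholder tenant name, and a CSV you build yourself (GroupMap.csv, columns OldObjectId and NewObjectId holding the Azure AD object IDs of each old/new group pair); it runs as a report-only dry run unless -Apply is given and logs every decision to CSV.

```powershell
# Added example: add the re-synced group next to the old one in every SharePoint
# group where the old one is a member. Dry run unless -Apply is passed.
param(
    [string]$AdminUrl = "https://TENANT-admin.sharepoint.com/",  # placeholder tenant
    [string]$MapPath  = ".\GroupMap.csv",                         # your OldObjectId,NewObjectId map
    [switch]$Apply
)
$map = Import-Csv $MapPath
$log = New-Object System.Collections.Generic.List[object]
Connect-PnPOnline -Url $AdminUrl -Interactive
$sites = Get-PnPTenantSite
foreach ($site in $sites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    foreach ($grp in Get-PnPGroup) {
        $members = Get-PnPGroupMember -Group $grp
        foreach ($pair in $map) {
            # Azure AD security groups appear in SharePoint Online as the claim
            # 'c:0t.c|tenant|<objectId>', so match on the object ID suffix.
            $old = $members | Where-Object { $_.LoginName -like "*|$($pair.OldObjectId)" }
            if (-not $old) { continue }
            $newClaim = "c:0t.c|tenant|$($pair.NewObjectId)"
            $already  = $members | Where-Object { $_.LoginName -eq $newClaim }
            $action = if ($already) { 'AlreadyPresent' }
                      elseif ($Apply) { 'Added' }
                      else { 'WouldAdd' }
            if ($action -eq 'Added') {
                Add-PnPGroupMember -Group $grp -LoginName $newClaim
            }
            $log.Add([PSCustomObject]@{
                Site     = $site.Url
                SPGroup  = $grp.Title
                OldGroup = ($old.LoginName -join ';')
                NewGroup = $newClaim
                Action   = $action
            })
        }
    }
}
# Review this file before re-running with -Apply, and again before removing the old groups
$log | Export-Csv -Path .\GroupReplaceLog.csv -NoTypeInformation
```

This only covers membership of SharePoint groups; direct role assignments on webs, lists or items with unique permissions are not touched and need a separate pass. Remove the old group only after the log confirms the new one is in place everywhere, so access is duplicated for as short a window as possible.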
2 Replies
Dustin Dauphin
Thanks Nicolas, we will take a look at this and see if it can help us!