Forum Discussion

ndubs's avatar
ndubs
Copper Contributor
May 13, 2021

M365/AzureAD Equivalent Powershell Command for Get-ADPrincipalGroupMembership

 

My question is, does a cmdlet exist that does the equivalent function of Get-ADPrincipalGroupMembership for M365 or AzureAD, and if not is there a way to achieve a similar functionality without enumerating and comparing every single group in a tenant.

 

I administrate a large number of Microsoft 365 tenants as well as local Active Directory for many companies. As part of this I frequently have to add/move/change user accounts. I have automated a fair amount of these changes via PowerShell with the Msol and ExchangeOnline modules. I have run into a road block however with updating a single user's group memberships. For on-premise AD, there exists the Get-ADPrincipalGroupMembership cmdlet, which allows me to specify a user and then returns all groups they are part of. I want to do the same thing with M365 and groups of all types (distribution, security, M365, etc.) but have been unable to find a cmdlet in any module that can do this.

 

I have looked at using the Get-MsolGroups and the Get-UnifiedGroups cmdlets to enumerate the entire tenant's groups to an array, then use Get-MsolGroupMember and the Get-UnifiedGroupLinks to run a comparison of every single member of every group against the user I am looking for. This method is overly complex, and drastically increases program runtime as it scans through many thousands of entries just to find the 5 or 10 I'm looking for.

 

I know this is possible at least in some sense, because both the AzureAD and the general M365 admin center GUI's are able to instantly pull up all of a user's group memberships when looking at the account. It may just be Microsoft has not yet built/made available a PowerShell cmdlet that utilizes this functionality.

 

Any insight would be appreciated!

 

Thanks

  • For Exchange Online, use this:

    Get-Recipient -Filter "Members -eq 'CN=user,OU=domain.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"

    where you need to specify the DistinguishedName of the user. If you prefer using Azure AD cmdlets:

    Get-AzureADUser -ObjectId 58ab2b38-818c-4b85-8871-c9766cb4791b | Get-AzureADUserMembership

    Or better yet use Graph: https://www.michev.info/Blog/Post/2331/graph-api-adds-support-for-transitive-membership-queries
    • ndubs's avatar
      ndubs
      Copper Contributor

      VasilMichevPerfect, thank you so much. Not sure how I missed the Get-AzureADUserMembership cmdlet, but it was exactly what I was looking for.

Resources