Forum Discussion

kleblanc4951
Copper Contributor
Sep 14, 2022

Powershell to compare groups and add users based on comparison

I am not a script writer and I'm looking for a way to take a security group that was created in Azure AD and update a distribution group with any additions/deletions made to that group.  The situation is this, the user that created the group wants that group to also be able to get email, but does not want to update two lists.  The way the security group has been created there is no way we can convert it to a mail-enabled security group and we cannot make a dynamic distribution group for this purpose since the attributes that can be used for that are not available in the security group.  I've spoken to Microsoft concerning this and they also say that there's no way to achieve my goal based on the current group we have.  My thought is that if I can create a script that will compare the two groups and update the distribution group based on the security group users, this could be a script that we run regularly to update that list without manually adding them to both lists.  

To get the members for the security group I used this command:

 Get-AzureADGroupMember -ObjectId "73a2e3e3-21f2-4856-8651-4a03a980014f" -All $true | select DisplayName, UserPrincipalName

To get the members of the distribution group I used this command:

Get-DistributionGroupMember -Identity "iPhone Notifications" | select Identity, PrimarySMTPAddress

What I need now is for the UserPrincipalName from the first command and the PrimarySMTPAddress from the second command to be compared.  Then any address that is listed in the AzureAD group and not in the distribution group needs to be added to the distribution group and any address that is in the distribution group and not in the AzureAD group to be removed from the distribution group.

I would appreciate any assistance anyone can provide.  Thank you.

  • AndySvints
    Steel Contributor

    Hello kleblanc4951,

    You can use Compare-Object and then based on the SideIndicator remove or add members to Distribution list. 

    Quick and dirty way would be something like this:

    # Members of the Azure AD security group (the source of truth)
    $AzADGroup=Get-AzureADGroupMember -ObjectId "73a2e3e3-21f2-4856-8651-4a03a980014f" -All $true | select DisplayName, UserPrincipalName
    # Current members of the distribution list (the target)
    $DL=Get-DistributionGroupMember -Identity "iPhone Notifications" | select Identity, PrimarySMTPAddress

    # Compare-Object is case-insensitive by default; it assumes each user's UPN
    # equals their primary SMTP address, which is common but not guaranteed.
    $Comparison=Compare-Object -ReferenceObject $AzADGroup.UserPrincipalName -DifferenceObject $DL.PrimarySMTPAddress

    foreach ($i in $Comparison){
        if($i.SideIndicator -eq "=>"){
            # Listed in DL but not in AzureADGroup
            # Remove from DL membership (Remove-DistributionGroupMember)
            Write-Output "Remove $($i.InputObject) from DL"
        }elseif($i.SideIndicator -eq "<="){
            # Listed in AzureAD but not in DL
            # Add to DL membership (Add-DistributionGroupMember)
            Write-Output "Add $($i.InputObject) to DL"
        }
    }

    Hope that helps.
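The following is an added, complete version of the one-way sync sketched in the answer above; it is example code, not part of the original thread or either poster's script. It assumes the AzureAD and ExchangeOnlineManagement modules are loaded and that Connect-AzureAD and Connect-ExchangeOnline have already been run; the group object ID is a placeholder. It goes beyond the sketch in three ways a practitioner would want: it skips non-user members (nested groups and devices have no UPN), it compares primary SMTP addresses on both sides rather than UPN against SMTP, and it refuses to run when the source group resolves to nobody, since an empty source would otherwise empty the distribution group.

```powershell
# Added example: one-way sync of a distribution group from an Azure AD security group.
# Assumes Connect-AzureAD and Connect-ExchangeOnline have already succeeded.
# $SecurityGroupId is a placeholder; replace with the real group object ID.
param(
    [string]$SecurityGroupId   = "<security-group-object-id>",
    [string]$DistributionGroup = "iPhone Notifications",
    [switch]$Commit   # without -Commit the script only reports what it would change
)

# Only user objects carry a UserPrincipalName; nested groups, devices and
# service principals are skipped deliberately.
$sourceUsers = Get-AzureADGroupMember -ObjectId $SecurityGroupId -All $true |
    Where-Object { $_.ObjectType -eq 'User' -and $_.UserPrincipalName }

# Resolve each source user to a mail recipient so both sides are compared on
# primary SMTP address. UPN and primary SMTP are often identical but need not be.
$sourceAddresses = foreach ($u in $sourceUsers) {
    $r = Get-Recipient -Identity $u.UserPrincipalName -ErrorAction SilentlyContinue
    if ($r) {
        $r.PrimarySmtpAddress.ToString().ToLowerInvariant()
    } else {
        Write-Warning "No mail recipient found for $($u.UserPrincipalName); skipped"
    }
}

$targetAddresses = Get-DistributionGroupMember -Identity $DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress } |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() }

# Compare-Object throws if either side is $null, so force arrays. Abort if the
# source is empty: a misconfigured or inaccessible source group must not be
# allowed to strip every member from the distribution group.
$sourceAddresses = @($sourceAddresses | Sort-Object -Unique)
$targetAddresses = @($targetAddresses | Sort-Object -Unique)
if ($sourceAddresses.Count -eq 0) {
    throw "Source group resolved to zero mail-enabled users; aborting rather than clearing '$DistributionGroup'."
}

$diff     = Compare-Object -ReferenceObject $sourceAddresses -DifferenceObject $targetAddresses
$toAdd    = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | Select-Object -ExpandProperty InputObject)
$toRemove = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | Select-Object -ExpandProperty InputObject)

Write-Output ("Source: {0}  Target: {1}  Add: {2}  Remove: {3}" -f
    $sourceAddresses.Count, $targetAddresses.Count, $toAdd.Count, $toRemove.Count)

foreach ($addr in $toAdd) {
    if ($Commit) {
        Add-DistributionGroupMember -Identity $DistributionGroup -Member $addr -ErrorAction Stop
    }
    Write-Output "ADD    $addr"
}
foreach ($addr in $toRemove) {
    if ($Commit) {
        Remove-DistributionGroupMember -Identity $DistributionGroup -Member $addr -Confirm:$false -ErrorAction Stop
    }
    Write-Output "REMOVE $addr"
}
```

Run it once without -Commit and read the ADD/REMOVE lines before scheduling it with -Commit; the removal branch is the destructive half, which is why the script defaults to a dry run and refuses an empty source. The AzureAD module used here and in the thread has since been deprecated in favour of Microsoft Graph PowerShell; the membership logic is unchanged if Get-AzureADGroupMember is swapped for Get-MgGroupMember.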

    • kleblanc4951
      Copper Contributor

      AndySvints 

      Thanks so much for the information!  I will play around with that for a bit and see what I can do.  For the moment I'm exporting the list of members from the security group then using Update-DistributionGroupMember to update the distribution group by importing the list.  
