Forum Discussion
See group membership of a list of users
- Aug 22, 2022
Hi,
The easy answer is that you're trying to get the UserPrincipalName of the Group rather than the user, which returns null because the group doesn't have a UserPrincipalName.
As the variable $_ has already been overwritten by Get-AzureADUserMembership, you can't really reference back.
I have written a PowerShell script that would do the job and shared it on GitHub:
Check it out and let me know if it fits your requirements.
EDIT: Apparently I was too slow and LainRobertson already came up with a more modern solution!
I also meant to add that you mentioned Exchange groups; however, if you use dynamic Exchange groups, you can't pull those from Azure AD. You'd need to use the Exchange Online module to fetch them and their memberships.
Cheers,
Lain
I used:
Connect-Graph -Scopes User.ReadWrite.All, Organization.Read.All
Select-MgProfile -Name "beta"
but I'm still getting this privileges error:
Get-MgDirectoryObject : Insufficient privileges to complete the operation.
At line:13 char:21
+ Get-MgDirectoryObject -DirectoryObjectId "$_" |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ DirectoryObje...ndProperty = }:<>f__AnonymousType2`3) [Get-MgDirectoryObject_Get1], RestException`1
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgDirectoryObject_Get1
Get-MgDirectoryObject : Insufficient privileges to complete the operation.
At line:13 char:21
It never asked me for any tenant credentials.
- Catarinagm Aug 22, 2022 Copper Contributor
PS C:\WINDOWS\system32> Get-MgDirectoryObject -DirectoryObjectId xxxx
Id DeletedDateTime
-- ---------------
xxx
I have the permissions to run it individually.
- LainRobertson Aug 22, 2022 Silver Contributor
If your account has the necessary rights, you can just leave -Scopes out.
That said, you can run Connect-MgGraph as many times in a row as you like to change the -Scopes specification (i.e. you don't have to keep disconnecting and logging back on.)
If leaving -Scopes out doesn't work for you, then put it back in with the following scope:
- Directory.Read.All
You don't really need write access for this script, and neither of the two scopes you provided are broad enough for running Get-MgDirectoryObject.
Cheers,
Lain
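As an added example (not the script shared in the thread), here is one way to pull the group memberships of a list of users with the Microsoft Graph PowerShell SDK: a named loop variable keeps the user in scope where $_ would otherwise be overwritten by the membership object, and only the read-only Directory.Read.All scope is requested, as suggested above. The sample user list, the tenant domain and the use of AdditionalProperties to read each object's type and display name are assumptions.

```powershell
# Added example, not the thread's script. Assumes the Microsoft.Graph module is
# installed and the signed-in account can consent to Directory.Read.All
# (read-only; no write scope is needed to list memberships).
Connect-MgGraph -Scopes "Directory.Read.All"

# Constructed sample input; replace with e.g. Get-Content .\users.txt
$users = @("alice@contoso.example", "bob@contoso.example")

$report = foreach ($upn in $users) {
    # $upn stays available inside the nested pipeline; $_ would not.
    try {
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not resolve ${upn}: $($_.Exception.Message)"
        continue
    }

    try {
        $memberships = Get-MgUserMemberOf -UserId $user.Id -All -ErrorAction Stop
    }
    catch {
        # A missing directory scope surfaces here as Authorization_RequestDenied,
        # the same error shown in the thread; skip the user instead of aborting.
        Write-Warning "Could not read memberships of ${upn}: $($_.Exception.Message)"
        continue
    }

    foreach ($m in $memberships) {
        # Get-MgUserMemberOf also returns directory roles and admin units;
        # keep only groups. Dynamic Exchange distribution groups are not in
        # Azure AD and will not appear here (see the note above on Exchange).
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            GroupId           = $m.Id
            GroupDisplayName  = $m.AdditionalProperties['displayName']
        }
    }
}

$report | Sort-Object UserPrincipalName, GroupDisplayName | Format-Table -AutoSize
```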