Forum Discussion
See groups membership of a list of users
- Aug 22, 2022
Hi,
The easy answer is that you're trying to get the UserPrincipalName of the Group rather than the user, which returns null because the group doesn't have a UserPrincipalName.
As the variable $_ has already been overwritten by Get-AzureAdUsermembership, you can't really reference back.
I have written a PowerShell script that would do the job and shared it on GitHub:
https://github.com/Raindrops-dev/RAIN-TechCommunityContributions/blob/main/Get-AzureAdGroupMembership.ps1
Check it out and let me know if it fits your requirements.
EDIT: Apparently I was too slow and LainRobertson already came up with a more modern solution!
I used:
Connect-Graph -Scopes User.ReadWrite.All, Organization.Read.All
Select-MgProfile -Name "beta"
but still getting this privileges error:
Get-MgDirectoryObject : Insufficient privileges to complete the operation.
At line:13 char:21
+ Get-MgDirectoryObject -DirectoryObjectId "$_" |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ DirectoryObje...ndProperty = }:<>f__AnonymousType2`3) [Get-MgDirectoryObject_Get1], RestException`1
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgDirectoryObject_Get1
Get-MgDirectoryObject : Insufficient privileges to complete the operation.
At line:13 char:21
It never asked me for any tenant credentials.
Id DeletedDateTime
-- ---------------
xxx
I have the permissions to run it individually
- LainRobertson, Aug 22, 2022, Silver Contributor
If your account has the necessary rights, you can just leave -Scopes out.
That said, you can run Connect-MgGraph as many times in a row as you like to change the -Scopes specification (i.e. you don't have to keep disconnecting and logging back on.)
If leaving -Scopes out doesn't work for you, then put it back in with the following scope:
- Directory.Read.All
You don't really need write access for this script, and neither of the two scopes you provided is broad enough for running Get-MgDirectoryObject.
Cheers,
Lain
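The two points raised in this thread (the pipeline variable no longer referring to the user, and the read-only scope being sufficient) combined in one sketch. This is an added example, not code from any poster or from the linked GitHub script; the UPN list and variable names are constructed placeholders, and it assumes the Microsoft.Graph PowerShell module is installed.

```powershell
# Constructed sample input: replace with the real list of user principal names.
$userPrincipalNames = @(
    'alice@contoso.example',
    'bob@contoso.example'
)

# Read-only scope named in the thread; no write scope is requested.
$requiredScope = 'Directory.Read.All'
Connect-MgGraph -Scopes $requiredScope | Out-Null

# Confirm the session token carries the scope before querying, so a missing
# consent shows up here rather than as Authorization_RequestDenied per object.
# (Deliberately strict: a broader scope alone will also trip this check.)
$granted = (Get-MgContext).Scopes
if ($granted -notcontains $requiredScope) {
    throw "Token is missing $requiredScope. Granted: $($granted -join ', ')"
}

$report = foreach ($upn in $userPrincipalNames) {
    try {
        # Named loop variables: $upn stays the user, $member is the directory object,
        # so the user's UPN is never lost to an overwritten $_.
        $members = Get-MgUserMemberOf -UserId $upn -All -ErrorAction Stop
    }
    catch {
        Write-Warning "Lookup failed for ${upn}: $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        # memberOf also returns directory roles and administrative units; keep groups only.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
        [pscustomobject]@{
            UserPrincipalName = $upn
            GroupId           = $member.Id
            GroupDisplayName  = $member.AdditionalProperties['displayName']
        }
    }
}

$report | Sort-Object UserPrincipalName, GroupDisplayName | Format-Table -AutoSize
```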