Introduction
In this post, we’ll explore how to use PowerShell and Microsoft Graph to automate group membership checks in Microsoft Entra ID (Azure Active Directory), supporting the implementation of Conditional Access rules.
Verifying Group Memberships for Conditional Access
One day I needed to check whether users matching specific keywords were members of certain groups that are used in Conditional Access policies. The general recommendation is to use dynamic groups wherever possible, because they update membership automatically based on user or device properties. In this case, however, I wanted a quick verification to see whether there was any configuration drift that required changes.
This verification matters because a user who should be subject to specific restrictions but is missing from the right group will not be covered by the corresponding Conditional Access rules, which is a potential security gap.
Automating this process with PowerShell and Microsoft Graph allows for:
- Searching for users based on specific criteria
- Checking their membership in required security groups
- Identifying discrepancies that could affect Conditional Access policies
Prerequisites
Before running the script, ensure you have:
- PowerShell 5.1 or PowerShell 7
- Microsoft Graph PowerShell SDK installed
- Appropriate permissions in Microsoft Entra ID to read user and group information
The PowerShell Script for Microsoft Entra ID Group Checks
Here’s a script that uses PowerShell and Microsoft Graph to automate group membership checks in Microsoft Entra ID:
# Connect to Microsoft Graph with read-only scopes for users and groups
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"

# Define the search query with a keyword (replace with your own search term)
$KeyWord = "your_search_term"
$SearchQuery = '"displayName:{0}" OR "mail:{0}" OR "userPrincipalName:{0}" OR "givenName:{0}" OR "surname:{0}" OR "otherMails:{0}"' -f $KeyWord

# Get the users matching the search query
# (-Search requires -ConsistencyLevel eventual; -All pages through every result)
$Users = Get-MgUser -Property "id,displayName,userPrincipalName,userType,onPremisesSyncEnabled,identities,companyName,creationType" -ConsistencyLevel eventual -Search $SearchQuery -All

# Define the ID of the group used by the Conditional Access policy
$GroupId = "your_group_id_here"

# Get all group members. -All is required: without it only the first page of
# members is returned, and users on later pages would be reported as non-members.
$GroupMembers = Get-MgGroupMember -GroupId $GroupId -All

# Create an array to store the results
$NonMembers = @()

# Check each user and add non-members to the array
foreach ($User in $Users) {
    if ($GroupMembers.Id -notcontains $User.Id) {
        $NonMembers += [PSCustomObject]@{
            UserId            = $User.Id
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            UserType          = $User.UserType
            CompanyName       = $User.CompanyName
            CreationType      = $User.CreationType
        }
    }
}

# Display the results
if ($NonMembers.Count -gt 0) {
    Write-Host "The following users are not members of the specified group:" -ForegroundColor Yellow
    $NonMembers | Format-Table -AutoSize
} else {
    Write-Host "All users from the search query are already members of the specified group." -ForegroundColor Green
}

# Display the count of non-members
Write-Host "Total number of users not in the group: $($NonMembers.Count)" -ForegroundColor Cyan
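The script above compares the search results against the direct members of a single group. Two things a practitioner usually wants on top of that are checking several Conditional Access groups in one pass and counting nested membership, since Get-MgGroupMember returns direct members only and a user placed in the target group through a nested security group would otherwise be flagged as drift. The following function is an added example written for this post, not the original script: it uses Get-MgGroupTransitiveMember with -All, builds one lookup set per group, and emits one object per user-and-group gap so the output can be piped to Format-Table or Export-Csv. The function name Get-CaGroupDrift, the keyword and group IDs are assumptions; it expects an existing Connect-MgGraph session with User.Read.All and Group.Read.All.

```powershell
# Added example (not the post's own script). Assumes the Microsoft.Graph.Users and
# Microsoft.Graph.Groups modules are installed and Connect-MgGraph has already been
# run with User.Read.All and Group.Read.All. Keyword and group IDs are placeholders.

function Get-CaGroupDrift {
    <#
    .SYNOPSIS
    Reports users matching a keyword who are missing from one or more Conditional
    Access groups, evaluating transitive (nested) membership and paging all results.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $KeyWord,
        [Parameter(Mandatory)] [string[]] $GroupId
    )

    # Same search approach as the post: keyword across several identity attributes.
    $search = '"displayName:{0}" OR "mail:{0}" OR "userPrincipalName:{0}"' -f $KeyWord
    $users  = Get-MgUser -Property "id,displayName,userPrincipalName,userType,accountEnabled" `
                         -ConsistencyLevel eventual -Search $search -All

    # One hash set of member object IDs per group, built from the transitive member
    # list so that users reached through nested groups count as members.
    $memberSets = @{}
    foreach ($gid in $GroupId) {
        $group = Get-MgGroup -GroupId $gid -Property "id,displayName"
        $ids   = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
        Get-MgGroupTransitiveMember -GroupId $gid -All | ForEach-Object { [void]$ids.Add($_.Id) }
        $memberSets[$gid] = [PSCustomObject]@{ DisplayName = $group.DisplayName; Ids = $ids }
    }

    # Emit one record per (user, group) pair where the user is not a member.
    foreach ($user in $users) {
        foreach ($gid in $GroupId) {
            $set = $memberSets[$gid]
            if (-not $set.Ids.Contains($user.Id)) {
                [PSCustomObject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    DisplayName       = $user.DisplayName
                    UserType          = $user.UserType
                    AccountEnabled    = $user.AccountEnabled
                    MissingFromGroup  = $set.DisplayName
                    GroupId           = $gid
                }
            }
        }
    }
}

# Usage (placeholder values): check drift across two Conditional Access groups
# and keep a CSV for follow-up with the group owners.
$drift = Get-CaGroupDrift -KeyWord "contractor" -GroupId "<group-id-1>", "<group-id-2>"
$drift | Format-Table -AutoSize
$drift | Export-Csv -Path .\ca-group-drift.csv -NoTypeInformation
```

The hash set keeps the membership test O(1) per user, which matters once groups reach tens of thousands of members; the original -notcontains scan is fine for small groups but scales with the product of users and members. Including accountEnabled in the output lets you separate disabled accounts, which usually do not need remediation, from active users who genuinely fall outside the policy.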
Conclusion
This PowerShell script, using Microsoft Graph, automates group membership checks in Microsoft Entra ID. By using this automation, you can:
- Improve the security of your Microsoft Entra ID environment
- Ensure Conditional Access rules are applied consistently
- Reduce time spent on manual group membership audits
- Maintain better control over user access in your ecosystem
While this script is useful for quick checks and verifications, remember that dynamic group memberships in Microsoft Entra ID offer a more sustainable, long-term solution for managing group memberships based on user attributes. Consider implementing dynamic groups where possible to reduce the need for manual checks and updates.