Microsoft Entra ID: Automating Group Checks for Conditional Access with PowerShell and Microsoft Graph

Introduction

In this post, we’ll explore how to use PowerShell and Microsoft Graph to automate group membership checks in Microsoft Entra ID (Azure Active Directory), supporting the implementation of Conditional Access rules.

Verifying Group Memberships for Conditional Access

One day I needed to check whether users matched by specific keywords were members of certain groups that are used in Conditional Access policies. The general recommendation is to use dynamic groups whenever possible, as they automatically update memberships based on user or device properties. However, in this case, I wanted to do a quick verification and see if there was any configuration drift that required changes.

This verification is important because if users who need specific restrictions aren’t in the right group, they won’t be subject to the correct Conditional Access rules, potentially creating security issues.

Automating this process with PowerShell and Microsoft Graph allows for:

  • Searching for users based on specific criteria
  • Checking their membership in required security groups
  • Identifying discrepancies that could affect Conditional Access policies

Prerequisites

Before running the script, ensure you have:

  • PowerShell 5.1 or PowerShell 7
  • Microsoft Graph PowerShell SDK installed
  • Appropriate permissions in Microsoft Entra ID to read user and group information

The PowerShell Script for Microsoft Entra ID Group Checks

Here’s a script that uses PowerShell and Microsoft Graph to automate group membership checks in Microsoft Entra ID:

<#
    =================================================================================
    DISCLAIMER:
    This script is provided "as-is" with no warranties. Usage of this script is at
    your own risk. The author is not liable for any damages or losses arising from
    using this script. Please review the full legal disclaimer at:
    https://kaidojarvemets.com/legal-disclaimer/
    =================================================================================
#>
# Connect to Microsoft Graph with read-only scopes for users and groups
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"

# Define the search query with keyword (the same keyword is matched against several attributes)
$KeyWord = "your_search_term"
$SearchQuery = '"displayName:{0}" OR "mail:{0}" OR "userPrincipalName:{0}" OR "givenName:{0}" OR "surname:{0}" OR "otherMails:{0}"' -f $KeyWord

# Get the users based on the search query (-Search requires -ConsistencyLevel eventual)
$Users = Get-MgUser -Property "id,displayName,userPrincipalName,userType,onPremisesSyncEnabled,identities,companyName,creationType" -ConsistencyLevel eventual -Search $SearchQuery -All

# Define the group ID
$GroupId = "your_group_id_here"

# Get the group members. -All is required: without it only the first page of members
# is returned and users beyond that page would be reported as non-members.
# Note: direct members only; nested group membership is not resolved here
# (Get-MgGroupTransitiveMember would cover that case).
$GroupMembers = Get-MgGroupMember -GroupId $GroupId -All

# Create an array to store the results
$NonMembers = @()

# Check each user and add non-members to the array
foreach ($User in $Users) {
    if ($GroupMembers.Id -notcontains $User.Id) {
        $NonMembers += [PSCustomObject]@{
            UserId            = $User.Id
            DisplayName       = $User.DisplayName
            UserPrincipalName = $User.UserPrincipalName
            UserType          = $User.UserType
            CompanyName       = $User.CompanyName
            CreationType      = $User.CreationType
        }
    }
}

# Display the results
if ($NonMembers.Count -gt 0) {
    Write-Host "The following users are not members of the specified group:" -ForegroundColor Yellow
    $NonMembers | Format-Table -AutoSize
} else {
    Write-Host "All users from the search query are already members of the specified group." -ForegroundColor Green
}

# Display the count of non-members
Write-Host "Total number of users not in the group: $($NonMembers.Count)" -ForegroundColor Cyan
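The script above checks one group by ID. As an added example that is not part of the original post, the following script goes one step further on the same idea: it reads the include and exclude groups directly from a named Conditional Access policy, resolves transitive (nested) membership, and reports both users missing from an include group and users present in an exclude group, since either case means the policy does not apply to them. It assumes the Microsoft.Graph PowerShell SDK cmdlets Get-MgIdentityConditionalAccessPolicy and Get-MgGroupTransitiveMember, the Policy.Read.All scope, and placeholder values for $PolicyName and $KeyWord.

```powershell
# Added example (not the original post's script). Assumes Microsoft.Graph SDK,
# Policy.Read.All for reading Conditional Access policies, and placeholder values.
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Policy.Read.All"

$PolicyName = "your_policy_display_name"   # placeholder
$KeyWord    = "your_search_term"           # placeholder

# Locate the policy by display name (client-side match avoids relying on $filter support)
$Policy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $Policy) { throw "Conditional Access policy '$PolicyName' not found." }

# Same keyword search as the original script, limited to the attributes we need
$SearchQuery = '"displayName:{0}" OR "userPrincipalName:{0}" OR "mail:{0}"' -f $KeyWord
$Users = Get-MgUser -ConsistencyLevel eventual -Search $SearchQuery -All `
    -Property "id,displayName,userPrincipalName"

# Include groups must contain the user; exclude groups must not. foreach over $null
# (a policy with no groups of one kind) simply iterates zero times.
$Checks = @(
    @{ Kind = "Include"; Ids = $Policy.Conditions.Users.IncludeGroups }
    @{ Kind = "Exclude"; Ids = $Policy.Conditions.Users.ExcludeGroups }
)

$Findings = foreach ($Check in $Checks) {
    foreach ($GroupId in $Check.Ids) {
        $GroupName = (Get-MgGroup -GroupId $GroupId).DisplayName
        # Transitive membership resolves nested groups, which Get-MgGroupMember does not
        $MemberIds = (Get-MgGroupTransitiveMember -GroupId $GroupId -All).Id
        foreach ($User in $Users) {
            $IsMember = $MemberIds -contains $User.Id
            if (($Check.Kind -eq "Include" -and -not $IsMember) -or
                ($Check.Kind -eq "Exclude" -and $IsMember)) {
                [PSCustomObject]@{
                    Finding           = if ($Check.Kind -eq "Include") { "MissingFromIncludeGroup" } else { "PresentInExcludeGroup" }
                    Group             = $GroupName
                    UserPrincipalName = $User.UserPrincipalName
                }
            }
        }
    }
}

if ($Findings) {
    Write-Host "Users for whom policy '$PolicyName' will not apply as intended:" -ForegroundColor Yellow
    $Findings | Sort-Object Finding, Group | Format-Table -AutoSize
} else {
    Write-Host "All matched users are covered by policy '$PolicyName'." -ForegroundColor Green
}
Write-Host "Total findings: $(@($Findings).Count)" -ForegroundColor Cyan
```

Exclude-group drift is worth the extra check because a user added to an exclusion group silently drops out of the policy's scope, which a plain include-group membership check would never surface.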

Conclusion

This PowerShell script, using Microsoft Graph, automates group membership checks in Microsoft Entra ID. By using this automation, you can:

  • Improve the security of your Microsoft Entra ID environment
  • Ensure Conditional Access rules are applied consistently
  • Reduce time spent on manual group membership audits
  • Maintain better control over user access in your ecosystem

While this script is useful for quick checks and verifications, remember that dynamic group memberships in Microsoft Entra ID offer a more sustainable, long-term solution for managing group memberships based on user attributes. Consider implementing dynamic groups where possible to reduce the need for manual checks and updates.
