PowerShell Script to check if certain Azure AD users are in certain Azure AD groups

A bit of a mouthful that heading! Basically, we use Azure AD groups to manage certain aspects of our MEM deployment.

The script requires the AzureAD module (it checks for the module and, if you run the script as Admin, installs it; otherwise it prompts you to install it) and a CSV file with the users' UPNs in a column headed 'user'. Edit the variable $Groups to contain the groups you require.

The output is a CSV (written to C:\support\CheckOuput.csv) with a column for the user and a column for each group; each cell holds yes or no to say whether the user is in that group:


Add-Type -AssemblyName System.Windows.Forms # required for the file dialog
if (Get-Module -ListAvailable -Name AzureAD) {
    Write-Host "AzureAD module exists, loading"
    Import-Module AzureAD
}
else {
    # No module; does the user have admin rights to install it?
    Write-Host "AzureAD module does not exist, please install`r`n with Install-Module AzureAD" -ForegroundColor Red
    if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
        [Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Write-Host "Insufficient permissions to install module. Please run as an administrator and try again." -ForegroundColor DarkYellow
        return
    }
    else {
        Write-Host "Attempting to install Azure AD module" -ForegroundColor Cyan
        Install-Module AzureAD -Confirm:$False -Force
        Import-Module AzureAD
    }
}
Connect-AzureAD
$start = Get-Date
# Let's create an array of our groups
$Groups = @("Group1", "Group2", "Group3", "Group4", "Group5", "Group6")
# Next an array to hold the results
$Results = @()
# Now let's get the input file (the output path is set at the bottom of the script)
$FileBrowser = New-Object System.Windows.Forms.OpenFileDialog -Property @{
    InitialDirectory = [Environment]::GetFolderPath('Desktop')
    Filter = 'Spreadsheets (*.csv)|*.csv'
    Title = 'Select input file'
}
$null = $FileBrowser.ShowDialog()
$infile = $FileBrowser.FileName
if (-not $infile) {
    Write-Host "No input file selected, exiting" -ForegroundColor Red
    return
}
$users = @(Import-Csv -Path $infile)   # @() so .Count works when the CSV has a single row
# OK, now we have the users, let's cycle through and check if they are in the groups
$progress = 0
$secondsElapsed = New-TimeSpan          # a TimeSpan, so .ToString('hh\:mm\:ss') works on the first pass
$secondsRemaining = $null
ForEach ($user in $users) {
    $progress++
    $percentComplete = ($progress / $users.Count) * 100
    $progressParameters = @{
        Activity = "Working on Users [$($progress)/$($users.Count)] $($secondsElapsed.ToString('hh\:mm\:ss'))"
        Status = 'Processing'
        CurrentOperation = "Checking $($user.user)"
        PercentComplete = $percentComplete
    }
    # If we have an estimate for the time remaining, add it to the Write-Progress parameters
    if ($secondsRemaining) {
        $progressParameters.SecondsRemaining = $secondsRemaining
    }

    # Write the progress bar
    Write-Progress @progressParameters

    # -ObjectId accepts the UPN as well as the object GUID
    $userobjid = (Get-AzureADUser -ObjectId $user.user).ObjectId
    # Fetch the user's memberships once, rather than once per group
    $memberships = Get-AzureADUserMembership -ObjectId $userobjid
    $userobject = New-Object psobject
    $userobject | Add-Member -MemberType NoteProperty -Name "username" -Value $user.user
    foreach ($group in $Groups) {
        Write-Host "working on $group"
        # Match on display name (display names are not unique in Azure AD, so a
        # second group with the same name would also count as a match here)
        $isingroup = $memberships | Where-Object { $_.DisplayName -eq $group }
        if ($null -ne $isingroup) {
            $userobject | Add-Member -MemberType NoteProperty -Name $group -Value "yes"
        }
        else {
            $userobject | Add-Member -MemberType NoteProperty -Name $group -Value "no"
        }
    }
    $Results += $userobject
    $userobject = $null
    $secondsElapsed = (Get-Date) - $start
    $secondsRemaining = ($secondsElapsed.TotalSeconds / $progress) * ($users.Count - $progress)
}

$Results | Export-Csv -Path "C:\support\CheckOuput.csv" -NoTypeInformation
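As an added example (not the post's script), here is the same yes/no matrix built the other way round: each group name is resolved to an ObjectId once with an exact filter, that group's member list is pulled once, and every user is then tested against those sets. That means one membership call per group instead of one per user per group, and it refuses to guess when a display name matches zero or several groups. It assumes Connect-AzureAD has already run, takes the same $Groups and $users inputs as the post's script, and, like that script, only counts direct members.

```powershell
# Added example, not the post's code. Assumes Connect-AzureAD has already run.
function Get-GroupMembershipMatrix {
    param(
        [Parameter(Mandatory)] [string[]] $GroupNames,
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames
    )
    # Display names are not unique in Azure AD, so resolve each name with an
    # exact OData filter and skip it when zero or several groups match.
    $memberSets = [ordered]@{}            # ordered so CSV columns follow $GroupNames
    foreach ($name in $GroupNames) {
        $escaped = $name -replace "'", "''"   # escape single quotes for the filter
        $found = @(Get-AzureADGroup -Filter "displayName eq '$escaped'")
        if ($found.Count -ne 1) {
            Write-Warning "Group '$name' matched $($found.Count) objects; skipping"
            continue
        }
        # One member listing per group; -All pulls every page, not just the first
        $members = Get-AzureADGroupMember -ObjectId $found[0].ObjectId -All $true
        $memberSets[$name] = @{}
        foreach ($m in $members) { $memberSets[$name][$m.ObjectId] = $true }
    }
    foreach ($upn in $UserPrincipalNames) {
        $row = [ordered]@{ username = $upn }
        try {
            $userId = (Get-AzureADUser -ObjectId $upn -ErrorAction Stop).ObjectId
        }
        catch {
            Write-Warning "User '$upn' not found; marking every group as no"
            $userId = $null
        }
        foreach ($name in $memberSets.Keys) {
            # Hashtable lookup by ObjectId, so no further directory calls per user
            $row[$name] = if ($userId -and $memberSets[$name].ContainsKey($userId)) { 'yes' } else { 'no' }
        }
        [pscustomobject]$row
    }
}

# Usage with the post's inputs:
# Get-GroupMembershipMatrix -GroupNames $Groups -UserPrincipalNames $users.user |
#     Export-Csv -Path "C:\support\CheckOuput.csv" -NoTypeInformation
```

Nested group membership is not expanded by either approach; a user who is only in a group via another group is reported as "no".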
