Azure Active Directory Automatically Add/remove groups from Device - azure-active-directory

I was wondering if it's possible to automate add/remove group memberships from devices?
Basic concept: I have a bunch of devices with a certain group-role. I want to remove this group role from a device if the device display name matches a record in a .csv file. How would I approach this?
extra info: Azure AD joined devices.

• Yes, you can add/remove devices which are members of multiple groups in Azure AD. But you need to maintain a file, i.e., a csv file as you said, for each group that exists in your environment. You can also create a custom role assignment for this purpose and assign it the ‘microsoft.directory/groups/members/update’ permission so that the user which is assigned this role will have privileges only to update (add/delete/modify) the groups in Azure AD.
• For this purpose, you can use the below script by logging into Azure PowerShell with the custom-role-assigned user id and executing it after locating the correct csv file for the respective group, to remove the devices from that group. Also, please download the updated CSV file for the group from which devices are to be removed from Azure AD.
$cred = Get-Credential
Connect-AzureAD -Credential $cred
# The CSV must contain an ObjectId column holding the object IDs of the devices to remove
$devices = Import-Csv -Path '<Path of the csv file containing group members details>'
foreach ($device in $devices) {
    Remove-AzureADGroupMember -ObjectId "<ObjectID of the Group>" -MemberId $device.ObjectId
}
• However, you will have to use the ‘Object ID’ parameter of the device rather than ‘Display Name’, as a display name argument is not supported in the ‘Remove members from group’ operation.
Please refer to the below link for more details:
https://learn.microsoft.com/en-us/powershell/module/azuread/remove-azureadgroupmember?view=azureadps-2.0
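Since the question's CSV holds display names but the cmdlet needs object IDs, here is an added PowerShell script (not the answer's own script) that resolves each display name to a device object ID before removing it from the group. It assumes the AzureAD module, an existing Connect-AzureAD session, a CSV with a DisplayName column, and placeholder values for the CSV path and the group object ID.

```powershell
# Added example: remove devices listed by DisplayName in a CSV from an Azure AD group.
# Assumptions: AzureAD module loaded, Connect-AzureAD already run with the least-
# privilege custom role described above; path and group ID below are placeholders.
param(
    [string]$CsvPath       = 'C:\Temp\devices-to-remove.csv',   # constructed path
    [string]$GroupObjectId = '<object ID of the group>',         # placeholder
    [switch]$ReportOnly                                          # dry run, change nothing
)

# Current device members of the group, so we only remove what is actually there.
$memberIds = @(Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
               Where-Object ObjectType -eq 'Device' | Select-Object -ExpandProperty ObjectId)

foreach ($row in Import-Csv -Path $CsvPath) {
    $name = "$($row.DisplayName)".Trim()
    if (-not $name) { continue }
    # Device display names are not unique in Azure AD: resolve to object IDs and
    # refuse to act on an ambiguous name rather than remove the wrong device.
    $found = @(Get-AzureADDevice -Filter "displayName eq '$($name -replace "'", "''")'")
    if ($found.Count -eq 0) { Write-Warning "No device named '$name'"; continue }
    if ($found.Count -gt 1) { Write-Warning "$($found.Count) devices named '$name'; skipped"; continue }
    $dev = $found[0]
    if ($memberIds -notcontains $dev.ObjectId) { Write-Verbose "$name is not in the group"; continue }
    if ($ReportOnly) { "Would remove $name ($($dev.ObjectId))"; continue }
    Remove-AzureADGroupMember -ObjectId $GroupObjectId -MemberId $dev.ObjectId
    # Keep the printed line as an audit trail of what was changed and when.
    "$(Get-Date -Format s) removed $name ($($dev.ObjectId)) from group $GroupObjectId"
}
```

Run it once with -ReportOnly and keep that output before running it for real; ambiguous names are skipped on purpose so they can be resolved by object ID by hand.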

Related

How to create home directory without accented characters when using Microsoft 365

If my name includes characters like ä or ö, I'd like to create a home directory without those characters automatically when I log in to the computer connected to my Azure AD directory.
There are no settings to tell which name to use as your home directory or is it?
First name Eino
Last name Mäkitalo
DisplayName Eino Mäkitalo
Will create a directory c:\Users\EinoMäkitalo.
I prefer to have directory without ä like "eino" or something that also US made programs / programmers can survive because they don't understand utf-8 etc :-)
Any simple ideas which allow me to use my own name.
• When you log in to an Azure AD joined system, the user home directory path is usually set to ‘C:\Users\<UPN>’ where ‘UPN’ is the user principal name that is set for that user in Azure AD. Also, UPN has the format ‘abc@domainname.com’ where ‘abc’ is the logon attribute assigned or created during user creation.
• So, if you try to create users or modify user principal names of the users that would be created or are created already by excluding alphabets ‘a’ and ‘o’, then the user home directory that would be created automatically in the default path would not include the alphabets ‘a’ and ‘o’. Thus, for creating new users in bulk without the alphabets ‘a’ and ‘o’, use the following PowerShell script, but also keep in mind to modify the bulk users csv file with the required UPN naming changes and then run this script accordingly:
Connect-AzureAD
# CSV columns: DisplayName, FirstName, LastName, UserPrincipalName, Password
Import-Csv -Path "E:\Data\ADUsers.csv" | ForEach-Object {
    $pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $pwProfile.Password = $_.Password
    $pwProfile.ForceChangePasswordNextLogin = $true
    New-AzureADUser -DisplayName $_.DisplayName -GivenName $_.FirstName -Surname $_.LastName `
        -UserPrincipalName $_.UserPrincipalName -MailNickName ($_.UserPrincipalName -split '@')[0] `
        -AccountEnabled $true -PasswordProfile $pwProfile
} | Export-Csv -Path "E:\Data\Results.csv" -NoTypeInformation
• Once the UPN attribute has been changed with the required changes, then on logging in to the Azure AD joined machine, the user home directory will be created afresh with the name of the UPN of the logged-in user. In case you want to change the user home directory, you will have to change it through the registry editor of the local machine as below:
Logout of the azure AD user and login with the local administrator account.
Copy the Azure AD user profile to the new location, ensure proper permissions are set.
Modify the registry value of ProfilesDirectory under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to point to the new location.
Please find the below links for more understanding:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-add
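The question is really about deriving an ASCII-only UPN from a name like Mäkitalo, so here is an added PowerShell example (not part of the answer above) that strips accents from the name and writes the CSV the bulk-create script expects. The tenant domain and the raw input path are placeholders.

```powershell
# Added example: build an ASCII UPN from an accented name and produce the bulk CSV.
# Assumptions: input CSV has FirstName/LastName (and optionally Password) columns;
# 'contoso.example' and 'E:\Data\ADUsers-raw.csv' are placeholders.
function ConvertTo-AsciiUpn {
    param([string]$FirstName, [string]$LastName, [string]$Domain)
    $raw = "$FirstName.$LastName"
    # Decompose accented letters (ä -> a + combining diaeresis), drop the combining
    # marks, then remove anything still outside a conservative UPN character set.
    $decomposed = $raw.Normalize([Text.NormalizationForm]::FormD)
    $ascii = (($decomposed -replace '\p{Mn}', '') -replace '[^A-Za-z0-9._-]', '').ToLowerInvariant()
    # Letters with no decomposed form (ø, ß, ł) are dropped outright, so review the
    # output for such names instead of trusting it blindly.
    if (-not $ascii -or $ascii -eq '.') { throw "Name '$raw' produced an empty UPN prefix" }
    return "$ascii@$Domain"
}

$domain = 'contoso.example'   # placeholder tenant domain
Import-Csv -Path 'E:\Data\ADUsers-raw.csv' -Encoding UTF8 | ForEach-Object {
    [pscustomobject]@{
        DisplayName       = "$($_.FirstName) $($_.LastName)"   # keeps the real spelling
        FirstName         = $_.FirstName
        LastName          = $_.LastName
        UserPrincipalName = ConvertTo-AsciiUpn $_.FirstName $_.LastName $domain
        Password          = $_.Password                          # passed through if present
    }
} | Export-Csv -Path 'E:\Data\ADUsers.csv' -NoTypeInformation -Encoding UTF8
```

For the question's example, Eino Mäkitalo becomes eino.makitalo@contoso.example while the display name keeps the ä.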

SQL Server: LDAP query of Active Directory Group members works inconsistently

I am querying Active Directory from SQL Server via a Linked Server called LDAP.
The linked server was created thus, authenticating through a specially created service account myDomain\ServiceAccountWithNoPermissions.
exec master.dbo.sp_addlinkedserver @server = N'LDAP', @srvproduct=N'Active Directory Service Interfaces', @provider=N'ADSDSOObject', @datasrc=N'adsdatasource'
exec master.dbo.sp_addlinkedsrvlogin @rmtsrvname=N'LDAP',@useself=N'False',@locallogin=NULL,@rmtuser=N'myDomain\ServiceAccountWithNoPermissions',@rmtpassword='########'
And I'm querying the members of a specific Active Directory Group with the following:
select *
from OpenQuery (LDAP, '
select objectGUID, sAMAccountName
from ''LDAP://myServer.myDomain.com/DC=myDomain,DC=com''
where MemberOf=''CN=Some Group,OU=Folder,DC=myDomain,DC=com''
order by sAMAccountName asc
');
Here's my problem. The above system is working correctly for some Active Directory Groups and not others.
By default I think Authenticated Users is supposed to be able to query any User or Group objects in Active Directory. And as a test I verified that the effective permissions of myDomain\ServiceAccountWithNoPermissions includes "Read all properties" on Groups for which the members are both queryable and non-queryable.
What could be the difference between Groups that are queryable and non-queryable?
You didn't describe what you mean by it working incorrectly, so I can only guess. But the most obvious thing I can see is that you're querying the membership of a group by using memberOf. Depending on how your environment is set up, that may not give you all the results you hope for. I wrote about this, but here's the important part:
Groups only get added to memberOf if they have a Group Scope of:
Universal and are in the same AD forest as the user, or
Global and are on the same domain.
Groups do not get added to memberOf if they have a Group Scope of Global and are on another domain (even if in the same forest).
On top of that, memberOf will only include Domain Local groups from the same domain of the server you are retrieving results from. (if you are working in a multi-domain environment and reading from a Global Catalog, this may not be the same domain the user is from)
It will also not report the user’s primary group (usually Domain Users), if that’s important to you, nor will it include groups on external trusted domains.
The most reliable way to find all the members of a group is to read the member attribute of the group itself. But if the group is used as the primary group for any users, then you would also have to use a different way to find those.
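The answer's recommended approach, read the group's own member attribute and then separately find users whose primary group it is, as an added PowerShell/ADSI example that is not part of the answer. It runs outside SQL Server because member is multi-valued, which the ADSI OLE DB provider behind the linked server does not return; it assumes a domain-joined machine and a group DN that you supply.

```powershell
# Added example: complete membership of an AD group = member attribute + primary-group users.
# Assumptions: domain-joined host; $GroupDn is supplied by the caller (placeholder below).
function Get-GroupMembersComplete {
    param([string]$GroupDn = 'CN=Some Group,OU=Folder,DC=myDomain,DC=com')   # placeholder
    $entry    = [adsi]"LDAP://$GroupDn"
    $searcher = New-Object DirectoryServices.DirectorySearcher($entry, '(objectClass=group)', @('objectSid'), 'Base')
    $groupRes = $searcher.FindOne()
    if (-not $groupRes) { throw "Group not found: $GroupDn" }
    $members = New-Object Collections.Generic.List[string]

    # 1) Direct members from the group's own member attribute. A DC returns at most
    #    1500 values per request, so walk the attribute with range retrieval.
    $start = 0
    do {
        $searcher.PropertiesToLoad.Clear()
        $null = $searcher.PropertiesToLoad.Add("member;range=$start-*")
        $page = $searcher.FindOne()
        $key  = $page.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' }
        if (-not $key) { break }                               # empty group
        foreach ($dn in $page.Properties[$key]) { $members.Add([string]$dn) }
        $last = $key -replace '^.*-', ''                       # '*' on the final page, else last index
        if ($last -ne '*') { $start = [int]$last + 1 }
    } while ($last -ne '*')

    # 2) Users whose primary group is this group: they are absent from member and
    #    carry only primaryGroupID, which holds the group's RID (last SID sub-authority).
    $sid = New-Object Security.Principal.SecurityIdentifier($groupRes.Properties['objectsid'][0], 0)
    $rid = $sid.Value.Split('-')[-1]
    $domainRoot = [adsi]("LDAP://" + $GroupDn.Substring($GroupDn.IndexOf('DC=')))   # same domain as the group
    $userSearch = New-Object DirectoryServices.DirectorySearcher($domainRoot, "(primaryGroupID=$rid)", @('distinguishedName'))
    $userSearch.PageSize = 1000
    foreach ($u in $userSearch.FindAll()) { $members.Add([string]$u.Properties['distinguishedname'][0]) }

    return $members | Sort-Object -Unique
}
```

Members from other domains appear in member as foreign security principal DNs, so resolve those separately if you need their account names.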

onPremisesDomainName for AAD group object?

Do AAD Group objects have an onPremisesDomainName property, similar to that in User objects? I did not find it in the doc.
Just wondering why there isn't a parity with User objects.
The onPremisesDomainName contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
The domainFQDN and DnsDomainName have been added for Group objects as of version 1.1.553.0. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
There are a number of similar threads worth checking out.
Find Domain Name in Active Directory
Get domain\username from microsoft graph

Azure AD Dynamic Group based on Group Membership

Is it possible to create an Azure AD dynamic group based on the user's other group memberships, or can it only be dynamically assigned based on user properties?
What I would like to create is an "Everyone" type group that will include everyone except users that are in an ExceptionGroup. This is for O365 licensing, so by default all users will get a base O365 license, but users that need Project will have a different license applied.
(The reason it needs to be completely separate is because of a conflict between the SharePoint licenses required for O365 Business Premium and Project -- if there was another way around that part of the problem, I might be able to avoid this type of dynamic group.)
Philippe is correct that you cannot directly create a query that uses group membership as a criterion, but if you are syncing your Azure AD against an on-premises Active Directory environment, you can certainly use scheduled scripts to put values into the extensionAttributeX fields, and then build criteria based upon those without issues.
We needed to use the distinguishedName parameter to create dynamic groups based on OU membership, but the DN field is also not supported. So, using a scheduled job running a Powershell script I update the value of extensionAttribute9 to the DN if it has changed, and then our Azure Connect synchronization takes care of getting that data into Azure AD for the dynamic group member assignment.
An example of a Powershell script to do that for a group membership would look something like this:
Import-Module ActiveDirectory
$exclude = Get-ADGroupMember -Identity "excludeGroup" -Recursive | Select-Object -ExpandProperty SamAccountName
$population = Get-ADUser -Filter {enabled -eq $true} -Properties extensionAttribute4
foreach ($p in $population) {
    if ($exclude -notcontains $p.SamAccountName) {
        if ($p.extensionAttribute4 -ne "Good") { Set-ADUser -Identity $p -Replace @{extensionAttribute4 = "Good"} }
    } elseif ($p.extensionAttribute4) {
        Set-ADUser -Identity $p -Clear extensionAttribute4   # user was added to the exclusion group later
    }
}
Put that into a script that you run on a scheduled basis and then you create your dynamic Azure AD group membership based on the value in extensionAttribute4 (or whichever extensionAttribute you are not already using or prefer).
Do make sure you are syncing those fields between your local AD and Azure AD, but IIRC those are in the default set.
No, it is not currently possible to use group membership as a part of the query for a dynamic group.

Microsoft Graph - Can't get users Windows AD groups

When I use:
string graphRequest = $"{graphResourceUri}/me/memberOf?api-version=1.6";
I get an empty array because my logged in user isn't a member of any Azure Groups (I'm assuming).
What I want is to get the list of Windows Domain Active Directory groups this user is a member of. Is there no way to retrieve this? I don't care about Azure groups.
I found out that it was because we didn't sync any groups between our Active Directory and Azure, we only synced users. After syncing the necessary AD group, it now shows up when I query the user's group membership within Azure.
