I'm trying to list all Azure AD groups where the DisplayName ends with "Reader":
Get-AzureRmADGroup -SearchString "Reader"
And the Microsoft example says
Example 2: Get groups by search string
This command gets all Active Directory groups that **include** Patti in the display name.
Windows PowerShell
PS C:\> Get-AzureRmADGroup -SearchString "Patti"
But my result is blank when I try to do this; what am I missing?
Try the command below.
Get-AzureRmADGroup | Where-Object {$_.DisplayName -like "*Reader"}
Test Result (to speed up the operation I used -First 5; you can ignore it):
Related
I'm hoping to use the updated graph powershell commands to be able to pull more information on deleted users.
I'm trying to use:
Get-AzureADUser -Filter "aad.IsDeleted eq 'True'"
but it returns the error:
The child type 'aaad.IsDeleted' in a cast was not an entitity type.
How do I filter for deleted accounts, if possible, so that I can also do a Select to include additional parameters / attributes?
I'm hoping to be able to know when an account was deleted, a description, etc.
We are moving some users to cloud only, so we need to move them in AD to a container that is excluded from AD Connect. Then we need to use a script to undelete them and validate that licenses are still in use.
I know that
get-MsolUser -ReturnDeletedUsers
works; however, I haven't been able to figure out how to return additional values / parameters / attributes.
It doesn't appear that Get-AzureADUser or Get-AzADUser have a way of filtering or returning deleted users. You can't even use -Filter as the property is not returned from the API call.
You can, however, work around this slightly and call the API directly.
$result = Invoke-AzRestMethod -Uri 'https://graph.microsoft.com/beta/directory/deleteditems/microsoft.graph.user'
$jsonOutput = $result.content | ConvertFrom-Json
$jsonOutput.value | Select-Object id, displayName, mail, deletedDateTime
There are a couple of examples on github where people have written functions to assist with making those calls:
https://github.com/Azure/GuardrailsSolutionAccelerator/blob/0f3f4994c03d8e47d7d67bd790ba3b290f37560a/src/GUARDRAIL%202%20MANAGEMENT%20OF%20ADMINISTRATIVE%20PRIVILEGES/Audit/Check-DeletedAndDisabledUsers.psm1
and
https://github.com/Panzerbjrn/AzureGraphApiHelper/blob/4cd2dcd1067bdabd349b044f1760bb958d54179d/AzureGraphApiHelper/Functions/Get-AGDeletedUsers.ps1
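Graph returns deleted items in pages, and Invoke-AzRestMethod only hands back the first page, so the three-line call above can silently miss users in larger tenants. The following is an added example (not the answerer's code) that follows `@odata.nextLink` until every page is collected; it assumes Connect-AzAccount has already been run and uses the v1.0 endpoint with a `$select` of its own choosing.

```powershell
# Added example: page through every deleted user that Graph returns.
# Assumption: an Az session exists (Connect-AzAccount) with Graph access.
function Get-DeletedUsersPaged {
    param(
        # Assumption: a $select keeps each page small; adjust to taste
        [string]$Select = 'id,displayName,userPrincipalName,mail,deletedDateTime'
    )
    $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?`$select=$Select"
    $all = @()
    while ($uri) {
        $result = Invoke-AzRestMethod -Uri $uri -Method GET
        if ($result.StatusCode -ne 200) {
            throw "Graph call failed with HTTP $($result.StatusCode): $($result.Content)"
        }
        $page = $result.Content | ConvertFrom-Json
        $all += $page.value
        # '@odata.nextLink' is only present while more pages remain;
        # when it is absent the loop ends
        $uri = $page.'@odata.nextLink'
    }
    return $all
}

# Example use: all deleted accounts, oldest deletion first, exported to CSV
Get-DeletedUsersPaged |
    Sort-Object deletedDateTime |
    Select-Object id, displayName, userPrincipalName, mail, deletedDateTime |
    Export-Csv -Path .\deleted-users.csv -NoTypeInformation
```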
You can surely get all the details of the deleted Azure AD user accounts from your tenant through the below command. Also, you can use filters and attributes as shown below along with this command to sort out specific details for a particular deleted user account:
Command:
Get-MsolUser -ReturnDeletedUsers -MaxResults 50 -EnabledFilter All | Export-Csv -Path C:\Users\v-kartikb\Downloads\Reatapp\delete4.csv
Output:
Similarly, if you want to get any information regarding a specific user, or search for a user ID based on a search string, then please refer to the below commands:
Get-MsolUser -ReturnDeletedUsers | FL UserPrincipalName,ObjectID
Get-MsolUser -ReturnDeletedUsers -SearchString <User UPN> | FL UserPrincipalName,ObjectID
Also, ensure that you sign in to the Microsoft Office 365 service before executing the above commands, by running the below command:
Connect-MsolService
Also, you can get the details of any deleted user if you have the object ID, by executing the below Azure AD commands through PowerShell:
Connect-AzureAD
Get-AzureADMSDeletedDirectoryObject -Id <ObjectID>
Output:
Please find the below link for more details regarding the above commands:
http://ajaxtechinc.com/question/manage-delete-users-office-365-recycle-bin/
This can be accomplished using the Graph API and the Azure CLI for auth:
$deletedUsers = az rest `
--method "GET" `
--url "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user" `
--headers "Content-Type=application/json" | ConvertFrom-Json
I need to add the Sites.FullControl.All API permission to an app registration via PowerShell, but I can't find the ID. I have already found the IDs of various APIs like AllSites.FullControl with the command
$svcSharePoint = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Office 365 SharePoint Online" }
$svcSharePoint.Oauth2Permissions | FT ID, Value
Any Ideas?
This is what I'm expecting.
I tested in my environment. I'm able to retrieve the IDs of Application permissions successfully like below:
Please note that Sites.FullControl.All is an Application Permission not Delegated Permission.
Using the below cmdlet, you will only get a list of delegated permission IDs.
$svcSharePoint.Oauth2Permissions | FT ID, Value
To get a list of application permission IDs, you have to make use of the below cmdlet:
$svcSharePoint.AppRoles | FT ID, Value
The ID of the Sites.FullControl.All permission is 678536fe-1083-478a-9c59-b99265e6b0d3.
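The asker's end goal is to put that permission on an app registration, and the AppRoles vs Oauth2Permissions distinction carries through to that step: an application permission is added to RequiredResourceAccess with type 'Role', a delegated one with type 'Scope'. The following is an added example (not the answerer's code) that resolves the permission by its Value at run time instead of hard-coding the GUID and merges it into the app's existing requirements; it assumes Connect-AzureAD has been run and that `$appObjectId` (placeholder below) holds the target app registration's ObjectId.

```powershell
# Added example: add an application permission to an app registration.
# Assumptions: Connect-AzureAD session; $appObjectId is a placeholder.
$appObjectId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$permissionValue = 'Sites.FullControl.All'

$svcSharePoint = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.DisplayName -eq 'Office 365 SharePoint Online' }

# Application permissions live in AppRoles; delegated ones in Oauth2Permissions
$appRole = $svcSharePoint.AppRoles | Where-Object { $_.Value -eq $permissionValue }
if (-not $appRole) { throw "No application permission named $permissionValue on SharePoint Online" }

# 'Role' marks an application permission; 'Scope' would mark a delegated one
$access = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' `
    -ArgumentList $appRole.Id, 'Role'

# Merge into what the app already requires: one entry per resource AppId
$app      = Get-AzureADApplication -ObjectId $appObjectId
$required = @($app.RequiredResourceAccess)
$entry    = $required | Where-Object { $_.ResourceAppId -eq $svcSharePoint.AppId }
if ($entry) {
    if ($entry.ResourceAccess.Id -notcontains $appRole.Id) { $entry.ResourceAccess.Add($access) }
} else {
    $entry = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
    $entry.ResourceAppId  = $svcSharePoint.AppId
    $entry.ResourceAccess = $access
    $required += $entry
}
Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $required

# Show the resulting requirement so the change can be reviewed before consent
(Get-AzureADApplication -ObjectId $appObjectId).RequiredResourceAccess |
    ForEach-Object { $_.ResourceAccess | Select-Object Id, Type }
```

This only declares the requirement on the app registration; a tenant administrator still has to grant consent for a tenant-wide application permission before tokens carry it.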
On Azure and with Powershell, I need to list all the subscriptions that are in a specific management group.
The command Get-AzSubscription has no parameter to filter on a specific management group, and there is no PowerShell command (AzManagementGroup) either to list the subscriptions inside one.
I was thinking about creating an msgraph query to do that and call it from powershell, but perhaps there is an easier way to do that? :)
The PowerShell Cmdlet you would want to use is Get-AzManagementGroup. This is how you would use it:
$response = Get-AzManagementGroup -GroupName TestGroupParent -Expand -Recurse
Child subscriptions and management groups can be accessed via Children property. Something like:
$response.Children[0]
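Indexing into Children only reaches the first direct child, and with -Recurse the tree can contain nested management groups whose own Children hold further subscriptions. The following is an added example (not the answerer's code) that walks the whole tree and returns every subscription with the management-group path it sits under; it assumes child entries carry a Type of '/subscriptions' for subscriptions and 'Microsoft.Management/managementGroups' for nested groups, and that Connect-AzAccount has been run.

```powershell
# Added example: recursively collect subscriptions under a management group.
# Assumptions: Az session; child Type values as described in the lead-in.
function Get-SubscriptionsUnderManagementGroup {
    param([Parameter(Mandatory)][string]$GroupName)

    # One call returns the whole subtree when both -Expand and -Recurse are set
    $root = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse

    function Walk($node, $path) {
        foreach ($child in @($node.Children)) {
            if ($child.Type -eq '/subscriptions') {
                [pscustomobject]@{
                    SubscriptionId   = $child.Name        # GUID of the subscription
                    SubscriptionName = $child.DisplayName
                    ManagementGroup  = $path              # path from the root group
                }
            } else {
                # nested management group: descend into it
                Walk $child "$path/$($child.Name)"
            }
        }
    }
    Walk $root $root.Name
}

Get-SubscriptionsUnderManagementGroup -GroupName 'TestGroupParent' | Format-Table -AutoSize
```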
The correct way to, recursively, fetch the subscriptions under a given management group is the following:
Search-AzGraph -Query "ResourceContainers | where type =~ 'microsoft.resources/subscriptions'" -ManagementGroup $managementGroupName
The code above expects the $managementGroupName variable to contain the name of the management group.
Search-AzGraph -Query "ResourceContainers `
| where type =~ 'microsoft.resources/subscriptions'" -ManagementGroup $managementGroupName -First 200 `
| Format-Table -Property *
The query was good, but AzGraph limits you to the first 100 results only, so I just changed it a bit to include the first 200 results instead.
I'm looking for a way to retrieve information about all users that belong to a particular group and store the results in CSV.
So, I use the following Azure AD command for the purpose:
Get-AzureADGroupMember -ObjectId "xxx" | get-azureaduser | Export-Csv -nti users.csv
However, the command only returns 100 users maximum.
Is there a way to return all the users that belong to a group from the CLI?
Try Get-AzureADGroupMember -ObjectId "xxx" -All $true | ...
Look at https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadgroupmember?view=azureadps-2.0 for reference.
Using PowerShell, you can add the parameter -Top xxx (-Top 500 for example), or -All for all group members.
You can use Get-AzADUser instead!
I have checked in every possible area in the classic Azure portal but I can't seem to find the "Global Administrator" for the directory to which I belong.
Is there a way to find this out in the portal?
You should be able to look up the company administrators in your tenant by making two queries to the AAD or Microsoft Graph API.
The first query will allow you to identify the objectId of the "Company Administrator" role in your tenant.
https://graph.windows.net/<tenant>/directoryRoles
Then you need to find the directoryRole where "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10", and save the objectId.
Next you can query the members of that directoryRole using the following:
https://graph.windows.net/<tenant>/directoryRoles/<objectId>/members
Try it all out using the Graph Explorer and its demo tenant:
Query 1
Query 2
Let me know if this helps!
Global Administrators are also called Company Administrators. The following PowerShell script can help you print out all your Company Administrators. The Install-Module is included in case you do not already have the AzureAD PS Module installed.
# Install-Module AzureAD
Connect-AzureAD -TenantID [Your Tenant ID]
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser
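Matching the role by display name is fragile, because the same role surfaces as 'Company Administrator' in some module versions and 'Global Administrator' in others, while the roleTemplateId quoted in the earlier answer (62e90394-69f5-4237-9190-012177145e10) never changes. Piping every member through Get-AzureADUser also drops groups and service principals that hold the role. The following is an added example (not the answerer's script) that resolves the role by template ID and reports each member with its object type; it assumes Connect-AzureAD has been run.

```powershell
# Added example: list Global Administrator members by fixed role template ID.
# Assumption: an AzureAD session exists (Connect-AzureAD).
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Get-AzureADDirectoryRole only lists roles that are activated in the tenant
$role = Get-AzureADDirectoryRole |
    Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
if (-not $role) {
    throw 'Global Administrator role is not activated in this tenant.'
}

# Members may be users, groups or service principals; report them all
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
    [pscustomobject]@{
        ObjectType     = $_.ObjectType
        DisplayName    = $_.DisplayName
        # UPN for users; ObjectId for anything else
        Identifier     = $(if ($_.ObjectType -eq 'User') { $_.UserPrincipalName } else { $_.ObjectId })
        # AccountEnabled exists on users and service principals, is blank for groups
        AccountEnabled = $_.AccountEnabled
    }
} | Sort-Object ObjectType, DisplayName | Format-Table -AutoSize
```

A group in the output means every member of that group effectively holds the role; that group's membership is worth reviewing with the same care as the direct members.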
Currently there's no way on the portal, however using PowerShell, enter the following code:
Connect-MsolService #to connect to your Azure tenant
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName "Company Administrator").ObjectId