I have been trying to find a way to bulk add users to a group from a variable.
I create my variables and test them, and then when I use them the system interprets them in a way I didn't expect. Has anyone figured out how best to automate this process?
PS C:\WINDOWS\system32> $user = get-MsolUser | Select ObjectID
PS C:\WINDOWS\system32> $user
ObjectId
--------
97232511-7ea5-4f26-9372-************
baa75007-e0fc-4265-b17c-************
PS C:\WINDOWS\system32> $group = get-MsolGroup -ObjectId 776da14a-9c10-4dd1-b880-************ | Select ObjectID
PS C:\WINDOWS\system32> $group
ObjectId
--------
776da14a-9c10-4dd1-b880-************
PS C:\WINDOWS\system32> Add-MsolGroupMember -GroupObjectID $group -GroupMemberType User -GroupMemberObjectId $user
Add-MsolGroupMember : Cannot bind parameter 'GroupObjectId'. Cannot convert the "#{ObjectId=776da14a-9c10-4dd1-b880-d0646d49e926}"
value of type "Selected.Microsoft.Online.Administration.Group" to type "System.Guid".
At line:1 char:36
+ Add-MsolGroupMember -GroupObjectID $group -GroupMemberType User -Grou ...
+ ~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Add-MsolGroupMember], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Online.Administration.Automation.AddGroupMember
PS C:\WINDOWS\system32>
Try this while selecting a group and then pass it to the Add-MsolGroupMember cmdlet.
$group = get-MsolGroup -ObjectId 776da14a-9c10-4dd1-b880-************ | Select-Object -ExpandProperty ObjectID
An alternative to the answer provided:
$group = get-MsolGroup -ObjectId 776da14a-9c10-4dd1-b880-************
$users = get-MsolUser
foreach($user in $users){
Add-MsolGroupMember -GroupObjectID $group.objectId -GroupMemberType User -GroupMemberObjectId $user.objectId
}
Because you're returning multiple users, you'll want to foreach over them, as the cmdlet only accepts one argument for -GroupMemberObjectId. Also, with your current setup, getting the group is unnecessary since you already know the object id; you could achieve the same with:
$groupObjectId = "776da14a-9c10-4dd1-b880-************"
$users = get-MsolUser
foreach($user in $users){
Add-MsolGroupMember -GroupObjectID $groupObjectId -GroupMemberType User -GroupMemberObjectId $user.objectId
}
Related
I am trying to run a simple PowerShell cmdlet that lists all devices matching a name criterion and, in the next step, moves these devices to a selected Azure group.
I tried with:
$result = Get-AzureADDevice -All $True -SearchString "LAP-BK" | ForEach-Object -Process {Add-AzureADGroupMember -ObjectId "25f94620-d850-4ec6-9476-050429d44926" -RefObjectId "$result.ObjectId"}
but that throws errors. I also tried
$result = Get-AzureADDevice -All $True -SearchString "LAP-BK" |Select-Object ObjectId
forEach ($item in $result)
{
Add-AzureADGroupMember -ObjectId "25f94620-d850-4ec6-9476-050429d44926" -RefObjectId "$item"
}
exit
The errors are various; the last one I got was:
Error occurred while executing AddGroupMember Code: Request_BadRequest Message: Invalid object identifier ' #{ObjectId=debb95af-9h1f-49d6-ad84-8438f9c99b10}'. RequestId: 6df36830-7708-4f6b-b836-cd065f5f60b1
I tried to figure out the error from my end by running your script line by line, and I was able to find exactly where it was occurring:
Referring to Jamesyumnam's article, I was able to successfully create and run the script below.
$groupName = "<groupName>"
Connect-AzureAD
# Resolve the target group once
$groupObject = Get-AzureADGroup -SearchString $groupName
# Devices matching the name pattern; only the ObjectId is needed for the membership call
$outcome = Get-AzureADDevice -SearchString "xxxxxx" | Select-Object ObjectId
try {
    foreach ($item in $outcome) {
        # Pass the bare ObjectId property, not the wrapped object or an interpolated string
        Add-AzureADGroupMember -ObjectId $groupObject.ObjectId -RefObjectId $item.ObjectId
    }
}
catch {
    Write-Host "Device does not exist: $($_.Exception.Message)"
}
Executed in Azure PowerShell:
Member added in Azure Portal:
Note: It will be more helpful if you include try{} catch{} blocks in your code to find these kinds of blockers.
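Both the MSOnline question at the top of the page and the device question above fail for the same family of reasons: `Select-Object ObjectId` returns a wrapper object rather than the id, `"$item"` stringifies that wrapper, `"$result.ObjectId"` expands only `$result`, and inside a pipeline that is being assigned to `$result` that variable is not yet set. The following is an added example, not code from either answer; it runs offline against constructed stand-in objects (the GUIDs are made up) so that only PowerShell's own expansion and conversion behaviour is exercised. Note also that the MSOnline and AzureAD modules are deprecated in favour of the Microsoft Graph PowerShell SDK; the pitfalls shown here are the same with `Get-MgUser | Select-Object Id`.

```powershell
# Added example; not part of either answer. The objects below are constructed stand-ins for what
# `Get-MsolUser | Select ObjectId` or `Get-AzureADDevice | Select-Object ObjectId` return.
$selected = @(
    [pscustomobject]@{ ObjectId = '11111111-1111-4111-8111-111111111111' },
    [pscustomobject]@{ ObjectId = '22222222-2222-4222-8222-222222222222' }
)

function Show-Expansion {
    # What each spelling actually hands to a -GroupObjectId / -RefObjectId parameter.
    param([Parameter(Mandatory)] $Item)
    [ordered]@{
        '$Item'               = $Item                # the wrapper object itself; a [guid] parameter cannot bind it
        '"$Item"'             = "$Item"              # stringified wrapper: @{ObjectId=1111...}
        '"$Item.ObjectId"'    = "$Item.ObjectId"     # only $Item expands; ".ObjectId" stays literal text
        '$Item.ObjectId'      = $Item.ObjectId       # the bare id string: correct
        '"$($Item.ObjectId)"' = "$($Item.ObjectId)"  # subexpression inside quotes: also correct
    }
}

function Test-GuidBinding {
    # Mimics binding a value to a [guid] parameter, as Add-MsolGroupMember -GroupObjectId does.
    param($Value)
    try { $null = [guid]$Value; 'binds' } catch { "fails: $($_.Exception.Message)" }
}

function Get-ObjectIdString {
    # Unwrap a Select-Object result and refuse anything that is not a GUID before it reaches the API.
    param([Parameter(Mandatory)] $Item)
    $raw = $Item | Select-Object -ExpandProperty ObjectId
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse([string]$raw, [ref]$parsed)) { throw "Not a GUID: '$raw'" }
    $parsed.ToString()
}

Show-Expansion -Item $selected[0] | Format-Table -AutoSize
Test-GuidBinding -Value $selected[0]            # fails: the wrapper object, as in the MSOnline error
Test-GuidBinding -Value $selected[0].ObjectId   # binds

# The first attempt in the device question has a further problem: inside
#   $result = Get-AzureADDevice ... | ForEach-Object { ... "$result.ObjectId" ... }
# $result is not assigned until the whole pipeline finishes, so inside the block it is $null
# (or a stale value from an earlier run). The current pipeline object is $_ :
$ids = $selected | ForEach-Object { Get-ObjectIdString -Item $_ }
$ids   # two bare GUID strings, ready for -GroupMemberObjectId or -RefObjectId
```

The `Get-ObjectIdString` check is cheap insurance in any bulk membership script: a malformed id that reaches the API surfaces as a `Request_BadRequest` like the one quoted in the question, long after the script has moved on to the next row.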
Can someone help me get the details of all users from Azure for their role assignments with -ExpandPrincipalGroups?
I have tried it for one user and it works fine, but when I run the query for all Azure users it gives an error.
Here is the command I am trying:
$user = (Get-AzADUser).UserPrincipalname
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups | Select-Object DisplayName,RoleDefinitionName, Scope
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups | Select-Object DisplayName,RoleDefinitionName, Scope
Get-AzRoleAssignment : Cannot find principal using the specified options
At line:1 char:1
+ Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups | Selec ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzRoleAssignment], KeyNotFoundException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureRoleAssignmentCommand
Welcome back suri,
You need to pass the SignInName parameter of Get-AzRoleAssignment as a string, not a list:
Get-AzRoleAssignment
-SignInName <String>
-ResourceGroupName <String>
[-RoleDefinitionName <String>]
[-IncludeClassicAdministrators]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
So this could be handled as follows:
(Get-AzADUser).UserPrincipalname | % { Get-AzRoleAssignment -SignInName $_ | Select-Object DisplayName,RoleDefinitionName,Scope}
DisplayName RoleDefinitionName Scope
----------- ------------------ -----
Mahmoud Moawad Owner /subscriptions/XXXXX-XXXX-XXXXX-XXXX-XXXX
Mahmoud Moawad User Access Administrator /
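The answer above shows the one-string-per-call fix; the question also asked for -ExpandPrincipalGroups, which is what makes this useful as a privilege audit, because it surfaces roles a user inherits through group membership. The following is an added example (my own code, not the answerer's). It assumes Connect-AzAccount has already been run with rights to read the directory, and the list of roles treated as high-privilege and the output path are my own choices.

```powershell
# Added example, not from the answer above. Per-user RBAC inventory including group-inherited
# assignments, with high-privilege assignments at subscription or root scope flagged.
$privileged = @('Owner', 'User Access Administrator', 'Contributor')   # assumption: roles worth flagging

$report = foreach ($upn in (Get-AzADUser).UserPrincipalName) {
    try {
        # -SignInName takes a single string; passing the whole array is what produced the error in the question.
        Get-AzRoleAssignment -SignInName $upn -ExpandPrincipalGroups -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    User          = $upn
                    AssignedTo    = $_.DisplayName        # the user, or the group the user inherits the role from
                    ObjectType    = $_.ObjectType         # User or Group
                    Role          = $_.RoleDefinitionName
                    Scope         = $_.Scope
                    HighPrivilege = ($privileged -contains $_.RoleDefinitionName) -and
                                    ($_.Scope -eq '/' -or $_.Scope -match '^/subscriptions/[^/]+$')
                }
            }
    }
    catch {
        # Accounts that cannot be resolved as a principal (for example some guests) raise
        # "Cannot find principal"; record it and keep going rather than aborting the whole audit.
        Write-Warning "$upn : $($_.Exception.Message)"
    }
}

$report | Where-Object HighPrivilege | Sort-Object User, Scope | Format-Table -AutoSize
$report | Export-Csv -Path .\rbac-audit.csv -NoTypeInformation
```

Because each user is queried separately, a failure for one account is isolated to that account; the `ObjectType` column tells you whether a flagged role was assigned directly or arrived through a group, which is where most surprise Owner assignments come from.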
Here is the code that I have written and modified several times, but still cannot get to work. Any help would be greatly appreciated. I keep receiving the following errors:
Get-AzureADUser : Cannot bind argument to parameter 'ObjectId' because it is null, and New-AzureADUserAppRoleAssignment : Cannot bind argument to parameter 'ObjectId' because it is null.
# Assign the global values to the variables for the script.
$app_name = "App Name"
$app_role_name = "User"
$users = Get-Content 'Path\Users.txt'
$Credential=Get-StoredCredential -UserName #####
# Connect to Azure AD using Azure AD Powershell
Connect-AzureAD -Credential $Credential
# Get the user to assign, and the service principal for the app to assign to
foreach ($user in $users) {
$AADuser = Get-AzureADUser -ObjectId $user
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
}
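This post has no answer on the page. The following is an added, reworked version of the loop (my own code, not the poster's). In the original, `$user` is the line read from the text file, so `$user.ObjectId` is null; the directory object is in `$AADuser`. The version below also trims and drops blank lines from the input, resolves the service principal and app role once before the loop, and skips users who already hold the role so it can be re-run. It assumes Connect-AzureAD has already been run; the app name, role name and file path are placeholders as in the post.

```powershell
# Added example: reworked version of the loop in the post above (not the poster's code).
$app_name      = 'App Name'      # placeholder, as in the post
$app_role_name = 'User'
# One UPN or ObjectId per line; whitespace-only lines would bind nothing, so drop them up front.
$users = Get-Content 'Path\Users.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Resolve the service principal and app role once, and fail early if either is missing or ambiguous.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
if (-not $sp)           { throw "Service principal '$app_name' not found" }
if (@($sp).Count -gt 1) { throw "displayName '$app_name' is ambiguous; select it by -ObjectId instead" }
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name -and $_.IsEnabled }
if (-not $appRole)      { throw "App role '$app_role_name' not found on '$app_name'" }

foreach ($user in $users) {
    # $user is the string from the file; the directory object lives in $AADuser.
    try {
        $AADuser = Get-AzureADUser -ObjectId $user -ErrorAction Stop
    }
    catch {
        Write-Warning "User '$user' not found, skipping: $($_.Exception.Message)"
        continue
    }

    # Idempotent: skip if this role on this app is already assigned to the user.
    $already = Get-AzureADUserAppRoleAssignment -ObjectId $AADuser.ObjectId -All $true |
        Where-Object { $_.ResourceId -eq $sp.ObjectId -and $_.Id -eq $appRole.Id }
    if ($already) {
        Write-Verbose "$($AADuser.UserPrincipalName) already has '$app_role_name'"
        continue
    }

    New-AzureADUserAppRoleAssignment -ObjectId $AADuser.ObjectId -PrincipalId $AADuser.ObjectId `
        -ResourceId $sp.ObjectId -Id $appRole.Id | Out-Null
    "Assigned '$app_role_name' on '$app_name' to $($AADuser.UserPrincipalName)"
}
```

Resolving the app and role once outside the loop is not only faster; it also turns a misspelled app name into a single clear failure before any assignment is made, instead of one error per user.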
I want to write a PowerShell script that lists the users from Azure AD and all enterprise applications assigned to every user in the list.
I have tried to set up a ForEach-Object loop to iterate over each object I get from Get-AzureADUser.
This code works:
$UserId = (Get-AzureADUser -Top 1).ObjectId
Get-AzureADUserAppRoleAssignment -ObjectId $UserId
I'm trying to loop and iterate over every single output:
$UserId = (Get-AzureADUser).ObjectId | ForEach-Object {
Get-AzureADUserAppRoleAssignment -ObjectId $UserId}
Here is the error message:
Get-AzureADUserAppRoleAssignment : Cannot convert 'System.Object[]' to the type 'System.String' required by parameter 'ObjectId'. Specified method is not supported.
At line:1 char:44
+ Get-AzureADUserAppRoleAssignment -ObjectId $UserID
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-AzureADUserAppRoleAssignment], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.Open.AzureAD16.PowerShell.GetUserAppRoleAssignments
You may create the loop for Get-AzureADUserAppRoleAssignment by these commands below:
$UserId = (Get-AzureADUser).ObjectId
foreach ($eachUserId in $UserId)
{
Get-AzureADUserAppRoleAssignment -ObjectId $eachUserId
}
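The loop in the answer prints raw assignment objects, whose `Id` property is the app role's GUID rather than a name. As an added example (my own code, not the answerer's), the script below builds the per-user inventory the question asked for, resolving each role name through the owning service principal with a cache so each application is fetched once, and pages through all users instead of the default first 100. It assumes Connect-AzureAD has already been run; the output path is my choice.

```powershell
# Added example, not from the answer above. Per-user inventory of enterprise application role assignments.
$spCache = @{}   # ResourceId -> service principal, so each application is fetched only once

function Resolve-AppRoleName {
    param([Parameter(Mandatory)][string]$ResourceId, [Parameter(Mandatory)][string]$RoleId)
    # The all-zero role id means "default access" on an app that defines no roles; it has no AppRoles entry.
    if ($RoleId -eq '00000000-0000-0000-0000-000000000000') { return 'Default Access' }
    if (-not $spCache.ContainsKey($ResourceId)) {
        $spCache[$ResourceId] = Get-AzureADServicePrincipal -ObjectId $ResourceId
    }
    $role = $spCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $RoleId }
    if ($role) { $role.DisplayName } else { "unknown ($RoleId)" }
}

# -All $true on both cmdlets: without it the default page size silently truncates the result.
$inventory = foreach ($u in Get-AzureADUser -All $true) {
    foreach ($a in Get-AzureADUserAppRoleAssignment -ObjectId $u.ObjectId -All $true) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Application       = $a.ResourceDisplayName
            Role              = Resolve-AppRoleName -ResourceId $a.ResourceId -RoleId $a.Id
            Assigned          = $a.CreationTimestamp
        }
    }
}

$inventory | Sort-Object UserPrincipalName, Application | Format-Table -AutoSize
$inventory | Export-Csv -Path .\app-role-inventory.csv -NoTypeInformation
```

The resulting CSV is the artefact an access review actually needs: one row per user and application with a readable role, which can be diffed against the previous run to spot new or unexpected assignments.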
I'm trying to update AzureADGroupMember for multiple users in a CSV File by Employee.
This is what I was assisted with, but I'm looking to have it update by UPN instead of EmployeeID. This was the successful code that updates ADGroupMember by UPN.
$users = Import-csv "C:\Temp\testgroup2.csv"
$users | ForEach-Object{
Add-AzureADGroupMember -ObjectId 599992-xxxxxxxxxx-699999e9e -RefObjectId (Get-AzureADUser -ObjectId $_.UPN).ObjectId
}
This is the code where I changed UPN to update by EmployeeID in the CSV.
$users = Import-csv "C:\Temp\testgroup2.csv"
$users | ForEach-Object{
Add-AzureADGroupMember -ObjectId 599992-xxxxxxx-6ee9999e -RefObjectId (Get-AzureADUser -ObjectId $_.EmployeeID).ObjectId
}
This is the error message I get when trying to update by EmployeeID.
Get-AzureADUser : Error occurred while executing GetUser Code:
Request_ResourceNotFound Message: Resource '18616' does not exist or one
of its queried reference- property objects are not present.
This is what I used to verify that the employee actually has an EmployeeID in Azure.
Get-AzureADUser -ObjectID Xxxxx#hxxxxxx.com | Select-Object *
Any idea why it's reading that the employeeID doesn't exist in Azure even though I've verified?
Thank you,
Update: Adding screenshot of my csv setup, I only have Employee ID in there:
CSV Setup
Update 2: Screenshot of the script I'm running in powershell: Script in PS
The employeeId is not the same as the ObjectId, so you cannot pass the employeeId to the ObjectId parameter.
Try the script below; it works fine on my side.
$users = Import-csv "C:\Users\joyw\Desktop\testgroup.csv"
foreach($user in $users){
$refobjectid = (Get-AzureADUser | Where-Object {$_.ExtensionProperty.employeeId -eq $user.employeeId}).ObjectId
Add-AzureADGroupMember -ObjectId 9d42d3ea-xxxxxxxx-c31428b600ad -RefObjectId $refobjectid
}
My .csv file:
UPN,Role,employeeId
leeliu#xxxxxx.onmicrosoft.com,role1,12345
test#xxxxxx.onmicrosoft.com,role2,123
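The answer's script works, but it enumerates every user in the directory once per CSV row, and an employeeId that matches nobody (or more than one account) is silently skipped. As an added example (my own code, not the answerer's), the script below reads the directory once into an employeeId-to-user index, reports unmatched and duplicate ids, and skips accounts that are already members so it can be re-run safely. It assumes Connect-AzureAD has already been run; the group id and CSV path are placeholders, and the CSV has the same columns as the answer's file.

```powershell
# Added example, not from the answer above. Group membership from a CSV keyed by employeeId.
$groupObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: your group's ObjectId
$rows = Import-Csv 'C:\Temp\testgroup.csv'                # columns: UPN,Role,employeeId

# Build the index once. employeeId lives in ExtensionProperty, so one full read of the directory is the cost.
$byEmployeeId = @{}
foreach ($u in Get-AzureADUser -All $true) {
    if (-not $u.ExtensionProperty.ContainsKey('employeeId')) { continue }
    $eid = $u.ExtensionProperty['employeeId']
    if ([string]::IsNullOrWhiteSpace($eid)) { continue }
    if ($byEmployeeId.ContainsKey($eid)) { $byEmployeeId[$eid] += @($u) } else { $byEmployeeId[$eid] = @($u) }
}

# Current members, so re-runs do not fail with "already a member".
$members = @{}
Get-AzureADGroupMember -ObjectId $groupObjectId -All $true | ForEach-Object { $members[$_.ObjectId] = $true }

foreach ($row in $rows) {
    $eid  = "$($row.employeeId)".Trim()
    $hits = $byEmployeeId[$eid]
    if (-not $hits)        { Write-Warning "employeeId '$eid' not found in the directory"; continue }
    if ($hits.Count -gt 1) { Write-Warning "employeeId '$eid' matches $($hits.Count) users; skipping"; continue }
    $user = $hits[0]
    if ($members.ContainsKey($user.ObjectId)) { continue }
    try {
        Add-AzureADGroupMember -ObjectId $groupObjectId -RefObjectId $user.ObjectId -ErrorAction Stop
        $members[$user.ObjectId] = $true
        "Added $($user.UserPrincipalName) (employeeId $eid)"
    }
    catch {
        Write-Warning "Failed to add $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}
```

Reporting duplicate employeeIds matters more than it looks: group membership often gates application access, and a reused id would otherwise grant that access to whichever account the unfiltered enumeration happened to return first.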