
Get Entra ID User Group Membership with PowerShell on endpoints

Use this PowerShell script and Azure logic app to get the Entra ID Group membership of a user in a safe and secure way. I’ve created this solution to be able to execute certain code based on the user’s group membership.

Back in the day it was easy to request the user’s group memberships with whoami /groups and you were all set. This changed with Entra ID joined devices. In this blog I use a logic app to read the group membership, which is more secure than using an app ID and secret to connect to Graph directly from endpoints, since such a credential can be used to query other data and groups as well.

Prepare Azure resources

Start with creating a logic app and assign it a “System Assigned ID” as shown below in the screenshot.

In the Azure Active Directory portal, assign the system managed ID User and Group Reader rights (or Global Reader).

Configure Logic App

1. Start the logic app with an HTTP trigger, which the PowerShell script calls to request the data needed to map the folders. You will need to copy this URL into the PowerShell script.

Schema:
{
    "properties": {
        "upn": {
            "type": "string"
        }
    },
    "type": "object"
}

2. With the UPN received from the PS script, we now query Azure AD for the user details we need in order to request the group membership. The green window indicates an HTTP request action.

3. Purple windows are Parse JSON actions. With this action we grab only the ID of the user, as we don’t need the other information:

Schema:
{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "id": {
            "type": "string"
        }
    },
    "type": "object"
}

4. Next we grab the user’s groups; the purple id is a dynamic value taken from the Parse user action.

5. Parse this information as well:

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "displayName": {
                        "type": "string"
                    }
                },
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}
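The five designer steps above assembled into one workflow definition, as an added example rather than the post's own Logic App export. The action names, the memberOf endpoint cast to microsoft.graph.group (so directory roles are left out), and the Response action (which the post does not show) returning only the parsed value array are assumptions; the @@ escaping seen in the post's schemas is not needed here because these schemas omit @odata.context.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "triggers": {
      "manual": {
        "type": "Request", "kind": "Http",
        "inputs": { "schema": { "type": "object", "required": [ "upn" ],
                    "properties": { "upn": { "type": "string" } } } }
      }
    },
    "actions": {
      "Get_user": {
        "description": "Step 2: look up the user by UPN with the system-assigned identity; only the id is needed",
        "runAfter": {}, "type": "Http",
        "inputs": {
          "method": "GET",
          "uri": "https://graph.microsoft.com/v1.0/users/@{encodeURIComponent(triggerBody()?['upn'])}?$select=id",
          "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" }
        }
      },
      "Parse_user": {
        "runAfter": { "Get_user": [ "Succeeded" ] }, "type": "ParseJson",
        "inputs": { "content": "@body('Get_user')",
                    "schema": { "type": "object", "properties": { "id": { "type": "string" } } } }
      },
      "Get_groups": {
        "description": "Step 4 (assumption): memberOf cast to group, so directory roles are not returned",
        "runAfter": { "Parse_user": [ "Succeeded" ] }, "type": "Http",
        "inputs": {
          "method": "GET",
          "uri": "https://graph.microsoft.com/v1.0/users/@{body('Parse_user')?['id']}/memberOf/microsoft.graph.group?$select=displayName",
          "authentication": { "type": "ManagedServiceIdentity", "audience": "https://graph.microsoft.com" }
        }
      },
      "Parse_groups": {
        "runAfter": { "Get_groups": [ "Succeeded" ] }, "type": "ParseJson",
        "inputs": { "content": "@body('Get_groups')",
                    "schema": { "type": "object", "properties": { "value": { "type": "array",
                      "items": { "type": "object", "properties": { "displayName": { "type": "string" } } } } } } }
      },
      "Response": {
        "description": "Assumption: return only the parsed group list, not the raw Graph response",
        "runAfter": { "Parse_groups": [ "Succeeded" ] }, "type": "Response", "kind": "Http",
        "inputs": { "statusCode": 200, "body": "@body('Parse_groups')?['value']" }
      }
    }
  }
}
```

The trigger URL embeds the Logic App's shared access signature and the workflow accepts any upn value, so treat the URL that is copied into the script as a secret and restrict the trigger's inbound IP range in the Logic App's access control settings where possible.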

The PowerShell Script

This script is fairly simple, as most of the logic is handled by the Logic App. Simply modify the URL in the script and it should return the JSON value with the group membership of the user, which is then deserialized into an array.

#EntraID GroupMembership
#2023.06.12 prof-it.services

# UPN of the signed-in user on the Entra ID joined device
$upn = whoami /upn

# HTTP trigger URL of the Logic App (contains its SAS signature)
$uri = "ADDYOURLOGICAPPURLHERE"

$postBody = @{
    upn = $upn
} | ConvertTo-Json
$response = Invoke-WebRequest -Method POST -Uri $uri -UseBasicParsing -Body $postBody -ContentType "application/json"

# Deserialize the JSON body returned by the Logic App's Response action into
# objects; the exact shape depends on what that action returns (for example
# $groups.value.displayName when the parsed Graph response is returned as-is)
$groups = $response.Content | ConvertFrom-Json
