Get Entra ID User Group Membership with PowerShell on endpoints

Use this PowerShell script and Azure Logic App to read the Entra ID group membership of the signed-in user from an endpoint in a controlled way. I created this solution to be able to run certain code depending on the user's group membership.

Back in the day it was easy to request the user's group memberships with whoami /groups and you were all set. This changed with Entra ID joined devices. In this blog I use a Logic App to read the group membership. This is more secure than shipping an app ID and client secret to the endpoints and connecting to Microsoft Graph directly, because a leaked secret could be used to query other users, groups and data, whereas the Logic App only answers one narrow question (the group names of a given UPN). Keep in mind that the Logic App's HTTP trigger URL still carries a shared access signature, so anyone who obtains the URL can look up the group membership of any UPN: treat the URL as a secret and restrict the trigger (for example with an inbound IP allow-list in the Logic App's access control settings) where possible.

Prepare Azure resources

Start by creating a Logic App and enabling a system-assigned managed identity for it, as shown in the screenshot below.

In the Entra ID (Azure Active Directory) portal, assign that managed identity the User and Group Reader role (or Global Reader), so the Logic App can read users and group memberships through Microsoft Graph.

Configure Logic App

1. Start the Logic App with an HTTP trigger ("When an HTTP request is received"). The PowerShell script posts the user's UPN to this trigger to request the group membership. Once the Logic App is saved, copy the trigger URL into the PowerShell script.

Schema:
{
    "properties": {
        "upn": {
            "type": "string"
        }
    },
    "type": "object"
}

2. With the UPN received from the PowerShell script, the Logic App now calls Microsoft Graph (an HTTP action authenticated with the managed identity) to look up the user and get the details needed to request the group membership. The green window in the screenshot indicates an HTTP action.

3. Purple windows are Parse JSON actions. This one extracts only the user's id from the Graph response, as the other properties are not needed:

Schema:
{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "id": {
            "type": "string"
        }
    },
    "type": "object"
}

4. Next, a second HTTP action requests the user's groups from Graph; the purple id token in the URL is a dynamic value taken from the Parse JSON action of step 3.

5. Parse that response as well, keeping only each group's displayName:

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "displayName": {
                        "type": "string"
                    }
                },
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}

The PowerShell Script

The script is fairly simple, as most of the logic lives in the Logic App. Simply replace the URL in the script and it returns the JSON with the user's group membership, which is then deserialized into PowerShell objects.

#EntraID GroupMembership
#2023.06.12 prof-it.services

# UPN of the signed-in user (available on Entra ID joined devices)
$upn = whoami /upn

# HTTP trigger URL of the Logic App; it contains the SAS signature, so keep it out of public repos
$uri = "ADDYOURLOGICAPPURLHERE"

# Request body matching the trigger schema: { "upn": "<user>" }
$postBody = @{
    upn = $upn
} | ConvertTo-Json
$response = Invoke-WebRequest -Method POST -Uri $uri -UseBasicParsing -Body $postBody -ContentType "application/json"

# The Logic App answers with JSON; deserialize it (ConvertFrom-Json, not ConvertTo-Json) into objects
$groups = $response.Content | ConvertFrom-Json
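As an added example (not the post's own script), the same call written as reusable functions with error handling and a membership check the endpoint code can branch on. It assumes the Logic App's Response action returns either the parsed "value" array from step 5 (a JSON array of objects with a displayName property) or the whole parsed object containing it; the group name Finance-Users and the variable names are hypothetical. Invoke-RestMethod is used instead of Invoke-WebRequest because it deserializes the JSON reply itself.

```powershell
# Added example, not the original post's code.
# Assumption: the Logic App's Response action returns the parsed memberOf result,
# i.e. a JSON array of { "displayName": "..." } objects (bare, or wrapped in "value").

function Get-EntraGroupMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,   # Logic App trigger URL incl. sig= parameter (treat as a secret)
        [Parameter(Mandatory)] [string] $Upn
    )

    # Body matching the trigger schema: { "upn": "<user>" }
    $body = @{ upn = $Upn } | ConvertTo-Json -Compress

    try {
        $result = Invoke-RestMethod -Method Post -Uri $Uri -Body $body `
                                    -ContentType 'application/json' -ErrorAction Stop
    }
    catch {
        throw "Logic App call failed for '$Upn': $($_.Exception.Message)"
    }

    # Accept either the bare array or the Graph-style object with a 'value' property
    $items = if ($null -ne $result.PSObject.Properties['value']) { $result.value } else { $result }

    # Return only the display names; drop empty ones (e.g. objects without a displayName)
    return @($items | ForEach-Object { $_.displayName } | Where-Object { $_ })
}

function Test-EntraGroupMember {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Groups,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Group display names are not case sensitive in Entra ID, so compare case-insensitively
    return [bool]($Groups | Where-Object { $_ -ieq $GroupName })
}

# whoami /upn returns nothing useful for a local (non-Entra) account; stop early
# instead of posting an error string to the Logic App.
$upn = whoami /upn
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($upn)) {
    throw 'No Entra ID UPN available for the current user.'
}

$LogicAppUri = 'ADDYOURLOGICAPPURLHERE'   # paste the trigger URL from the Logic App here
$groups = Get-EntraGroupMembership -Uri $LogicAppUri -Upn $upn.Trim()

# Hypothetical group name used only to illustrate the branch
if (Test-EntraGroupMember -Groups $groups -GroupName 'Finance-Users') {
    Write-Host "$upn is a member of Finance-Users; running group-specific code"
    # group-specific code goes here
}
else {
    Write-Host "$upn is not a member of Finance-Users"
}
```

Because the Logic App only returns display names, the check above matches on name; if two groups in the tenant share a display name, return and compare the group id from the Parse JSON step instead.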
