0 votes

Hi

I'm trying to set up a process where when a user (on prem) is added to an Azure group, they are removed from some conflicting groups automatically.

When the script runs though, I get the following error

Get-AdmPrincipalGroupMembership : The given key was not present in the dictionary

Running the command in a standard powershell generates the same error and no Azure groups are listed in the results. Is there a way to get this to work?

Additionally, we have a number of child domains and the user can be in any of them.

The script as I have it is

Import-Module Adaxes
$userDomain = "root.domain"

$memberDomain ="%member%".Split(",")[-3]
if ($memberDomain -match "DC=") {
    $userDomain = $memberDomain.Split("=")[1] + "." + $userDomain
}

$user = Get-AdmUser -Identity "%member%" -Server $userDomain -AdaxesService localhost
$groups = Get-AdmPrincipalGroupMembership -Identity $user -AdaxesService localhost

foreach ($group in $groups) {
    if ($group.Name -match "Group nameing convention") { Remove-AdmGroupMember -Identity $group -Members $user -Server "domain.onmicrosoft.com" -AdaxesService localhost }
}

Thanks

Matt

by (2.0k points)

1 Answer

0 votes
by (294k points)
selected by
Best answer

Hello Matt,

Unfortunately, this is a known issue in Adaxes. it will be fixed in the upcoming release. As a solution, you can use dedicated Adaxes methods and search instead of the cmdlets. The following article should be helpful: https://www.adaxes.com/sdk/SampleScripts.SearchingGroups.

0

Thanks for the quick reply.

0

Hi

I thought that using native Azure powershell would be easier and cleaner to look at so I wrote the following

Import-Module Adaxes
$userDomain = "domain.com"

$memberDomain ="%member%".Split(",")[-3]
if ($memberDomain -match "DC=") { $userDomain = $memberDomain.Split("=")[1] + "." + $userDomain }

$userUPN = (Get-AdmUser -Identity "%member%" -Server $userDomain -AdaxesService localhost -Properties UserPrincipalName).UserPrincipalName
$Context.LogMessage("$userUPN", "Information")

#Get Credentials and connect to AzureAD
$cred = $Context.GetOffice365Credential()
Import-Module AzureAD
Connect-AzureAD -Credential $cred

$myVar = Get-AzureADTenantDetail
$Context.LogMessage("$($myVar.DisplayName)", "Information")


$userId  = (Get-AzureADUser -SearchString $userUPN).ObjectId
$Context.LogMessage("$userId", "Information")

Get-AzureADUser -SearchString $userUPN | Get-AzureADUserMembership | ForEach-Object {
    $Context.LogMessage("$($_.DisplayName)", "Information")
    if ($_.DisplayName -match "Group naming convention") {
        $Context.LogMessage("Remove $($_.DisplayName)", "Information")
        Remove-AzureADGroupMember -ObjectId $_.objectid -MemberId $userId
    }
}

Disconnect-AzureAD

However, for some reason the users Azure ObjectId never seems to be returned. I'm running this in a business rule which acts before adding a user to the group, but the users UPN is returned. We are quite far behind with the AzureAD module, but the same commands work fine in native powershell. Also, the Get-AzureADTenantDetail command works fine, so I know that I'm connected to AzureAD.

+1

Hello Matt,

If your Microsoft 365 tenant is registered in Adaxes with the credentials of an Azure app, the GetOffice365Credential method will not work. This behaviour is by design. Also, the method is not available in Adaxes 2023. Using the AzureAD module is also not a good idea as it will be deprecated soon. As such, you have two options:

0

Hi

Thanks for the reply. We are currently still using the service account for connecting to Azure due to some restrictions with some of our other custom scripts which I am working through.

I find it strange as I know that we are connected to Azure because the tenant details are being returned to the log following these commands

$myVar = Get-AzureADTenantDetail
$Context.LogMessage("$($myVar.DisplayName)", "Information")

That said, I've managed to get Graph to work, thanks as always for your quick responses.

Matt

0

Hello Matt,

A new version of Adaxes containing a fix for the issue is released. You can download it from here.

What’s New

Upgrade Instructions

Related questions

0 votes
1 answer

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they ... about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

asked Jun 24 by dhardyuk (20 points)
0 votes
1 answer

Get-AdmPrincipalGroupMembership always throws an exception, even for users which absolutely exist (eg: piped ... :Commands:GetAdmPrincipalGroupMembershipCommand:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.GetAdmPrincipalGroupMembershipCommand

asked May 4, 2023 by Viajaz (210 points)
0 votes
1 answer

Hello, I'm trying to write a simple powershell script to check if a user is a member of one of two groups and output a true value if the user is a member of ... intended to be run as Adaxes scheduled tasks or can I use the default Powershell cmdlets instead?

asked Nov 4, 2015 by drew.tittle (810 points)
0 votes
1 answer

Hi We're runing 2023 and have the Azure AD registered. I'm trying to use the Get-AdmGroup to find groups in the Azure domain, but it doesn't come back with any results, though I know the group exists. Is there a way to get the command to do this? Thanks Matt

asked Feb 8, 2023 by chappers77 (2.0k points)
0 votes
1 answer

Is it possible to surface Azure native AAD security groups within the Adaxes console in order to allow users to add themselves?

asked Dec 6, 2022 by sirslimjim (480 points)
3,589 questions
3,278 answers
8,303 comments
548,130 users