Adaxes

Get-AdmPrincipalGroupMembership and Azure groups

0 votes

Hi

I'm trying to set up a process where when a user (on prem) is added to an Azure group, they are removed from some conflicting groups automatically.

When the script runs though, I get the following error

Get-AdmPrincipalGroupMembership : The given key was not present in the dictionary

Running the command in a standard powershell generates the same error and no Azure groups are listed in the results. Is there a way to get this to work?

Additionally, we have a number of child domains and the user can be in any of them.

The script as I have it is 

Import-Module Adaxes
$userDomain = "root.domain"

$memberDomain ="%member%".Split(",")[-3]
if ($memberDomain -match "DC=") {
    $userDomain = $memberDomain.Split("=")[1] + "." + $userDomain
}

$user = Get-AdmUser -Identity "%member%" -Server $userDomain -AdaxesService localhost
$groups = Get-AdmPrincipalGroupMembership -Identity $user -AdaxesService localhost

foreach ($group in $groups) {
    if ($group.Name -match "Group nameing convention") { Remove-AdmGroupMember -Identity $group -Members $user -Server "domain.onmicrosoft.com" -AdaxesService localhost }
}

Thanks

Matt

by (2.0k points)

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Matt,

Unfortunately, this is a known issue in Adaxes. it will be fixed in the upcoming release. As a solution, you can use dedicated Adaxes methods and search instead of the cmdlets. The following article should be helpful: https://www.adaxes.com/sdk/SampleScripts.SearchingGroups.

0

Thanks for the quick reply.

by (2.0k points)
0

Hi

I thought that using native Azure powershell would be easier and cleaner to look at so I wrote the following 

Import-Module Adaxes
$userDomain = "domain.com"

$memberDomain ="%member%".Split(",")[-3]
if ($memberDomain -match "DC=") { $userDomain = $memberDomain.Split("=")[1] + "." + $userDomain }

$userUPN = (Get-AdmUser -Identity "%member%" -Server $userDomain -AdaxesService localhost -Properties UserPrincipalName).UserPrincipalName
$Context.LogMessage("$userUPN", "Information")

#Get Credentials and connect to AzureAD
$cred = $Context.GetOffice365Credential()
Import-Module AzureAD
Connect-AzureAD -Credential $cred

$myVar = Get-AzureADTenantDetail
$Context.LogMessage("$($myVar.DisplayName)", "Information")


$userId  = (Get-AzureADUser -SearchString $userUPN).ObjectId
$Context.LogMessage("$userId", "Information")

Get-AzureADUser -SearchString $userUPN | Get-AzureADUserMembership | ForEach-Object {
    $Context.LogMessage("$($_.DisplayName)", "Information")
    if ($_.DisplayName -match "Group naming convention") {
        $Context.LogMessage("Remove $($_.DisplayName)", "Information")
        Remove-AzureADGroupMember -ObjectId $_.objectid -MemberId $userId
    }
}

Disconnect-AzureAD

However, for some reason the users Azure ObjectId never seems to be returned. I'm running this in a business rule which acts before adding a user to the group, but the users UPN is returned. We are quite far behind with the AzureAD module, but the same commands work fine in native powershell. Also, the Get-AzureADTenantDetail command works fine, so I know that I'm connected to AzureAD.

by (2.0k points)
+1

Hello Matt,

If your Microsoft 365 tenant is registered in Adaxes with the credentials of an Azure app, the GetOffice365Credential method will not work. This behaviour is by design. Also, the method is not available in Adaxes 2023. Using the AzureAD module is also not a good idea as it will be deprecated soon. As such, you have two options:

by (289k points)
0

Hi

Thanks for the reply. We are currently still using the service account for connecting to Azure due to some restrictions with some of our other custom scripts which I am working through.

I find it strange as I know that we are connected to Azure because the tenant details are being returned to the log following these commands

$myVar = Get-AzureADTenantDetail
$Context.LogMessage("$($myVar.DisplayName)", "Information")

That said, I've managed to get Graph to work, thanks as always for your quick responses.

Matt

by (2.0k points)
0

Hello Matt,

A new version of Adaxes containing a fix for the issue is released. You can download it from here.

What’s New

Upgrade Instructions

by (289k points)

Related questions

0 votes
1 answer
As part of offboarding users I need to keep a note of all AD/Entra groups, Azure / M365 roles and licenses

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they ... about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

asked Jun 24 by dhardyuk (20 points)
0 votes
1 answer
Get-AdmPrincipalGroupMembership doesn't work

Get-AdmPrincipalGroupMembership always throws an exception, even for users which absolutely exist (eg: piped ... :Commands:GetAdmPrincipalGroupMembershipCommand:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.GetAdmPrincipalGroupMembershipCommand

asked May 4, 2023 by Viajaz (210 points)
0 votes
1 answer
Get-admPrincipalGroupMembership doesn't work

Hello, I'm trying to write a simple powershell script to check if a user is a member of one of two groups and output a true value if the user is a member of ... intended to be run as Adaxes scheduled tasks or can I use the default Powershell cmdlets instead?

asked Nov 4, 2015 by drew.tittle (810 points)
0 votes
1 answer
Get-AdmGroup for Azure Domain

Hi We're runing 2023 and have the Azure AD registered. I'm trying to use the Get-AdmGroup to find groups in the Azure domain, but it doesn't come back with any results, though I know the group exists. Is there a way to get the command to do this? Thanks Matt

asked Feb 8, 2023 by chappers77 (2.0k points)
0 votes
1 answer
Make Azure-native AAD security groups request-able within Adaxes console?

Is it possible to surface Azure native AAD security groups within the Adaxes console in order to allow users to add themselves?

asked Dec 6, 2022 by sirslimjim (480 points)
3,549 questions
3,240 answers
8,232 comments
547,814 users