Azure - How to find user principal name not a member of particular group (which contain "AVD" in its name)

asKMe
June 16, 2022
258 views
0 votes
2 Answers

From Azure AD, Are there any ways to find users who does not have a speciifc group assigned ( the name contain %AVD% in it) ?

This is what I have tried:

  https://graph.microsoft.com/beta/users?$expand=memberOf
  https://graph.microsoft.com/v1.0/users/groups?$search="AVD"
   https://graph.microsoft.com/v1.0/users?$select=memberOf eq '%AVD%'

unable to get expected result. That is user principle name not a member of perticuler group which contain "AVD" in its name.
Thanks.

Answers

- Rukmini
- June 16, 2022 at 6:27 am
- 0 votes
0
To find users who does not have a specific group assigned, please try the below PowerShell script by Marilee Turscak-MSFT:
```
$groupids = @("Group_Id1", "Group_Id2")  
$userht = @{}  
Get-AzureADUser -SearchString 'AVD' | foreach-object {$userht.Add($_.ObjectId,$_)}   
ForEach($id in $groupids){  
Get-AzureADGroupMember -all $true -ObjectId $id | foreach-object { $userht.Remove($_.ObjectId) } 
}
```
I tried to reproduce the same in my environment like below:

Initially, I executed below command to get the users with Jo in their names.
```
Get-AzureADUser -SearchString 'Jo'
```
The user ObjectId "afcfad54xxxxxxxxxxx" is a member of one group like below:

After executing the PowerShell script, the ObjectId with "f1e72629xxxxxxxxxxx" returned as it is not a member of any specified groups:
Login or Signup to reply.

Firstly, Odata eq doesn’t support % to execute fuzzy query, and displayName property not support contains function, so there’s actually no solution for graph api to return your idea result.

Per my test, I think this request should work but it didn’t execute the filter actually.

https://graph.microsoft.com/v1.0/users?$expand=memberOf($select=displayName;$filter=displayName eq 'xxx';)&$select=displayName,id,memberOf

So I’m afraid you have to execute the api first and then do the filter by your code. And I wrote a sample like this:

using Microsoft.Graph;
using Azure.Identity;

var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "your_tenant_name.onmicrosoft.com";
var clientId = "azure_ad_client_id";
var clientSecret = "client_secret";
var clientSecretCredential = new ClientSecretCredential(
    tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
//$filter=displayName eq 'xxx' doesn't work
var a = await graphClient.Users.Request().Expand("memberOf($select=displayName;$filter=displayName eq 'xxx')").Select("displayName,id,memberOf").GetAsync();
List<User> users = a.ToList();
List<User> res = new List<User>();
foreach (User user in users)
{
    List<DirectoryObject> memberOf = user.MemberOf.ToList();
    foreach (DirectoryObject obj in memberOf) {
        if (obj.ODataType == "#microsoft.graph.group") {
            Group temp = (Group)obj;
            if (temp.DisplayName.Contains("Admin")) {
                res.Add(user);
                continue;
            }
        }
    }
}

Please signup or login to give your own answer.

Click here to cancel reply.

Azure – How to find user principal name not a member of particular group (which contain "AVD" in its name)

Answers