Why would we put groups in groups?
Nesting groups is common in enterprises that keep a few main groups for, for example, group-based licensing in Azure AD, and there are many more examples.
The drawback of nested groups is that at some point you no longer know whether a user is actually a member of the group, and therefore whether they get the licence that the group assigns.
‘Yo dawg, I heard you like groups, so I put groups in your groups, so you can search for users while you’re searching for users.’ – Xzibit, ‘Pimp My Ride’
I created a PowerShell script to get your nested group members.
I’m sure there will be an option in the Azure portal for this, but until then I’ve made a PowerShell script.
All you need for this is the AzureAD module.
I no longer host scripts on my own blog.
You can download the script from Github.
Let’s go through Get-AzureADNestedGroupMembers.ps1.
I added two parameters to the script: Groups and ObjectType.
Both are mandatory.
The Groups parameter is where you enter the group, by its DisplayName.
The script then looks up the ObjectId automatically.
You can pass multiple groups, as long as you use their DisplayNames.
# Resolve the DisplayName to the group object (stop on any error, e.g. no such group)
$Grp = Get-AzureADGroup -Filter "DisplayName eq '$Group'" -ErrorAction Stop
# Fetch the group's direct members; -All $true avoids the default 100-member page limit
$Members = Get-AzureADGroupMember -ObjectId $Grp.ObjectId -All $true -ErrorAction Stop
The ObjectType parameter is a ValidateSet, which is self-explanatory. There are three ObjectTypes: Users, Devices and Groups.
These are the ones I found (I didn’t search further, I only ran the script). You use the ValidateSet to restrict the output to one type of object.
Below I will give you a few examples of what you can do with it. Make sure you have downloaded the script before you continue.
You can use the standard
Get-AzureADNestedGroupMembers -Groups 'GROUPNAME' -ObjectType Users
Get-AzureADNestedGroupMembers -Groups 'GROUPNAME' -ObjectType Devices
Get-AzureADNestedGroupMembers -Groups 'GROUPNAME' -ObjectType Groups
If the group (or any group nested in it) contains members of the selected ObjectType, the script returns those objects; if it contains none, nothing is returned.
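To show what such a nested walk has to deal with in practice, here is an added example written for this page; it is not the script from the post or its code. The function name Get-NestedGroupMembersExample is hypothetical, and it assumes the AzureAD module is installed and Connect-AzureAD has already been run in the session. Beyond the post’s script it guards against three things a practitioner hits with real tenants: nested groups that form a cycle, the same user reachable through several paths, and DisplayNames that are not unique.

```powershell
# Added example, not the script from the post. Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run in this session.
function Get-NestedGroupMembersExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Groups,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Users', 'Devices', 'Groups')]
        [string]$ObjectType
    )

    # The ValidateSet values are plural; the ObjectType property on the
    # DirectoryObjects returned by Get-AzureADGroupMember is singular
    # ('User', 'Device', 'Group').
    $wanted = $ObjectType.TrimEnd('s')

    # ObjectIds of groups already expanded, so a cycle (A contains B, B contains A)
    # or a subgroup nested under two parents is not walked twice.
    $visited = New-Object 'System.Collections.Generic.HashSet[string]'
    # ObjectIds already emitted, so an object reachable via several paths is returned once.
    $emitted = New-Object 'System.Collections.Generic.HashSet[string]'

    function Expand-Group {
        param([string]$GroupObjectId)

        # HashSet.Add returns $false when the id was already present: stop recursing.
        if (-not $visited.Add($GroupObjectId)) { return }

        # -All $true: without it only the first page (100 members) comes back.
        $members = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true -ErrorAction Stop
        foreach ($m in $members) {
            if ($m.ObjectType -eq $wanted -and $emitted.Add($m.ObjectId)) {
                $m
            }
            if ($m.ObjectType -eq 'Group') {
                Expand-Group -GroupObjectId $m.ObjectId
            }
        }
    }

    foreach ($name in $Groups) {
        # A single quote inside the name must be doubled for the OData filter.
        $escaped = $name -replace "'", "''"
        $match = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'" -ErrorAction Stop)

        # DisplayName is not unique in Azure AD, so refuse to guess between duplicates.
        if ($match.Count -eq 0) { throw "Group '$name' not found." }
        if ($match.Count -gt 1) {
            throw "Group name '$name' is ambiguous ($($match.Count) matches); use the ObjectId instead."
        }
        Expand-Group -GroupObjectId $match[0].ObjectId
    }
}

# Usage (after Connect-AzureAD):
# Get-NestedGroupMembersExample -Groups 'GROUPNAME' -ObjectType Users |
#     Select-Object DisplayName, UserPrincipalName, ObjectId
```

The two HashSets are the important part: without the visited set a circular nesting recurses until PowerShell’s call-depth limit is hit, and without the emitted set a user who sits in several subgroups shows up once per path, which matters when the output is used to check who actually receives a licence. Note that the AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK; the same walk applies there, only the member lookup cmdlet and the way the object type is exposed differ.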