Get-AzureADGroup: PowerShell Group Reporting Filter Examples

Do you need help using the Get-AzureADGroup PowerShell cmdlet to report on Azure AD groups? This article teaches you all you need to know about this AzureAD cmdlet with examples.

We start with a quick overview of the cmdlet. The overview section also discusses the syntaxes and parameters of the cmdlet. 

After that, you learn how to install the AzureAD module, which includes the Get-AzureADGroup cmdlet. The article ends by discussing multiple examples and applications of reporting Azure AD groups with this PowerShell command. 

Get-AzureADGroup: Overview, Syntax, and Parameters

The Get-AzureADGroup cmdlet is part of the AzureAD module. So, if you need to run this command from your computer, you must install and import the module.

After installing the module, before running any command, including the Get-AzureADGroup command, you must first run the Connect-AzureAD PowerShell command. This command authenticates to your Azure AD tenant.

Alternatively, if you want to avoid installing the module, you can run the command from Azure Cloud Shell – a browser-based command-line interface that supports PowerShell and Azure CLI (Bash) commands.

Let’s examine the syntax of the Get-AzureADGroup command. This command gets an Azure AD group (via AzureAD Graph).

Here is the first syntax:

   -All (Boolean)
   -Top (Int32)
   -Filter (String)

The All parameter takes a boolean value of $true or $false (All:$true or All:$false). If $true is specified, the command returns all groups in the Azure AD tenant.

However, $false returns the number of objects specified in the Top parameter. So this means that you use the Top parameter to determine how many groups are returned. 

Another parameter in the first syntax is Filter – use this to create a filter statement that determines which objects are returned. We explore how to use these parameters in our example section. 

Moving on, the second syntax of the Get-AzureADGroup command is shown below:

   -SearchString (String)
   -All (Boolean)

This syntax also uses the All parameter but includes one more parameter – SearchString. The All parameter works the same way as in the first syntax discussed earlier. 

On the other hand, use the SearchString parameter to specify a search string, which affects the groups returned by the command. 

Finally, we have the third syntax shown below: 

   -ObjectId (String)
   -All (Boolean)

The third syntax also includes the All parameter and a new parameter – ObjectId. The ObjectId parameter is used to specify the Id of the group you want to return. 

Install the AzureAD Module and Connect to Azure Tenant

Step 1: Install the AzureAD Module

This step is optional. To run the commands in the example section from Azure Cloud Shell, skip this section and jump to the examples section. 

However, to install the AzureAD module and run the commands from your PC, follow the steps below:

1. Open PowerShell as administrator by searching “PowerShell” and clicking “Run as Administrator.” Allow the app to make changes to your device – click Yes. 

2. When PowerShell opens, modify the execution policy to allow signed downloaded scripts to run on your computer by running this command:

					powershell.exe -ExecutionPolicy RemoteSigned

3. After that, confirm that the AzureAD module is NOT installed on your computer by running the Import-Module command. 

The command returns an error message if the module is not installed on your PC. Otherwise, it runs successfully. 

					Import-Module AzureAD

4. If the previous command returned an error message, install the module using this command. 

					Install-Module -Name AzureAD -AllowClobber

5. After installing the module, import it to your current PowerShell session by re-running the Import-Module command. 

					Import-Module AzureAD

6. Finally, confirm that the AzureAD module is available on your PC using the Get-Module command. 

					Get-Module AzureAD

Step 2: Connect to Azure Active Directory with Connect-AzureAD

1. Once you’ve successfully installed the module, run the Connect-AzureAD command to authenticate to your Azure AD tenant. Change username@domainname.com to your Azure sign-in email address. 

					Connect-AzureAD -Credential (Get-Credential username@domainname.com)

When you execute the Connect-AzureAD command, PowerShell requires you to enter the password for the Azure login email address. Enter the password and click OK. 

2. After providing the password and clicking OK, PowerShell connects to Azure and displays information about the tenant. 

If you reached this point successfully, you’re ready to run the Get-AzureADGroup command from your PC. Proceed to the next section for examples.

Get-AzureADGroup: Filter Examples For PowerShell Group Reporting

I am running all commands in these examples from the Azure Cloud Shell and from my computer. To open Azure Cloud Shell, open shell.azure.com, and sign in with your Azure account. 

Once the Cloud Shell loads, make sure that you select PowerShell. 

Example 1: Return All Azure AD Groups

If you recollect, in the syntax section, we explained that the All parameter is used to return all Azure AD groups. Run the command below to return all Azure AD groups. 

					Get-AzureADGroup -All:$true

The screenshot below shows the command in PowerShell on my PC. Similarly, the second screenshot shows the command in Azure Cloud Shell. 

Before running this command in Cloud Shell, remember to run the Connect-AzureAD command first. The remaining examples in this section follow this pattern – the first screenshot is for commands from my PC, while the second is from the Azure Cloud Shell. 

Example 2: Return a Single Azure AD Group with the ObjectId Parameter

In the first example, the command displayed the ObjectID (first column) of the Azure AD groups. To return the first group, I run the Get-AzureADGroup command by specifying the ObjectID parameter – see the sample command below.

					Get-AzureADGroup -ObjectId 29f836a1-260f-4f25-9338-9c32a7370480

Example 3: Return x Azure AD Groups with the All and Top Parameters of Get-AzureADGroup

In the first example, we used the All:$true parameter to return ALL Azure AD groups. The command below uses the All:$false parameter to stop the Get-AzureADGroup command returning ALL groups. Additionally, we included the Top parameter to return just 3 groups. 

					Get-AzureADGroup -All:$false -Top:3

Example 4: Get-AzureADGroup Filter and SearchString Parameters

The command below uses the Filter parameter to return groups that meet the filtering criteria. The command returns all groups whose DisplayName starts with “InfraSOS”. 

					Get-AzureADGroup -Filter "startswith(DisplayName, 'InfraSOS')"

Here are the screenshots in PowerShell and Azure Cloud Shell. 

Here is the same command using the SearchString parameter. The screenshot after the command displays the result from this and the previous command in PowerShell. 

					Get-AzureADGroup -SearchString "InfraSOS"

Example 5: Get Members of an Azure AD Group

So far, we’ve been running commands that return Azure AD groups. But what if you want to return members of a group?

This command returns the members of the Azure AD group with the Id specified in the ObjectID parameter. 

					Get-AzureADGroup -ObjectId bcbd0003-6418-45df-8c57-9ef69bc290d9 | Get-AzureADGroupMember -All $True

Example 6: Report Members of Multiple Azure AD Groups

In example 5, we explored listing the members of an Azure AD group by piping Get-AzureADGroup to Get-AzureADGroupMember. Beyond a single group, we modify the command to return the members of multiple groups. 

To achieve this, we save the output of Get-AzureADGroup to a variable. Then, use that variable in a ForEach loop.

Within the ForEach loop, we use the Get-AzureADGroupMember command to return all members of each group. 

To return a single report that includes all group members, the whole command is saved in a variable. See the sample command below. 

The script modifies the command from example 3. 

					# Remember to change username@domainname.com to your username
					Connect-AzureAD -Credential (Get-Credential username@domainname.com)
					# Groups whose DisplayName starts with 'InfraSOS'
					$azureadgroups = Get-AzureADGroup -Filter "startswith(DisplayName, 'InfraSOS')"
					# Collect the members of every group into one variable
					$azureadgroupmembers =
					ForEach ($azureadgroup in $azureadgroups) {
					  Get-AzureADGroup -ObjectId $azureadgroup.ObjectId | Get-AzureADGroupMember -All $True
					}
					$azureadgroupmembers | Format-Table

The above script is not a one-liner, so I run it in PowerShell ISE instead of PowerShell. However, I must run the Connect-AzureAD command in PowerShell ISE before running the above script. 

The command returns the group membership of the 2 Azure AD groups returned by the Get-AzureADGroup command. 

As shown in the screenshot, our script returned the default columns from the Get-AzureADGroupMember command. However, for reporting purposes, we may not require some of the columns. 

To return only the properties (columns) we require, we include them in the Format-Table command. See the modified script below. 

					# Remember to change username@domainname.com to your username
					Connect-AzureAD -Credential (Get-Credential username@domainname.com)
					$azureadgroups = Get-AzureADGroup -Filter "startswith(DisplayName, 'InfraSOS')"
					$azureadgroupmembers =
					ForEach ($azureadgroup in $azureadgroups) {
					  Get-AzureADGroup -ObjectId $azureadgroup.ObjectId | Get-AzureADGroupMember -All $True
					}
					# Show only the columns needed for the report
					$azureadgroupmembers | Format-Table DisplayName, UserPrincipalName

The result is a finer report displaying the included columns – DisplayName, and UserPrincipalName. 

Another way to script this is to pipe the output of Get-AzureADGroupMember to a Select-Object command and include the properties to return in Select-Object. 

Here is the modified script using Select-Object. 

					# Remember to change username@domainname.com to your username
					Connect-AzureAD -Credential (Get-Credential username@domainname.com)
					$azureadgroups = Get-AzureADGroup -Filter "startswith(DisplayName, 'InfraSOS')"
					$azureadgroupmembers =
					ForEach ($azureadgroup in $azureadgroups) {
					  # Keep only the two properties needed before the objects are collected
					  Get-AzureADGroup -ObjectId $azureadgroup.ObjectId | Get-AzureADGroupMember -All $True | Select-Object DisplayName, UserPrincipalName
					}
					$azureadgroupmembers | Format-Table

I have highlighted the updated part of the script in the screenshot below. 

Example 7: Export Members of Azure AD Group to CSV

If you want to export the output of the last command to a CSV file, modify the script as shown below. 

					# Remember to change username@domainname.com to your username
					Connect-AzureAD -Credential (Get-Credential username@domainname.com)
					$azureadgroups = Get-AzureADGroup -Filter "startswith(DisplayName, 'InfraSOS')"
					$azureadgroupmembers =
					ForEach ($azureadgroup in $azureadgroups) {
					  Get-AzureADGroup -ObjectId $azureadgroup.ObjectId | Get-AzureADGroupMember -All $True | Select-Object DisplayName, UserPrincipalName
					}
					# Write the collected members to a CSV file without the type header line
					$azureadgroupmembers | Export-Csv D:\report\AzureADGroupMembers.CSV -NoTypeInformation

The screenshot below shows the report in the exported CSV file. 
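
The export above lists members but not the group each one came from, and non-user members appear with an empty UserPrincipalName. The following is an added example, not part of the original article, that records the parent group and the member's object type on every row so the CSV can be used for an access review. It assumes Connect-AzureAD has already been run; the output file name and the variable names are placeholders chosen for this example.

```powershell
# Added example: membership report that keeps the parent group on every row.
# Assumes Connect-AzureAD has already been run in this session.
$prefix  = 'InfraSOS'                        # prefix used in the article's examples
$outFile = '.\AzureADGroupMembersByGroup.csv' # placeholder output path

# -All $true returns every matching group rather than only the first page of results.
$groups = Get-AzureADGroup -All $true -Filter "startswith(DisplayName, '$prefix')"

$report = foreach ($group in $groups) {
    # @() guarantees an array even when a group has zero or one member.
    $members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)

    if ($members.Count -eq 0) {
        # Keep empty groups visible in the report instead of silently dropping them.
        [pscustomobject]@{
            GroupName         = $group.DisplayName
            GroupObjectId     = $group.ObjectId
            MemberType        = $null
            MemberDisplayName = $null
            UserPrincipalName = $null
            MemberObjectId    = $null
        }
        continue
    }

    foreach ($member in $members) {
        [pscustomobject]@{
            GroupName         = $group.DisplayName
            GroupObjectId     = $group.ObjectId
            # Direct members only: a nested group shows up as one row of type Group
            # and its own members are not expanded here.
            MemberType        = $member.ObjectType
            MemberDisplayName = $member.DisplayName
            UserPrincipalName = $member.UserPrincipalName   # empty for non-user members
            MemberObjectId    = $member.ObjectId
        }
    }
}

$report | Sort-Object GroupName, MemberType, MemberDisplayName |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Review view: how many members of each object type every group contains.
$report | Where-Object MemberObjectId |
    Group-Object GroupName, MemberType |
    Select-Object Count, Name
```

Rows whose MemberType is Group or ServicePrincipal are the ones to look at first in a review, because their effective access is not visible from the UserPrincipalName column alone.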

Get-AzureADGroup: PowerShell Group Reporting Filter Examples Conclusion

The Get-AzureADGroup cmdlet is essential for reporting on Azure AD groups. It has three syntaxes that show how to use its parameters in a command. 

The three syntaxes include the All parameter. What differentiates them is the Top and Filter parameters in the first syntax, SearchString in the second, and ObjectId in the third. 

In this article, we mentioned that the Get-AzureADGroup cmdlet is part of the AzureAD module. So, the module must be installed if you want to run the command from your PC. 

However, as shown several times in our examples, the command works in the Azure Cloud Shell without installing any modules. 


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
