Use this PowerShell script and Azure logic app to get the Entra ID Group membership of a user.

Back in the day it would be easy to request the user’s group memberships with whoami /groups and you’re all set. This changed with Entra ID. I’ve created this solution to execute certain code based on the user’s group membership. It uses a logic app to read the group membership.

This is a low-cost solution, even if you execute it on all computers for all users every sign in. 1000 users would costs +- $50 per Month.

Prepare Azure resources

Start with creating a logic app and assign it a “System Assigned ID” as shown below in the screenshot.

In the Azure Active Directory portal, assign the system managed ID User and Group Reader rights (or Global Reader).

Configure Logic App

You’ve already created the logic app, and assigned it rights on the table and Azure AD. We will continue with designing the flows.

Start the logic app with an HTPP trigger, which we will use in the PowerShell script to requests the data needed to map the folders. You will need to copy this URL in the PowerShell script.

Schema:
{
    "properties": {
        "upn": {
            "type": "string"
        }
    },
    "type": "object"
}

With the UPN received from the PS script, we will now request Azure AD with detailed information we need to request the group membership. The green window indicates it’s an HTPP Request.

Purple windows are parse json actions. With this action we grab the ID of the user only, as we don’t need the other information:

Schema:
{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "id": {
            "type": "string"
        }
    },
    "type": "object"
}

Next we grab the user’s groups, the purple id is a dynamic value from the parse user action.

Parse this information as well:

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "displayName": {
                        "type": "string"
                    }
                },
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}
Schema:
{
    "properties": {
        "odata.metadata": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "PartitionKey": {
                        "type": "string"
                    },
                    "RowKey": {
                        "type": "string"
                    },
                    "Timestamp": {
                        "type": "string"
                    },
                    "URL": {
                        "type": "string"
                    },
                    "odata.etag": {
                        "type": "string"
                    }
                },
                "required": [
                    "odata.etag",
                    "PartitionKey",
                    "RowKey",
                    "Timestamp",
                    "URL"
                ],
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}

Your entire Logic App should now look like this:

The PowerShell Script

The scripts is fairly simple, as most of the logic is handled by the Logic App. Simply modify the URL in the script and it should return the json value with the group membership of the user, which is then serialized to an array.

You can run the script as a Device script that’s run in the user context, or modify it slightly to a Remediation profile.

#EntraID GroupMembership
#2023.06.12 prof-it.services

$upn = whoami /upn
#$upn = "[email protected]"

$uri = "ADDYOURLOGICAPPURLHERE"

$postBody = @{
    upn = $upn
} | ConvertTo-Json
$response = Invoke-WebRequest -Method POST -Uri $uri -UseBasicParsing -Body $postBody -ContentType "application/json"

$groups = $response.Content | ConvertTo-Json -AsArray

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *