
Request to translate AAD group names

neztach opened this issue 3 years ago · 1 comment

When running something like Show-WinADGroupMemberOf it works terrifically, but my request is: if the group name being returned is an AAD group, can it be written in to translate the 365 Group Writeback name to the DisplayName as it iterates through? (365 Group Writeback doesn't put a human-readable value in the Name attribute, but it does put it in the DisplayName attribute.)

I've written a proof of concept that allows me to do it by hand (even if inefficiently). Reference for GUID translation here: https://tech.nicolonsky.ch/validating-a-guid-with-powershell/

The thinking for my example was:

  1. Get the user's group membership,
  2. Get the groups returned DisplayName values,
  3. Check whether the group's Name attribute matches (via regex) the 365 Group Writeback syntax,
  4. If it matches, return 'AAD - ' followed by the value in the group's DisplayName,
  5. Else just return the group Name.

I'm sure you'll have a more efficient method, but this is my submission to improve your awesome script.

$GUIDRegex = '(?im)^[{(]?[0-9A-F]{8}[-]?(?:[0-9A-F]{4}[-]?){3}[0-9A-F]{12}[)}]?$'
$userGroups = Get-ADPrincipalGroupMembership -Identity '<username>'
ForEach ($group in $userGroups) {
    $AdGroup = Get-ADGroup -Identity $group -Properties DisplayName
    # Anchor the prefix and strip exactly 'Group_' with -replace before testing the rest
    # as a GUID. TrimStart('Group_') would instead strip any leading run of the
    # characters G, r, o, u, p and _, which is a different (and looser) test.
    If (
        $AdGroup.Name -match '^Group_' -and
        ($AdGroup.Name -replace '^Group_', '') -match $GUIDRegex
    ) {
        Write-Output -InputObject "AAD - $($AdGroup.DisplayName)"
    } Else {
        Write-Output -InputObject $AdGroup.Name
    }
}

From the resource I referenced, he wrote a function to assist:

Function Test-Guid {
    <#
        .SYNOPSIS
        Validates a given input string and checks string is a valid GUID
        .DESCRIPTION
        Validates a given input string and checks string is a valid GUID by using the .NET method Guid.TryParse
        .EXAMPLE
        Test-Guid -InputObject "3363e9e1-00d8-45a1-9c0c-b93ee03f8c13"
        .NOTES
        Uses .NET method [guid]::TryParse()
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    Param (
        [Parameter(Mandatory, Position = 0, ValueFromPipelineByPropertyName = $true)]
        [AllowEmptyString()]
        [string]$InputObject
    )
    Process {
        # TryParse returns $true only for a well-formed GUID; the parsed value is discarded.
        return [guid]::TryParse($InputObject, $([ref][guid]::Empty))
    }
}

neztach · Aug 05 '22 16:08
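The five steps above, as an added example that is not the issue author's code and not part of ADEssentials. It folds the prefix check and the GUID validation into one pipeline-friendly function that only needs objects with Name and DisplayName properties, so it can be fed either Get-ADGroup output or the constructed sample objects at the bottom. The 'Group_' prefix and the 'AAD - ' label are taken from the issue; the function and parameter names are assumptions made here.

```powershell
# Added example (not ADEssentials or the issue author's code): map Group Writeback
# names of the form 'Group_<GUID>' to their DisplayName, leaving all other names alone.
function Resolve-WritebackGroupName {
    [CmdletBinding()]
    [OutputType([string])]
    param (
        # Any object exposing Name and DisplayName (Get-ADGroup output or a test object).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group,

        # Prefix that Group Writeback puts before the cloud object id (assumed: 'Group_').
        [string]$Prefix = 'Group_',

        # Label prepended to a resolved display name, as proposed in the issue.
        [string]$Label = 'AAD - '
    )
    process {
        $name = [string]$Group.Name

        # Step 3a: the prefix must be at the start of the name, not anywhere in it.
        if (-not $name.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $name
        }

        # Substring removes exactly the prefix. TrimStart('Group_') would strip any
        # leading run of the characters G, r, o, u, p and _ instead, which is a
        # different test and can eat into a name that merely begins with those letters.
        $candidate = $name.Substring($Prefix.Length)

        # Step 3b: the remainder must parse as a GUID, using the same .NET method the
        # issue's Test-Guid helper relies on.
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($candidate, [ref]$parsed)) {
            return $name
        }

        # Step 4 with an edge case: a written-back group whose DisplayName has not been
        # populated yet falls back to the raw name instead of emitting a bare label.
        $display = [string]$Group.DisplayName
        if ([string]::IsNullOrWhiteSpace($display)) {
            return $name
        }
        return "$Label$display"
    }
}

# Constructed sample objects standing in for Get-ADGroup output (not real directory data).
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Group_3363e9e1-00d8-45a1-9c0c-b93ee03f8c13'; DisplayName = 'Finance Team' }
    [pscustomobject]@{ Name = 'Domain Admins';                              DisplayName = $null }
    [pscustomobject]@{ Name = 'Group_not-a-guid';                           DisplayName = 'Should not resolve' }
    [pscustomobject]@{ Name = 'Group_7c9e6679-7425-40de-944b-e07fc1f90ae7'; DisplayName = '' }
)

$sampleGroups | Resolve-WritebackGroupName

# Against a real domain the same function sits at the end of the membership pipeline
# (assumed usage, requires the ActiveDirectory module):
#   Get-ADPrincipalGroupMembership -Identity '<username>' |
#       Get-ADGroup -Properties DisplayName |
#       Resolve-WritebackGroupName
```

Of the four constructed objects only the first resolves to a labelled display name; the second has no prefix, the third has a prefix but no GUID behind it, and the fourth is a written-back group with an empty DisplayName, so all three come back unchanged. Two design points worth keeping in mind when wiring this into a report: the resolved string is for human readability only, since a cloud group's DisplayName is neither unique nor guaranteed to differ from an on-prem group name, so any matching, filtering or access decision should still key on the group's SID or DistinguishedName rather than on the translated label; and anchoring the prefix at the start of the name avoids relabelling an ordinary on-prem group that happens to contain 'Group_' somewhere in its name.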

Isn't newest Azure AD Connect doing that now? https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/use-cloud-groups-in-on-premises-active-directory-with-group/ba-p/3118023

New group writeback features

  • You can now also configure writing Azure AD Security Groups back to on-premises Active Directory as a universal Security Group using PowerShell, MS Graph, or the Microsoft Entra admin center.
  • When configuring group writeback in Azure AD Connect, you have the option to swap the common name of the on-prem distinguished name to be the cloud group’s display name, making it easier to identify what groups are being written back from Azure AD.
  • You can manage what groups you’d like to write back to Active Directory using MS Graph Explorer and the Microsoft Entra admin center.

PrzemyslawKlys · Aug 05 '22 16:08