Streamlining Role Management in Azure AD with PowerShell and Microsoft Graph


In today’s rapidly evolving IT ecosystem, effective role management is key. This is especially true for large organisations where managing roles for individual users can quickly become overwhelming. For businesses that leverage Microsoft Azure, there are robust tools at hand that can dramatically simplify and automate these intricate tasks. Among these tools, PowerShell in conjunction with Microsoft Graph stands out for its administrative efficiency.

In this blog post, we’re going to guide you through the process of crafting a PowerShell script that utilises Microsoft Graph to identify a specific Azure AD group and remove all roles assigned directly to all group members. Let’s get started!

Preparations

Before we dive in, there are a few prerequisites to note. Firstly, ensure that you have the Microsoft Graph PowerShell SDK installed. If not, use the Install-Module -Name Microsoft.Graph command in your PowerShell to add it.

Next, establish a connection to Microsoft Graph with the Connect-MgGraph cmdlet, requesting the permission scopes the script needs: reading groups and users, and modifying directory role memberships.

Finally, remember to tread carefully when modifying user permissions. Scripts that implement bulk changes can be particularly powerful, but also potentially disruptive if not properly managed. It’s always wise to run tests with a small number of users before applying changes across an entire group.

The PowerShell script

# Define the group name (replace with the display name of your own group)
$groupName = 'Your-Group-Name'

# Connect to Microsoft Graph, requesting the scopes the script needs:
# read groups and users, and remove members from directory roles
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'RoleManagement.ReadWrite.Directory'

# Get the group; stop unless the name resolves to exactly one group
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' was not found." }
if (@($group).Count -gt 1) { throw "More than one group is named '$groupName'; use the object ID instead." }

# Get the members of the group (-All pages past the default first page of results)
$groupMembers = Get-MgGroupMember -GroupId $group.Id -All

# Iterate through each member
foreach ($member in $groupMembers) {
    # If the member is a User (the SDK returns the OData type in AdditionalProperties)
    if ($member.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
        # Get the roles assigned directly to the user: memberOf returns direct memberships only
        $userRoles = Get-MgUserMemberOf -UserId $member.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }

        # Iterate through each role
        foreach ($role in $userRoles) {
            # Remove the user from the role (the SDK cmdlet for DELETE /directoryRoles/{id}/members/{id}/$ref)
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $member.Id -Confirm:$false
        }
    }
}

In this script, we begin by defining the name of your Azure AD group. Don’t forget to replace ‘Your-Group-Name’ with the actual name of your group.

We then establish a connection with Microsoft Graph, fetch the group and its members, and iterate through each member. For each user, we identify all directly assigned roles, and subsequently remove the user from each of these roles. This effectively unassigns all directly allocated roles from the user.
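The test the post recommends is easiest to run as a read-only pass first. The audit script below is an added example, not code from the original post: it lists every direct directory-role membership that the removal script would touch and writes the findings to a CSV, so the change can be reviewed before anything is deleted. It assumes the Microsoft Graph PowerShell SDK is installed; $groupName and $reportPath are placeholders.

```powershell
# Added example (not part of the original post): read-only audit of the direct
# directory-role memberships held by the users in a group. Requests read-only
# scopes only, so it cannot modify anything.
$groupName  = 'Your-Group-Name'                           # placeholder
$reportPath = Join-Path $env:TEMP 'direct-role-audit.csv' # placeholder

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All', 'RoleManagement.Read.Directory'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' was not found." }
if (@($group).Count -gt 1) { throw "Group name '$groupName' is ambiguous; use the object ID instead." }

$findings = foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
    # Skip nested groups, service principals and devices: only user objects are in scope
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $upn = $member.AdditionalProperties['userPrincipalName']

    # memberOf returns direct memberships only. A role held through a role-assignable
    # group, or a PIM-eligible role that has not been activated, does not appear here,
    # so this report shows exactly what the removal script would act on and nothing more.
    $roles = Get-MgUserMemberOf -UserId $member.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }

    foreach ($role in $roles) {
        [pscustomobject]@{
            UserPrincipalName = $upn
            UserId            = $member.Id
            RoleDisplayName   = $role.AdditionalProperties['displayName']
            RoleId            = $role.Id
        }
    }
}

if ($findings) {
    $findings | Export-Csv -Path $reportPath -NoTypeInformation
    $findings | Format-Table UserPrincipalName, RoleDisplayName -AutoSize
    "{0} direct role membership(s) found; report written to {1}" -f @($findings).Count, $reportPath
}
else {
    "No direct directory-role memberships found for users in '$groupName'."
}
```

Review the CSV with the role owners before running the removal script; any entry that should survive indicates a user who must be excluded from the group or handled separately.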

Closing thoughts

In this post, we’ve provided a practical guide to automating role management in Azure AD using a combination of PowerShell and Microsoft Graph. This straightforward and efficient approach can significantly ease your Azure AD administrative tasks. However, remember that it’s crucial to test your scripts within a controlled environment before rolling out large-scale changes.

Also bear in mind that cmdlets and APIs in the Microsoft Graph PowerShell SDK may evolve over time. If you encounter any issues, please refer to the latest official Microsoft Graph documentation or Microsoft PowerShell reference.

We always appreciate your feedback and questions. Please don’t hesitate to share your thoughts. Stay tuned for more Get Practical IT guides and tips!


Author: João Paulo Costa

MCP, MCT, MCSA, MCITP, MCTS, MS, Azure Solutions Architect, Azure Administrator, Azure Network Engineer, Azure Fundamentals, Microsoft 365 Enterprise Administrator Expert, Microsoft 365 Messaging Administrator, ITIL v3.
