Giving/Removing List of Users Access to List of Groups


    • #227521

      Hello all! Good day – forgive me ahead of time, for I am a total n00b when it comes to PowerShell. Essentially, what I am trying to do is take a list of groups (whether that be imported via CSV or through some sort of Get statement) and add or remove a list of users via the same methods. Theoretically, to me it seems as though it should be simple enough. I am using Remove-AzureADGroupMember in my example. I’ve tried various methods centered around Foreach, but I consistently receive errors such as: “Cannot convert ‘System.Object[]’ to the type ‘System.String’”

      Here is an example of something simple I’d try (each CSV has a column with a name and a column with Object ID):

      $UserList = Import-Csv -path "C:\temp\users.csv"
      $groupList = Import-Csv -path "C:\temp\groups.csv"
      
      Foreach ($user in $UserList) {
          $userObject = $UserList.ObjectID
          Foreach ($group in $groupList) {
              $groupObject = $groupList.ObjectID
          }
          Remove-AzureADGroupMember -ObjectId $groupObject -MemberId $userObject
      }
    • #227524

      Hi,
      for removing all groups assigned to a given user I use this.
      My CSV file contains 2 columns, one with samaccountName and the other with email.

      Connect-AzureAD
      # read file with users (email address)
      $users = Import-Csv c:\temp\csv\toRemove.csv
      $ErrorLog = "c:\temp\groupdeletionErrors.txt"
      
      foreach ($user in $users) {
          # check if the user is disabled
          $accountEnabled = Get-AzureADUser -ObjectId $user.Email
          if (!($accountEnabled.AccountEnabled)) {
      
              # get the user's objectID from Azure
              $UserObjectID = Get-AzureADUser -ObjectId $user.Email | Select-Object objectID
      
              # grab the clean objectID from the user
              $SelectUserObjectID = $UserObjectID.objectID
      
              # find all the groups the user is a member of
              $UserObjectIDGroupMemberShip = Get-AzureADUserMembership -ObjectId $SelectUserObjectID
              $a = $UserObjectIDGroupMemberShip.Count
              $Groupsremoved = 0
              $ErrorGroup = 0
      
              foreach ($group in $UserObjectIDGroupMemberShip) {
                  # remove the user from each individual group
                  try {
                      Remove-AzureADGroupMember -ObjectId $group.objectID -MemberId $SelectUserObjectID
                      $Groupsremoved++
                  }
                  catch {
                      # the groups that cannot be removed are saved in the error log
                      "Error removing $($group.objectID) : $($_)" | Add-Content $ErrorLog
                      #write-host "$errorcount groups could not be removed from $($user.samaccountname)"
                      $ErrorGroup++
                  }
                  finally {
                      # output on screen
                  }
              }
              Write-Host "#####################################################################"
              Write-Host "result for $($user.Email)"
              Write-Host "Total groups Found: $a"
              Write-Host "Total groups Removed: $Groupsremoved"
              Write-Host "Total groups not removed: $ErrorGroup"
              Write-Host "#####################################################################"
          }
          Else {
              Write-Host "$($user.Email) cannot be removed at this time"
          }
      }
      

    • #227551

      Here are the issues with your code:

      $UserList = Import-Csv -path "C:\temp\users.csv"
      $groupList = Import-Csv -path "C:\temp\groups.csv"
      
      Foreach ($user in $UserList) {
          
          #You are in a loop, $user is the item and
          #$UserList is the entire list and you are referencing $UserList.ObjectId
          $userObject = $UserList.ObjectID
          Foreach ($group in $groupList) {
              #Same here, you are in a loop, $group is the item and
              #$GroupList is the entire list and you are referencing $GroupList.ObjectId
              $groupObject = $groupList.ObjectID
          }
          #This is located in the user loop, not the group loop, so you would always process the last
          #group member of the group because you loop through everything and the last item is set as $groupObject
          Remove-AzureADGroupMember -ObjectId $groupObject -MemberId $userObject
      }
      

      The error is that you are providing an object, not a string. This is due to an implicit loop when you do object.property.

      PS C:\Users\rasim> $svc = Get-Service | Select -First 5
      
      #This is an implicit loop, $svc is an object and Name is the property
      PS C:\Users\rasim> $temp = $svc.Name
      
      #Here you can see that all 5 names are in $temp, making it an array, specifically a string array object:
      PS C:\Users\rasim> $temp.Count
      5
      

      Here is corrected code so you can compare to the original:

      $UserList = Import-Csv -path "C:\temp\users.csv"
      $groupList = Import-Csv -path "C:\temp\groups.csv"
      
      Foreach ($user in $UserList) {
          $userObject = $User.ObjectID
          Foreach ($group in $groupList) {
              $groupObject = $group.ObjectID
          
              Remove-AzureADGroupMember -ObjectId $groupObject -MemberId $userObject
      
          }
      }
      
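      A fuller version of the corrected nested loop, added here as an example and not code from the thread or its posters: it adds or removes a CSV of users to or from a CSV of groups, supports -WhatIf so the membership change can be rehearsed before it is applied, and writes one audit record per attempted change. It assumes the AzureAD module is loaded and Connect-AzureAD has already run, and that both CSVs carry ObjectId and DisplayName columns (column names are an assumption).

```powershell
# Added example, not the thread's own code: bulk add/remove a CSV of users to/from a CSV of groups
# with a -WhatIf dry run and an audit log. Assumes the AzureAD module is loaded and Connect-AzureAD
# has already run; the CSV column names ObjectId and DisplayName are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $UserCsv,
    [Parameter(Mandatory)] [string] $GroupCsv,
    [ValidateSet('Add', 'Remove')] [string] $Action = 'Remove',
    [string] $LogPath = "$env:TEMP\group-membership-audit.csv"
)

$users  = Import-Csv -Path $UserCsv
$groups = Import-Csv -Path $GroupCsv

# Fail early if any row lacks a single ObjectId string; this is the field the cmdlets need.
foreach ($row in @($users) + @($groups)) {
    if ([string]::IsNullOrWhiteSpace($row.ObjectId)) {
        throw "Row '$($row.DisplayName)' has no ObjectId; refusing to continue."
    }
}

$results = foreach ($user in $users) {      # $user is ONE row, never the whole $users list
    foreach ($group in $groups) {           # likewise $group is ONE row of $groups
        $target = "$($user.DisplayName) ($($user.ObjectId)) -> $($group.DisplayName)"
        $status = 'Skipped (WhatIf)'
        if ($PSCmdlet.ShouldProcess($target, $Action)) {
            try {
                if ($Action -eq 'Add') {
                    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
                } else {
                    Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $user.ObjectId
                }
                $status = 'OK'
            } catch {
                $status = "Error: $($_.Exception.Message)"
            }
        }
        # One record per attempted change, failures included, so the run can be audited later.
        [pscustomobject]@{
            Time   = (Get-Date).ToString('o')
            Action = $Action
            User   = $user.ObjectId
            Group  = $group.ObjectId
            Status = $status
        }
    }
}
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Group-Object Status | Select-Object Name, Count
```

Run it first with -WhatIf to see every user/group pair it would touch; the audit CSV records the failures as well as the successes, which is what you want when a membership change has to be reviewed afterwards.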
    • #227581

      Thank you both so much – two very helpful and unique responses! Acer I hadn’t even thought of using get-AzureAdUserMembership so that’s a really cool method. And Rob, your reply was exactly what I was looking for – someone to critique what I had done. It was nice to see that I was not too far off from what actually needed to be done!
