How to get AzureAD Group Members nested groups in PowerShell

Why would we put groups in groups?

Groups in groups is used by enterprise companies that have main groups for, for example, Group based Licensing in AzureAD. And there are many more examples to mention.
The disadvantage of groups in groups is that at a certain point you no longer know whether someone is in the group or not and therefore gets the license that is required.

‘Yo dawg, I heard you like groups, so I put groups in your groups, so you can search for users, while you’re searching for users.’

Xzibit – ‘Pimp My Ride’

I created a PowerShell script to get your nested group members.

I’m sure there will be an option in the Azure portal for this, but until then I’ve made a PowerShell script.
All you need for this is the AzureAD module.


The script

I no longer host scripts on my own blog.
You can download the script from Github.


Let’s go through Get-AzureADNestedGroupMembers.ps1.

The script has two parameters: Groups and ObjectType.
Both of them are mandatory.


Groups

This parameter is clear. Here you enter the Group.
You use the group’s DisplayName.
The script will then automatically look up the ObjectId.

You can add multiple Groups, as long as it is the DisplayName.

# Look up the group by its DisplayName so we get the ObjectId
$Grp = Get-AzureADGroup -Filter "DisplayName eq '$Group'" -ErrorAction Stop
# Fetch the direct members of that group (nested groups come back with ObjectType 'Group')
$Members = Get-AzureADGroupMember -ObjectId $Grp.ObjectId -ErrorAction Stop

ObjectType

This parameter is a ValidateSet, so only fixed values are accepted. There are 3 different ObjectTypes:

  • Users
  • Devices
  • Groups

These are the ones I found (I didn’t search for more, I only ran the script). You can use the ValidateSet to search for specific items.
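To show how the two parameters and the DisplayName-to-ObjectId lookup fit together with the recursion through nested groups, here is an added example function. It is not the script from the blog or from the GitHub download; it assumes the AzureAD module is installed and that Connect-AzureAD has already been run in the session. The function name Get-NestedGroupMembersExample and the inner helper Resolve-Group are made up for this example.

```powershell
# Added example, not the blog's own script. Assumes the AzureAD module and an
# existing Connect-AzureAD session.
function Get-NestedGroupMembersExample {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string[]]$Groups,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Users', 'Devices', 'Groups')]
        [string]$ObjectType
    )

    # Map the ValidateSet names onto the ObjectType values AzureAD objects carry.
    $typeMap = @{ Users = 'User'; Devices = 'Device'; Groups = 'Group' }
    $wanted  = $typeMap[$ObjectType]

    # Remember every group ObjectId already expanded. Without this, a group that
    # (indirectly) contains itself would make the recursion loop forever.
    $visited = [System.Collections.Generic.HashSet[string]]::new()
    $results = [System.Collections.Generic.List[object]]::new()

    # Hypothetical helper: walk one group and descend into any nested groups.
    function Resolve-Group {
        param ([string]$GroupId)
        if (-not $visited.Add($GroupId)) { return }   # already processed
        $members = Get-AzureADGroupMember -ObjectId $GroupId -All $true -ErrorAction Stop
        foreach ($m in $members) {
            if ($m.ObjectType -eq $wanted)  { $results.Add($m) }
            if ($m.ObjectType -eq 'Group')  { Resolve-Group -GroupId $m.ObjectId }
        }
    }

    foreach ($Group in $Groups) {
        # A single quote in a DisplayName would break the OData filter, so double it.
        $safe = $Group -replace "'", "''"
        $Grp  = Get-AzureADGroup -Filter "DisplayName eq '$safe'" -ErrorAction Stop
        if (-not $Grp) { Write-Warning "Group '$Group' not found"; continue }
        # DisplayNames are not unique, so more than one group may match.
        foreach ($g in @($Grp)) { Resolve-Group -GroupId $g.ObjectId }
    }

    # The same object can be reached through several nesting paths; return it once.
    $results | Sort-Object -Property ObjectId -Unique
}

# Usage (same shape as the blog's examples):
# Get-NestedGroupMembersExample -Groups 'GROUPNAME' -ObjectType Users
```

Two points matter when this output drives licensing or application assignments: the visited set is what keeps circular nesting from hanging the script, and the final deduplication is what stops one user from being counted (or licensed) several times because they sit in more than one nested group.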

Below I will give you a few examples of what you can do with it. Make sure you downloaded the script before you continue.


Get-AzureADNestedGroupMembers.ps1 examples

You can use the standard

Example 1

Get-AzureADNestedGroupMembers -Groups 'GROUPNAME' -ObjectType Users

Example 2

Get-AzureADNestedGroupMembers -Groups 'GROUPNAME' -ObjectType Devices

Example 3

Get-AzureADNestedGroupMembers -Groups 'GROUPNAME' -ObjectType Groups

If the group (or any group nested in it) contains objects of the chosen ObjectType, those objects are returned. If there are none, nothing is returned.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.

3 thoughts on “How to get AzureAD Group Members nested groups in PowerShell”

  1. Wonderful function, this was so valuable for breaking down nested groups and assigning them to Enterprise Applications (because assignments don’t apply to nested groups).
