How do I match groups from Exchange Online to Azure AD?
Stack Overflow Asked by Manuel K on September 21, 2020
I want to uniquely identify a group that is used in Exchange Online so that I can find the same group in Azure AD. The group has, in my case, permissions on a mailbox as returned by Get-MailboxPermission in PowerShell.
When using the Get-Group cmdlet from the ExchangePowerShell-Module I get a few identifying properties, but none of those are helpful in identifying the same group in Azure AD:
- DisplayName (not unique and changeable)
- SamAccountName (not available via Graph API or AzureAD PowerShell module)
- Sid (specific to Exchange Online and not the same as in Azure AD)
- WindowsEmailAddress (changeable, not required)
- ExchangeObjectId (not available via Graph API or AzureAD PowerShell module)
In Azure AD I have a whole other set of identifying properties (e.g. Graph API):
- ID (the ObjectID displayed in Azure AD, not available in Exchange Online)
- DisplayName (not unique and changeable)
- Mail (changeable, not required)
- SecurityIdentifier (specific to Azure AD and not the same as in Exchange Online)
It seems my only option would be to use a combination of DisplayName and maybe WindowsEmailAddress/Mail which is horrible?
Is there any other way I could uniquely identify the groups to match them together?
UPDATE:
My scenario is as follows:
I need to process all permissions of all mailboxes:
- I basically call
Get-MailboxPermissionfor every mailbox. - By expanding the property User I can get the Exchange-SID of the permitted user or group.
- I can then match this Exchange-SID to a user or group as returned by the
Get-UserorGet-Mailboxcmdlets. - I can find the corresponding Azure AD user by matching the
ExternalDirectoryObjectIdas returned byGet-User. - The group does not have the property
ExternalDirectoryObjectIdand no other uniquely identifying and unchangable property that can be found in Azure AD.
One Answer
Case 1 : Matching the Group ID From Graph API to Exchange Online Commandlets
Getting the list of the groups from the Graph and matching it with the group from the Exchange Online Commandlets.
The Id Obtained from the Graph API will match that of the Get-Group
The below is the snippet of the Graph response :
{
"id": "c0749057-8163-4228-be88-1a0df3aab7b1",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2020-09-08T11:21:53Z",
"creationOptions": [],
"description": "This is a new Group",
"displayName": "NewGroup1",
"expirationDateTime": null..............
If you get the Id : c0749057-8163-4228-be88-1a0df3aab7b1 & Run the below command, you will get the corresponding group :
Get-Group -Identity "c0749057-8163-4228-be88-1a0df3aab7b1"
Output :
Case 2 : Matching the Group ID from the Exchange Online Commandlets to Graph Group ID
(UPDATE)
Only the unified groups will be visible in the Graph APIs (or) will have the ExternalDirectoryObjectId
So you could run
(Get-UnifiedGroup -Identity <Your Exchange Group ID>).ExternalDirectoryObjectId
This will return the Azure AD Object Id of the Group.
HTH !
Correct answer by sathya_vijayakumar-MSFT on September 21, 2020
Add your own answers!
Ask a Question
Get help from others!
Recent Answers
- Jon Church on Why fry rice before boiling?
- Peter Machado on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Joshua Engel on Why fry rice before boiling?
- haakon.io on Why fry rice before boiling?
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?