How do I match groups from Exchange Online to Azure AD?

Stack Overflow Asked by Manuel K on September 21, 2020

I want to uniquely identify a group that is used in Exchange Online so that I can find the same group in Azure AD. The group has, in my case, permissions on a mailbox as returned by Get-MailboxPermission in PowerShell.

When using the Get-Group cmdlet from the Exchange PowerShell module I get a few identifying properties, but none of those are helpful in identifying the same group in Azure AD:

  • DisplayName (not unique and changeable)
  • SamAccountName (not available via Graph API or AzureAD PowerShell module)
  • Sid (specific to Exchange Online and not the same as in Azure AD)
  • WindowsEmailAddress (changeable, not required)
  • ExchangeObjectId (not available via Graph API or AzureAD PowerShell module)

In Azure AD I have a whole other set of identifying properties (e.g. Graph API):

  • ID (the ObjectID displayed in Azure AD, not available in Exchange Online)
  • DisplayName (not unique and changeable)
  • Mail (changeable, not required)
  • SecurityIdentifier (specific to Azure AD and not the same as in Exchange Online)

It seems my only option would be to use a combination of DisplayName and maybe WindowsEmailAddress/Mail, which is horrible.

Is there any other way I could uniquely identify the groups to match them together?

My scenario is as follows:
I need to process all permissions of all mailboxes:

  1. I basically call Get-MailboxPermission for every mailbox.
  2. By expanding the property User I can get the Exchange-SID of the permitted user or group.
  3. I can then match this Exchange-SID to a user or group as returned by the Get-User or Get-Mailbox cmdlets.
  4. I can find the corresponding Azure AD user by matching the ExternalDirectoryObjectId as returned by Get-User.
  5. The group does not have the property ExternalDirectoryObjectId and no other uniquely identifying and unchangeable property that can be found in Azure AD.

One Answer

Case 1: Matching the group ID from the Graph API to the Exchange Online cmdlets

Get the list of groups from Graph and match it with the group from the Exchange Online cmdlets.

The Id obtained from the Graph API will match that of Get-Group.

Below is a snippet of the Graph response:

            "id": "c0749057-8163-4228-be88-1a0df3aab7b1",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": "2020-09-08T11:21:53Z",
            "creationOptions": [],
            "description": "This is a new Group",
            "displayName": "NewGroup1",
            "expirationDateTime": null..............

If you take the Id c0749057-8163-4228-be88-1a0df3aab7b1 and run the command below, you will get the corresponding group:

Get-Group -Identity "c0749057-8163-4228-be88-1a0df3aab7b1" 

Output: (screenshot, not reproduced)

Case 2: Matching the group ID from the Exchange Online cmdlets to the Graph group ID

Only unified groups will be visible in the Graph APIs, or will have the ExternalDirectoryObjectId.

So you could run

(Get-UnifiedGroup -Identity <Your Exchange Group ID>).ExternalDirectoryObjectId

This will return the Azure AD Object Id of the Group.



Correct answer by sathya_vijayakumar-MSFT on September 21, 2020
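The following PowerShell is an added example, not code from the question or the answer above. It walks the procedure the question describes (Get-MailboxPermission per mailbox, resolve the permitted principal, pull ExternalDirectoryObjectId, look the ID up in Graph) and applies the two lookups the answer gives: Get-User/Get-UnifiedGroup for the Azure AD object ID in one direction, and Get-Group -Identity <Graph id> in the other. It assumes an open Exchange Online session (Connect-ExchangeOnline) and an open Microsoft Graph session with User.Read.All and Group.Read.All (Connect-MgGraph); Get-MgUser and Get-MgGroup come from the Microsoft.Graph SDK and are this example's choice, not the page's. The output file name is arbitrary.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline
# and Connect-MgGraph have already been run in this session.

function Resolve-ExoPrincipal {
    # Map the User value from Get-MailboxPermission to an Azure AD object ID.
    # Tries Get-User (users), then Get-UnifiedGroup (Microsoft 365 groups),
    # then Get-Group (other groups, which may carry no Azure AD ID).
    param([Parameter(Mandatory)][string]$Identity)

    $user = try { Get-User -Identity $Identity -ErrorAction Stop } catch { $null }
    if ($user -and $user.ExternalDirectoryObjectId) {
        return [pscustomobject]@{ Type = 'User'; ObjectId = $user.ExternalDirectoryObjectId; ExoName = $user.Name }
    }

    $ug = try { Get-UnifiedGroup -Identity $Identity -ErrorAction Stop } catch { $null }
    if ($ug -and $ug.ExternalDirectoryObjectId) {
        return [pscustomobject]@{ Type = 'UnifiedGroup'; ObjectId = $ug.ExternalDirectoryObjectId; ExoName = $ug.Name }
    }

    $grp = try { Get-Group -Identity $Identity -ErrorAction Stop } catch { $null }
    if ($grp) {
        # Reading a property that this group type lacks yields $null rather than an error.
        return [pscustomobject]@{ Type = 'Group'; ObjectId = $grp.ExternalDirectoryObjectId; ExoName = $grp.Name }
    }

    # Nothing resolved: typically an orphaned SID (S-1-5-21-...) left by a deleted
    # principal. Those are stale ACEs and worth reporting, not silently skipping.
    return [pscustomobject]@{ Type = 'Unresolved'; ObjectId = $null; ExoName = $Identity }
}

function Get-AadPrincipal {
    # Look up the resolved object ID in Graph; returns $null when it does not exist there.
    param([Parameter(Mandatory)][string]$Type, [string]$ObjectId)
    if (-not $ObjectId) { return $null }
    try {
        if ($Type -eq 'User') { Get-MgUser  -UserId  $ObjectId -ErrorAction Stop }
        else                  { Get-MgGroup -GroupId $ObjectId -ErrorAction Stop }
    } catch { $null }
}

function Get-MailboxPermissionReport {
    # One row per explicit mailbox permission, joined to the Azure AD principal.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Explicit grants only: drop inherited entries and the built-in SELF/Default ACEs.
        $perms = Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and
                           $_.User -notlike 'NT AUTHORITY\*' -and
                           $_.User -ne 'Default' -and $_.User -ne 'Anonymous' }

        foreach ($p in $perms) {
            # $p.User may be a SecurityPrincipalIdParameter; its string form is what
            # the Identity parameters of Get-User/Get-Group accept.
            $resolved = Resolve-ExoPrincipal -Identity ([string]$p.User)
            $aad      = Get-AadPrincipal -Type $resolved.Type -ObjectId $resolved.ObjectId

            [pscustomobject]@{
                Mailbox        = $mbx.PrimarySmtpAddress
                User           = [string]$p.User
                AccessRights   = ($p.AccessRights -join ',')
                Type           = $resolved.Type
                AadObjectId    = $resolved.ObjectId
                AadDisplayName = $aad.DisplayName
                FoundInAad     = [bool]$aad
            }
        }
    }
}

# Reverse direction from the answer's Case 1: a Graph group ID is accepted
# directly by Get-Group -Identity, so this confirms a given Azure AD group
# is the one Exchange Online knows about.
function Test-GraphGroupInExo {
    param([Parameter(Mandatory)][string]$GraphGroupId)
    $g = try { Get-Group -Identity $GraphGroupId -ErrorAction Stop } catch { $null }
    return [bool]$g
}

$report = Get-MailboxPermissionReport
$report | Export-Csv -Path .\mailbox-permissions-aad.csv -NoTypeInformation
# Rows with Type = 'Unresolved' or FoundInAad = $false are the ones to review:
# either stale ACEs or groups that exist only on the Exchange side.
```

The report deliberately keeps unresolved entries instead of dropping them; in a permissions audit, an ACE whose principal no longer exists in Azure AD is exactly the kind of finding that should surface.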
