Track Azure AD Group Changes with Powershell and Graph API

In this post I will explain how to work with group changes in Azure AD and fetch delta changes with PowerShell and the Graph API.

  • Azure App Registration
  • Request the token
  • Get AAD Groups from Graph API
  • Pagination
  • Get Delta changes for AAD Groups

Azure App Registration

Register an App in Azure App Registration with the permissions listed below.
Microsoft Documentation App Registration

Application permissions:

GroupMember.Read.All,
Group.Read.All,
Directory.Read.All,
Group.ReadWrite.All,
Directory.ReadWrite.All

Save the Client ID and the Secret. We will use them to request the token.

Request the token

Now we need to make sure we have access to the Groups endpoint in Azure AD.
For this we have to generate a token that grants access to the endpoint.

# Placeholder values; keep the real secret out of the script (read it from an
# environment variable or a vault instead of hardcoding it).
$clientId     = "AzureAP_Client_ID"
$clientSecret = "AzureAP_Secret"
$tenantName   = "someonestenant.onmicrosoft.com"
$resource     = "https://graph.microsoft.com/"   # informational; the v2.0 endpoint uses Scope below

# Client credentials flow: the app authenticates as itself, no user involved
$tokenBody = @{
    Grant_Type    = 'client_credentials'
    Scope         = 'https://graph.microsoft.com/.default'
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}

$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantName/oauth2/v2.0/token" -Method POST -Body $tokenBody -ErrorAction Stop

The variable $tokenResponse should now contain the fields token_type, expires_in and access_token; the access_token is what we send with every Graph request.

Get Azure AAD Groups with Graph API

To begin we will send a Graph API request to get all groups from Azure AD.
The first step is to build a header with the token generated in the previous step.

$headers = @{
    "Authorization" = "Bearer $($tokenResponse.access_token)"
    "Content-Type"  = "application/json"
}

As a second step we need the URL of the endpoint.

$URL = "https://graph.microsoft.com/beta/groups/"

Now we have all parts needed to call the endpoint.
We will do this with Invoke-RestMethod.

(Invoke-RestMethod -Headers $headers -Uri $URL -Method GET).Value

As a response we will get some Azure AD groups and their properties, but not all groups.
If you have a test tenant with 50 or fewer groups you will get all of them. But if you have more than 100 groups in your tenant, a single request returns only 100 groups.

Pagination

To get all groups we have to follow the pagination link below and loop through it until no link is returned anymore.

# The next page is announced in the response body under '@odata.nextLink'
(Invoke-RestMethod -Headers $headers -Uri $URL -Method GET).'@odata.nextLink'

$allgroups = @()
$URL = "https://graph.microsoft.com/beta/groups/"

# One request per page: take the items and the next link from the same response
$groups = Invoke-RestMethod -Headers $headers -Uri $URL -Method GET
$allgroups += $groups.value
$groupsnextlink = $groups.'@odata.nextLink'

while ($null -ne $groupsnextlink)
{
    $groups = Invoke-RestMethod -Headers $headers -Uri $groupsnextlink -Method GET
    $allgroups += $groups.value
    $groupsnextlink = $groups.'@odata.nextLink'
}
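The same page-walking logic, wrapped in a reusable function. This is an added example and not code from the original post; it assumes the $headers hashtable built above and uses the v1.0 groups endpoint with $select and $top as query options (the back-tick before $select stops PowerShell from expanding it as a variable). Asking only for the fields you need keeps the pages small and the logs readable.

```powershell
# Added example: generic page walker for Microsoft Graph collection endpoints.
# Assumes $headers contains the Bearer token built earlier in the post.
function Get-GraphCollection {
    param(
        [Parameter(Mandatory)] [hashtable] $Headers,
        [Parameter(Mandatory)] [string]    $Uri
    )

    $items = New-Object System.Collections.Generic.List[object]
    $next  = $Uri
    $pages = 0

    while ($next) {
        # One request per page; the body carries both the items and the next link
        $response = Invoke-RestMethod -Headers $Headers -Uri $next -Method GET -ErrorAction Stop
        $pages++
        if ($response.value) { $items.AddRange([object[]]$response.value) }
        $next = $response.'@odata.nextLink'   # $null on the last page ends the loop
    }

    Write-Verbose "Fetched $($items.Count) items over $pages page(s) from $Uri"
    return $items
}

# Usage: request only the properties we care about and the largest page size
# Graph allows for directory objects (999), then let the function walk every page.
$groupsUri = "https://graph.microsoft.com/v1.0/groups?`$select=id,displayName,mailNickname&`$top=999"
$allGroups = Get-GraphCollection -Headers $headers -Uri $groupsUri
$allGroups | Select-Object id, displayName, mailNickname | Format-Table
```

Compared with the loop above, every page is requested exactly once, which matters when the tenant is large and the app is subject to Graph throttling.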

Get Delta changes for AAD Groups

Microsoft Documentation

Now the cool stuff begins. How can we track group changes in Azure AD?
We will use the delta endpoint, which records the changes.

$URL = "https://graph.microsoft.com/beta/groups/delta"

The first thing we need is the delta link returned by the groups/delta endpoint.
Here we have the same pagination experience as above.
We will loop through all next links until we get the delta link, the URL from which the changes can later be fetched.

$URL = "https://graph.microsoft.com/beta/groups/delta"
$Response = Invoke-RestMethod -Headers $headers -Uri $URL -Method GET

# Pages carry '@odata.nextLink'; the final page carries '@odata.deltaLink' instead
while ($null -eq $Response.'@odata.deltaLink')
{
    $Response = Invoke-RestMethod -Headers $headers -Uri $Response.'@odata.nextLink' -Method GET
}
$Deltalink = $Response.'@odata.deltaLink'

Calling the delta link later returns all groups that changed since the delta link was created.

But what if I want to track changes only for group membership or some other attributes?

Here is an example of a URL where only group changes for displayName, description and mailNickname are returned.
It returns only the requested attributes. We don't know which one of the attributes changed! Use this query with only one attribute to make sure that this attribute has changed.

$URL = "https://graph.microsoft.com/v1.0/groups/delta?`$select=displayName,description,mailNickname"

Now let's track group membership changes.
We will only get a response if a member is added to or removed from a group.

$URL = "https://graph.microsoft.com/v1.0/groups/delta?`$select=members"

As a response we get the group ID and the member ID.

User removed from Group
User added to Group

If a user is removed, the entry in the members@delta list carries an @removed annotation. If a user is added, the change is listed in members@delta without any annotation.
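To turn this into a repeatable check, the delta link has to be stored between runs and the members@delta entries have to be interpreted. The following is an added example, not code from the original post: it assumes the $headers hashtable from above, a state file path of your choosing for the stored delta link, and the response shape documented for groups/delta (each changed group carries a members@delta array whose removed entries have an @removed property; a deleted group itself also carries @removed). The first run records the full membership snapshot and the delta link; every later run reports only what changed since.

```powershell
# Added example: one polling cycle against groups/delta, tracking membership only.
# Assumptions: $headers holds the Bearer token; $stateFile is where we keep the
# last deltaLink (any path works, this one is just a placeholder).
$stateFile = Join-Path $env:TEMP "groups-delta-link.txt"

function Invoke-GroupDeltaSync {
    param(
        [Parameter(Mandatory)] [hashtable] $Headers,
        [string] $DeltaLink     # previous deltaLink, or $null for a first (full) sync
    )

    # A first sync starts at the delta endpoint; later syncs call the stored deltaLink
    $uri = if ($DeltaLink) { $DeltaLink } else {
        "https://graph.microsoft.com/v1.0/groups/delta?`$select=members"
    }

    $changes = New-Object System.Collections.Generic.List[object]
    do {
        $response = Invoke-RestMethod -Headers $Headers -Uri $uri -Method GET -ErrorAction Stop
        foreach ($group in $response.value) {
            if ($group.'@removed') {
                # The group itself was deleted; its members are gone with it
                $changes.Add([pscustomobject]@{ GroupId = $group.id; MemberId = $null; Action = 'GroupDeleted' })
                continue
            }
            # members@delta lists each member touched since the last sync;
            # removed members carry '@removed', added ones do not
            foreach ($m in $group.'members@delta') {
                $changes.Add([pscustomobject]@{
                    GroupId  = $group.id
                    MemberId = $m.id
                    Action   = if ($m.'@removed') { 'Removed' } else { 'Added' }
                })
            }
        }
        # Keep walking nextLinks; the last page carries the new deltaLink instead
        $uri = $response.'@odata.nextLink'
    } while ($uri)

    [pscustomobject]@{
        Changes   = $changes
        DeltaLink = $response.'@odata.deltaLink'
    }
}

$previous = if (Test-Path $stateFile) { Get-Content $stateFile -Raw } else { $null }
$result   = Invoke-GroupDeltaSync -Headers $headers -DeltaLink $previous

if ($previous) {
    # Every row here is a membership event since the last run: feed it to your SIEM or alerting
    $result.Changes | Format-Table GroupId, MemberId, Action
} else {
    Write-Host "Initial sync done; snapshot of $($result.Changes.Count) membership entries recorded."
}

# Persist the new deltaLink so the next run only receives changes since now
Set-Content -Path $stateFile -Value $result.DeltaLink -NoNewline
```

Run the script on a schedule; the output of the first run is the baseline, and each subsequent run lists the added and removed members per group, which is exactly the signal you want when watching privileged or role-assignable groups.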


Thank you for reading ! 
If you have any questions please contact me !
