Showing posts with label Azure AD PowerShell. Show all posts
Monday, 3 September 2018
Creating Azure AD Groups with Azure Guest user exclusions
As Azure Guest access becomes more and more prevalent in an Office 365 tenant, certain Managers and Administrators are looking for a way to have 'employee only' Groups. Enter Azure Active Directory dynamic groups - a feature of Azure AD Premium P1 and above.
You can create a dynamic group in the Azure Portal, specifically | Azure Active Directory | Groups | + New Group. Let's take a look:
When creating the group, ensure the 'Membership type' is set to 'Dynamic User'. You can then add your dynamic query; the example here looks for users with a mail address that contains 'wave16.com', which is handy if you want to put users into groups based on their primary SMTP address.
To include or exclude Azure Guest users specifically, the property to test is userType: match it, or not match it, against 'Guest' (the other comparison operators are available too).
Once the group is created it will take a while before you see the results of your dynamic group (more on that later), but drilling back into the group we can confirm the dynamic membership rule query. We have the option of a simple rule or an advanced one; advanced allows us to join a variety of rules together to fine-tune our dynamic membership.
Once the dynamic group has had time to be processed it will show the objects contained within, based on the rules you have created.
So can we use PowerShell to create dynamic groups? The answer is yes, using the AzureAD PowerShell module.
Once you have successfully connected with Connect-AzureAD you can view your groups using Get-AzureADMSGroup.
We can pick out the dynamic groups by looking at the GroupTypes attribute, which contains 'DynamicMembership' for a dynamic group (add -All $true, otherwise only the first page of groups comes back):
Get-AzureADMSGroup -All $true | Where-Object { $_.GroupTypes -contains 'DynamicMembership' } | Select-Object DisplayName, GroupTypes, MembershipRule
And we can also create them. I find PowerShell far easier for creating a dynamic group when matching multiple rules.
In this PowerShell example I am creating a Sales group and also ensuring no Azure Guest users will be hiding within it. There are a few more considerations to bear in mind here, as we have to include -MailEnabled, -MailNickname and -MembershipRuleProcessingState. Two things that trip people up: -MailNickname is a string alias and has to be supplied even when the group is not mail-enabled, and the clauses of a membership rule are joined with the rule language's own 'and' / 'or', not PowerShell's -and / -or (the property operators such as -eq and -notMatch do keep their hyphen).
New-AzureADMSGroup -DisplayName "Oliver Test Dynamic Group" -GroupTypes DynamicMembership -MembershipRule '(user.userType -notMatch "Guest") and (user.department -eq "Sales")' -MailEnabled $false -MailNickname "OliverTestDynamicGroup" -SecurityEnabled $true -MembershipRuleProcessingState On
-MembershipRuleProcessingState states whether the group starts processing immediately or whether you want to pause processing of the rule for the time being. The options available are 'On' or 'Paused'. Paused makes sense if you're using PowerShell to script the recreation of your on-premises dynamic groups in Azure AD: you may have a lot of them and want to control, one at a time, which ones start processing.
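The bulk-creation case described above, worked through end to end as an added example (editor's code, not from the original post). It assumes the AzureAD module is installed, Connect-AzureAD has already been run with an account that can create groups, and that the group names, department values and the hypothetical helper names (New-EmployeeOnlyDynamicGroup, Test-NoGuestMembers) are illustrative. Groups are created Paused, switched On individually, and then checked so that no guest object has ended up as a member.

```powershell
# Added example (editor's, not from the original post). Assumes the AzureAD module
# and an existing Connect-AzureAD session. Names and department values are illustrative.

# Rule syntax: clauses are joined with 'and' / 'or' (no hyphen); property operators
# such as -eq, -ne and -notMatch keep the hyphen.
$definitions = @(
    @{ Name = 'Sales - Employees only';       Rule = '(user.department -eq "Sales") and (user.userType -ne "Guest")' },
    @{ Name = 'Engineering - Employees only'; Rule = '(user.department -eq "Engineering") and (user.userType -ne "Guest")' }
)

function New-EmployeeOnlyDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule,
        [ValidateSet('On', 'Paused')][string]$ProcessingState = 'Paused'
    )
    # MailNickname must be a string with no spaces, even for a security-only group;
    # derive it from the display name rather than passing $false.
    $nickname = $DisplayName -replace '[^A-Za-z0-9]', ''
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description 'Dynamic group; guests excluded by membership rule' `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState $ProcessingState `
        -MailEnabled $false -MailNickname $nickname -SecurityEnabled $true
}

# Create everything Paused so a bulk run does not start processing all at once.
$created = foreach ($d in $definitions) {
    New-EmployeeOnlyDynamicGroup -DisplayName $d.Name -MembershipRule $d.Rule -ProcessingState 'Paused'
}

# Turn processing on one group at a time once the rules have been reviewed.
foreach ($g in $created) {
    Set-AzureADMSGroup -Id $g.Id -MembershipRuleProcessingState 'On'
}

# Verification: once membership has been evaluated, no member may be a guest.
# MemberCount of 0 means processing has not completed yet, not that the rule is wrong.
function Test-NoGuestMembers {
    param([Parameter(Mandatory)][string]$GroupId)
    $members = @(Get-AzureADGroupMember -ObjectId $GroupId -All $true)
    $guests  = @($members | Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' })
    [pscustomobject]@{
        GroupId     = $GroupId
        MemberCount = $members.Count
        GuestCount  = $guests.Count
        Clean       = ($guests.Count -eq 0)
    }
}

foreach ($g in $created) {
    $state = (Get-AzureADMSGroup -Id $g.Id).MembershipRuleProcessingState
    Write-Host "$($g.DisplayName): processing state $state"
    Test-NoGuestMembers -GroupId $g.Id
}
```

Run the verification part again after the tenant has had time to evaluate the rule; an empty membership straight after creation is expected and is exactly why the processing state is shown alongside the count.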
More on understanding your on-premises dynamic groups and how to create them in Azure AD in my next post.
Have fun!
@OliverMoazzezi
Tuesday, 31 July 2018
Getting Azure AD Guest Users with the Azure AD Preview PowerShell module
Azure Guest access is a great concept, primarily wrapped in the Microsoft Teams, SharePoint and OneDrive experience; however, reporting on and keeping a lid on Azure Guest accounts can be a daunting task. Luckily there are a few ways to poll Azure Guest accounts, with PowerShell providing the best experience so far.
Accessing https://portal.azure.com and selecting Azure Active Directory | All Users | and then selecting 'Show: Guest Users Only' will give you a list of the current Azure AD Guest Users in your directory. Unfortunately however, the UI is very limited in being able to get more information than what is presently shown.
Luckily the new Azure AD PowerShell Preview module can provide better insight to guest users for your Directory and we can utilise the shell to create a report for administrative purposes.
Let's take a look; once you have the module installed, use Connect-AzureAD. The module supports modern authentication by default, so if you're looking to pre-enter credentials for scripting purposes use the -Credential parameter with $Credential = Get-Credential. Note that -Credential is a plain username/password sign-in, so it only works for an account that is not challenged for MFA.
We can simply list all users with Get-AzureADUser
We can get more information on a user by using -ObjectId with the Azure AD user object's ObjectId GUID. For example: Get-AzureADUser -ObjectId "<object guid>" | Format-List
What we see here is the UserType property; this is how we differentiate a normal (Member) user from a Guest.
With a simple where statement we can list all Guest users. Note that Get-AzureADUser returns only the first page (100 users) unless -All $true is supplied, so without it the guest list is silently incomplete.
Get-AzureADUser -All $true | Where-Object { $_.UserType -eq 'Guest' }
The CreationType attribute also shows whether the account was created from an invitation (its value is 'Invitation' for an invited guest).
With a fairly simple PowerShell one-liner we can retrieve all Azure Guest users and format their most relevant attributes. The filtering can also be done server-side, which is faster on a large directory:
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | Select-Object DisplayName, UserPrincipalName, AccountEnabled, Mail | Format-Table
We can use https://portal.azure.com | Azure Active Directory | Users | Audit Logs to see who has invited the external users and also when an external user accepted the invite. Just filter on the activity and specify 'Invite external user' and 'Redeem external user invite'.
Selecting the audit log will show you more information including the time and date of the activities.
If I check Azure Active Directory | Users | Sign-ins I can see the sign-in logs. I can specify user search terms to get more detailed information on an Azure Guest user accessing my Office 365 tenant. Note I get immediate access to sign-in info, device info and whether any second-factor authentication or conditional access rules applied.
And whilst both the Audit Log and Sign-ins allow me to download reports, Sign-ins provides richer integration with Power BI once you've configured it (which I'll detail in a future blog post).
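The same two portal views, pulled through PowerShell as an added example (editor's code, not from the original post). It needs the AzureADPreview module, because Get-AzureADAuditDirectoryLogs and Get-AzureADAuditSignInLogs are not in the GA AzureAD module, and an account that can read the logs (for example Reports Reader). The activity names are the ones the portal shows; the helper names (Get-GuestInvitationEvents, Get-GuestSignIns) are hypothetical, and the example assumes the first target resource of an invite event is the invited guest, which is what the audit entries carry.

```powershell
# Added example (editor's, not from the original post). Requires the AzureADPreview
# module and an existing Connect-AzureAD session with log-reading rights.

function Get-GuestInvitationEvents {
    # Invite and redeem events from the directory audit log, with who did it and to whom
    param([int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    foreach ($activity in 'Invite external user', 'Redeem external user invite') {
        # Same fields the portal filters on, expressed as an OData filter
        $filter = "activityDisplayName eq '$activity' and activityDateTime ge $since"
        Get-AzureADAuditDirectoryLogs -Filter $filter -All $true | ForEach-Object {
            [pscustomobject]@{
                When     = $_.ActivityDateTime
                Activity = $_.ActivityDisplayName
                Actor    = $_.InitiatedBy.User.UserPrincipalName            # who sent / redeemed
                Target   = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
                Result   = $_.Result
            }
        }
    }
}

function Get-GuestSignIns {
    # Sign-in log for one guest: application, client IP, device, CA and MFA outcome
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Top = 50)
    Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top | ForEach-Object {
        [pscustomobject]@{
            When      = $_.CreatedDateTime
            App       = $_.AppDisplayName
            IpAddress = $_.IpAddress
            Device    = $_.DeviceDetail.OperatingSystem
            CAStatus  = $_.ConditionalAccessStatus    # success / failure / notApplied
            ErrorCode = $_.Status.ErrorCode           # 0 means the sign-in succeeded
        }
    }
}

# Invitations sent in the window that were never redeemed, with the inviting user
$events   = @(Get-GuestInvitationEvents -Days 30)
$invited  = $events | Where-Object Activity -eq 'Invite external user'
$redeemed = $events | Where-Object Activity -eq 'Redeem external user invite' | Select-Object -ExpandProperty Target
$invited | Where-Object { $_.Target -notin $redeemed } | Format-Table When, Actor, Target -AutoSize

# Recent activity for one guest, here simply the first guest the directory returns
$guest = Get-AzureADUser -Filter "userType eq 'Guest'" -Top 1
if ($guest) { Get-GuestSignIns -UserPrincipalName $guest.UserPrincipalName | Format-Table -AutoSize }
```

Unredeemed invitations are the ones worth chasing first: the guest object already exists in the directory, but nobody has yet proven they control the invited mailbox.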
So, getting back to creating a nice list of Azure Guest users, we can use the Azure AD Preview PowerShell module to get this data and wrap it up in an email to send to us as and when needed. I've written a script and uploaded it to the TechNet Gallery here.
You can use it to get a list of Azure Guest users in the session window.
Or use the -email switch so it can run as a scheduled task. Be aware the script then needs a stored credential; keep the password out of the script text itself (for example, store the credential with Export-Clixml, which encrypts it for the account that runs the task) rather than in plaintext. A standard user account will do, as all it needs is read access to the directory, which member users have by default.
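A scheduled-task version of that report, as an added example (editor's code, not the script from the TechNet Gallery). It uses the GA AzureAD module, reads a credential that was saved once interactively with Export-Clixml (DPAPI-protected, so it can only be decrypted by the same Windows account on the same machine), and uses -All $true so the report is not capped at the first page of users. Paths, SMTP host and mailbox addresses are placeholders, and the -Email switch, Get-AzureGuestReport and the CSV layout are this example's own, not the original script's.

```powershell
# Added example (editor's, not the original gallery script). Assumes the AzureAD
# module. Paths, SMTP host and addresses are placeholders.
# One-off, run interactively as the account the scheduled task will use:
#   Get-Credential | Export-Clixml -Path 'C:\Scripts\guestreport.cred'
# The file is DPAPI-encrypted to that user on that host; another user or host cannot read it.
# The reporting account must not be challenged for MFA, as Connect-AzureAD -Credential
# is a plain username/password sign-in.

param(
    [string]$CredentialPath = 'C:\Scripts\guestreport.cred',
    [string]$OutCsv         = 'C:\Scripts\AzureGuests.csv',
    [switch]$Email,
    [string]$SmtpServer     = 'smtp.example.com',
    [string]$From           = 'guestreport@example.com',
    [string]$To             = 'security@example.com'
)

$cred = Import-Clixml -Path $CredentialPath
Connect-AzureAD -Credential $cred | Out-Null

function Get-AzureGuestReport {
    # Server-side filter plus -All: without -All only the first 100 users are returned.
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | ForEach-Object {
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            UserPrincipalName = $_.UserPrincipalName
            Mail              = $_.Mail
            AccountEnabled    = $_.AccountEnabled
            CreationType      = $_.CreationType                     # 'Invitation' for invited guests
            Created           = $_.ExtensionProperty['createdDateTime']
            InviteRedeemed    = ($_.UserState -eq 'Accepted')       # 'PendingAcceptance' = never redeemed
        }
    }
}

$report = @(Get-AzureGuestReport | Sort-Object Created)
$report | Export-Csv -Path $OutCsv -NoTypeInformation

# Worth a second look: guests that never redeemed, or are disabled but still present
$stale = @($report | Where-Object { -not $_.InviteRedeemed -or -not $_.AccountEnabled })

if ($Email) {
    $body = "Guests: $($report.Count); never redeemed or disabled: $($stale.Count)`n`n" +
            ($report | Format-Table DisplayName, Mail, AccountEnabled, InviteRedeemed, Created -AutoSize | Out-String)
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Azure AD guest report $(Get-Date -Format yyyy-MM-dd)" `
        -Body $body -Attachments $OutCsv
} else {
    $report | Format-Table -AutoSize
}
```

Schedule it as the same account that created the credential file, with the task set to run whether the user is logged on or not; if the file is copied elsewhere or the task runs as another identity, Import-Clixml fails rather than leaking the password.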
Have fun!
@OliverMoazzezi