Hello -

I'm looking for some guidance / clarity.

I'm running Adaxes 2023 (I know I need to update) and I have a very specific task I am trying to accomplish.

I am in hybrid-mode - so we have an on-premise AD that syncs to Entra ID (Azure AD).

My on-prem AD is managed and I have the M365 tenant configured under 'Cloud Services'.

I need to retrieve the Entra ID object ID for a subset of the groups in my domain.

I've been reading the online docs for hours now and I am a little lost.

If I understand correctly, it says I should be able to use the Adaxes powershell command 'get-AdmGroup' to retrieve the Entra ID object ID ... but I can't figure it out.

I've looked at the '-AdaxesService' command along with using my organization's '.onmicrosoft.com' domain name in the 'serverName' parameter, but I get an error saying that it is 'unavailable'.

I want to get the information in the easiest and most efficient manner ... and I thought it would be much easier with Adaxes.

I feel as if I am missing something here. Any and all help / direction is much appreciated (in advance).

Thanks.

by (60 points)

1 Answer

by (308k points)
0 votes

Hello,

To obtain the identifier, you can use the below script in a custom command, business rule or scheduled task. Pay attention that it will only work on users included in the associated scope of your tenant in Adaxes.

```powershell
try
{
    # Get the object ID in Microsoft 365. The property is empty for objects
    # that Adaxes has no Entra ID counterpart for, which makes the cast throw.
    $objectId = [Guid]$Context.TargetObject.Get("adm-AzureId")
}
catch
{
    # Nothing to do when the property is not set.
    return
}
```
by (60 points)
0

Thank you for the quick response.

I've tried what you suggested and am so far not being successful. I added a couple of Log statements and captured the error and this is what I am receiving.

[screenshot: image.png]

I've obfuscated a lot, but I can verify that the group I am trying to get this information on is under the 'associated objects' of my tenant.

[screenshot: image.png]

Can I please get some additional guidance or thoughts on this situation?

Thank you again.

by (308k points)
0

Hello,

The behavior is expected as the property is empty for the object you run the script against. It can only be retrieved for users who are licensed for Microsoft 365 or groups that are mail-enabled in Exchange Online. Also, there were some changes introduced by Microsoft and only applied in Adaxes 2023 Update 2 (build number 3.15.23410). If you are using an older version, you need to upgrade to use the script.

Upgrade instructions

What's New 2023

by (60 points)
0

Thank you again for the timely response.

So, for the record, I am running 3.16.21906.0 (but plan to update as soon as I can).

But ultimately what I am hearing is that the update won't fix my issue because I can confirm that the groups I am working with are not mail-enabled and are just Security Groups.

And I did try the code sample on a mail-enabled group and it functioned as expected and returned the Entra ID Object ID.

Thanks once again.

by (308k points)
0

Hello,

Yes, your understanding is correct. The only option in this case is to actually register your Microsoft Entra domain in Adaxes and execute the script against the accounts in it.

by (60 points)
0

For some reason registering my Entra ID domain in Adaxes was not something I had thought of - I assume it is because we are in Hybrid mode and primary Administration is performed in AD but there are some Cloud Only objects.

So, first I want to say that to solve my problem I used MS Graph calls (with Invoke-RestMethod).

The following code snippet has a lot (most) of my error checking removed, and has an accommodation for an ampersand in one of our group names.

```powershell
# Get access token for Microsoft Graph API
$token = $Context.CloudServices.GetAzureAuthAccessToken()
# Build the URI for the query. %name% is an Adaxes value reference resolved
# before the script runs; URL-encode the & so it does not cut the filter short.
$myName = ("'%name%'").Replace("&", "%%26")
$url = 'https://graph.microsoft.com/v1.0/groups?$filter=displayName eq ' + $myName + '&$select=id,displayName'
# Contact MS Graph
$response = Invoke-RestMethod -Method GET `
            -Uri $url `
            -Headers @{Authorization="Bearer $token"}
# Get result (an array if more than one group has this displayName)
$myAzureID = $response.value.id
```

I went and registered my Azure tenant in Adaxes and it is fantastic. But I blew my licensing count out of the water. I'm getting double charged for objects that exist in my on premise and cloud directories. Of course it would be nice if Adaxes could see that and handle it automatically ... but I am not unfamiliar with managing my 'Restricted Users' list via a 'Scheduled Task' and will be working on that.

Thanks again for all the support and timely responses.
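A hardened version of the lookup in the reply above, added here as an example rather than taken from the thread: it escapes the group name for the OData filter (a single quote in a name would otherwise break or change the query), percent-encodes the whole filter, follows paging, and requires exactly one match before trusting the result. It assumes the script runs inside Adaxes with the tenant registered under Cloud Services, that the group's AD name equals its Entra ID displayName, and that $Context.LogMessage is available for logging.

```powershell
# Added example (not from the thread): resolve a group's Entra ID object ID,
# first from adm-AzureId, then via Microsoft Graph with a safely built filter.
# Assumptions: runs inside an Adaxes script ($Context available), the tenant is
# registered under Cloud Services, and the AD "name" matches Entra displayName.

function ConvertTo-ODataStringLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # A single quote terminates an OData string literal, so a name such as
    # O'Brien's Team would break or alter the $filter; OData escapes it by doubling.
    return "'" + $Value.Replace("'", "''") + "'"
}

function Get-EntraGroupIdByName {
    param([Parameter(Mandatory)][string]$DisplayName,
          [Parameter(Mandatory)][string]$Token)
    # Build the literal, then percent-encode the whole filter so & and other
    # reserved characters never reach the URI unencoded.
    $filter = "displayName eq " + (ConvertTo-ODataStringLiteral $DisplayName)
    $url = 'https://graph.microsoft.com/v1.0/groups?$select=id,displayName&$filter=' +
           [uri]::EscapeDataString($filter)
    $ids = @()
    while ($url) {
        $response = Invoke-RestMethod -Method GET -Uri $url -Headers @{ Authorization = "Bearer $Token" }
        foreach ($group in $response.value) { $ids += $group.id }
        $url = $response.'@odata.nextLink'   # follow paging, if Graph returns more pages
    }
    if ($ids.Count -ne 1) {
        # Zero matches means no cloud object; several means the name is ambiguous.
        throw "Expected exactly one group named '$DisplayName', found $($ids.Count)"
    }
    return $ids[0]
}

# Prefer the value Adaxes already holds; it is empty for security groups that are
# not mail-enabled, so fall back to Graph only in that case.
$azureId = $null
try { $azureId = [Guid]$Context.TargetObject.Get("adm-AzureId") } catch { }
if (-not $azureId) {
    $name  = $Context.TargetObject.Get("name")
    $token = $Context.CloudServices.GetAzureAuthAccessToken()
    $azureId = Get-EntraGroupIdByName -DisplayName $name -Token $token
}
$Context.LogMessage("Entra ID object ID: $azureId", "Information")
```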

by (308k points)
0

Hello,

If you register a Microsoft Entra domain and a synchronized Active Directory domain in Adaxes, synchronized users will only be counted once toward the license limit, not twice.

by (60 points)
0

Thank you for the clarification. It did slip my mind how many external users we have in our directory that are now hitting our license count.

I have been a customer for many years at different employers and your product and support have always been fantastic.

Thanks again.

by (308k points)
0

Hello,

Thank you for your good words, it is much appreciated. We do our best for our customers!
