@SMSAgentSoftware
Last active November 10, 2022 14:53
Gets the transitive AAD group membership of an Intune managed device
## Requires the Microsoft.Graph.Intune module
## Examples:
# $GroupMembership = Get-DeviceGroupMembership -DeviceName "PC001"
# $GroupMembership = Get-DeviceGroupMembership -AADDeviceId "c089201c-ad84-1234-5678-00d06dc86d8f"
# $GroupMembership | Sort Name | Out-GridView
# Is device a member of a specific group
# $GroupMembership.Name -contains "Intune - All Windows 10 Workstations"

# Function
function Get-DeviceGroupMembership {
    [CmdletBinding(DefaultParameterSetName='Name')]
    Param(
        [Parameter(Mandatory=$true,ParameterSetName='Name')]
        [ValidateNotNullOrEmpty()]
        [string]$DeviceName,
        [Parameter(Mandatory=$true,ParameterSetName='Id')]
        [ValidateNotNullOrEmpty()]
        [string]$AADDeviceId
    )
    $ProgressPreference = 'SilentlyContinue'

    # Get a user token for MS Graph
    $GraphToken = Connect-MSGraph -PassThru

    # Find the object id (the directory object id, not the AAD device id)
    If ($DeviceName)
    {
        $URL = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$DeviceName'&`$select=id"
    }
    If ($AADDeviceId)
    {
        $URL = "https://graph.microsoft.com/v1.0/devices?`$filter=deviceId eq '$AADDeviceId'&`$select=id"
    }
    $Headers = @{'Authorization' = "Bearer " + $GraphToken}
    $D_Response = Invoke-WebRequest -Uri $URL -Method GET -Headers $Headers -UseBasicParsing
    If ($D_Response.StatusCode -eq 200)
    {
        # Check for duplicates (display names are not unique in AAD)
        $DeviceId = ($D_Response.Content | ConvertFrom-Json).Value.id
        If ($DeviceId.Count -gt 1)
        {
            Write-Warning "Multiple devices found. Please pass a unique devicename or AAD device Id!"
            Return
        }
        else
        {
            If ($DeviceId)
            {
                # Get the direct group membership
                $URL = "https://graph.microsoft.com/beta/devices/$DeviceId/memberOf?`$select=displayName,description,id,groupTypes,membershipRule,membershipRuleProcessingState"
                $G_Response = Invoke-WebRequest -Uri $URL -Method GET -Headers $Headers -UseBasicParsing
                If ($G_Response.StatusCode -eq 200)
                {
                    $Groups = ($G_Response.Content | ConvertFrom-Json).Value
                }
                # Get the transitive group membership (includes nested groups)
                $URL = "https://graph.microsoft.com/beta/devices/$DeviceId/transitiveMemberOf?`$select=displayName,description,id,groupTypes,membershipRule,membershipRuleProcessingState"
                $TG_Response = Invoke-WebRequest -Uri $URL -Method GET -Headers $Headers -UseBasicParsing
                If ($TG_Response.StatusCode -eq 200)
                {
                    $TransitiveGroups = ($TG_Response.Content | ConvertFrom-Json).Value
                }
            }
            else
            {
                Write-Warning "Device not found!"
            }
        }
    }
    else
    {
        Return
    }

    # If results found
    If ($Groups.Count -ge 1 -or $TransitiveGroups.Count -ge 1)
    {
        # Create a datatable to hold the groups
        $DataTable = [System.Data.DataTable]::New()
        $Columns = @()
        @(
            'Name'
            'Description'
            'Object Id'
            'Membership Type'
            'Direct or Transitive'
            'Membership Rule'
            'Membership Rule Processing State'
        ) | foreach {
            $Columns += [System.Data.DataColumn]::new("$_")
        }
        $DataTable.Columns.AddRange($Columns)

        # Add the direct groups.
        # groupTypes can hold both 'Unified' and 'DynamicMembership' (a dynamic M365 group),
        # so test for containment rather than only looking at the first element.
        foreach ($Group in $Groups)
        {
            If ($Group.groupTypes -contains "DynamicMembership")
                {$MembershipType = "Dynamic"}
            Else {$MembershipType = "Assigned"}
            [void]$DataTable.Rows.Add($Group.displayName,$Group.description,$Group.id,$MembershipType,"Direct",$Group.membershipRule,$Group.membershipRuleProcessingState)
        }

        # Add the transitive groups that are not already listed as direct
        foreach ($TransitiveGroup in ($TransitiveGroups | where {$_.id -NotIn $Groups.id}))
        {
            If ($TransitiveGroup.groupTypes -contains "DynamicMembership")
                {$MembershipType = "Dynamic"}
            Else {$MembershipType = "Assigned"}
            [void]$DataTable.Rows.Add($TransitiveGroup.displayName,$TransitiveGroup.description,$TransitiveGroup.id,$MembershipType,"Transitive",$TransitiveGroup.membershipRule,$TransitiveGroup.membershipRuleProcessingState)
        }
        Return $DataTable
    }
}
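Two things the function above does not handle: a device name containing a single quote breaks out of the OData `$filter` string, and Graph returns collections in pages, so a device in more groups than fit on one page would have the rest silently dropped. The following helper is an added example, not part of the gist: it escapes the filter value and follows `@odata.nextLink` until the collection is exhausted. It assumes the caller already holds a bearer token in `$Token` (for instance from `Connect-MSGraph -PassThru` as the gist does); the function names `Get-GraphCollection` and `Get-DeviceTransitiveGroups` are made up here.

```powershell
# Added example (not from the gist). Assumes $Token is a valid Graph bearer token.

function Get-GraphCollection {
    # Returns every item of a Graph collection, following @odata.nextLink
    # so results past the first page are not lost.
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Token
    )
    $headers = @{ Authorization = "Bearer $Token" }
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Uri $Uri -Method GET -Headers $headers
        $items += $page.value
        # Graph only sends a nextLink while more pages remain
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Get-DeviceTransitiveGroups {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$Token
    )
    # OData string literals are single-quoted; a quote inside the value is escaped
    # by doubling it, so a name such as O'Brien-PC cannot alter the filter.
    $safeName = $DeviceName.Replace("'", "''")
    $filter   = [uri]::EscapeDataString("displayName eq '$safeName'")
    $devices  = @(Get-GraphCollection -Uri "https://graph.microsoft.com/v1.0/devices?`$filter=$filter&`$select=id,displayName" -Token $Token)
    if ($devices.Count -ne 1) {
        Write-Warning "Expected exactly one device named '$DeviceName', found $($devices.Count)."
        return
    }
    $deviceId = $devices[0].id

    # Same endpoints the gist uses; direct membership is only needed to label rows.
    $direct = @(Get-GraphCollection -Uri "https://graph.microsoft.com/beta/devices/$deviceId/memberOf?`$select=id,displayName,groupTypes" -Token $Token)
    $all    = @(Get-GraphCollection -Uri "https://graph.microsoft.com/beta/devices/$deviceId/transitiveMemberOf?`$select=id,displayName,groupTypes" -Token $Token)
    $directIds = @($direct.id)

    foreach ($g in $all) {
        [pscustomobject]@{
            Name           = $g.displayName
            ObjectId       = $g.id
            MembershipType = $(if ($g.groupTypes -contains 'DynamicMembership') { 'Dynamic' } else { 'Assigned' })
            Path           = $(if ($directIds -contains $g.id) { 'Direct' } else { 'Transitive' })
        }
    }
}

# Usage (assumes $Token was obtained beforehand):
# Get-DeviceTransitiveGroups -DeviceName "PC001" -Token $Token | Sort-Object Name | Format-Table
```

Transitive membership is the set that matters for access decisions: a device picks up every policy or conditional-access rule assigned to any group in this list, including ones reachable only through nesting, so review the `Transitive` rows with the same attention as the direct ones.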
@danielpuls
danielpuls commented Aug 4, 2022

Downloaded the PS1, ran it and got this error:

"Importing modules...You cannot call a method on a null-valued expression"

Any idea?

@SMSAgentSoftware
Author

Downloaded the PS1, ran it and got this error:

"Importing modules...You cannot call a method on a null-valued expression"

Any idea?

You're commenting on the wrong script, but I'm guessing you don't have the SMS variable set, eg

Import-Module $env:SMS_ADMIN_UI_PATH.Replace('i386','ConfigurationManager.psd1') -ErrorAction Stop

@danielpuls

danielpuls commented Aug 4, 2022

Thanks for the fast answer, Trevor.
You're right, I commented on the wrong script; can you move these comments?

And you're also right about the missing SMS module; I had overlooked that if I use the switch -All this module is necessary.
Thanks, working fine!

@SMSAgentSoftware
Author

Thanks for the fast answer, Trevor. You're right, I commented on the wrong script; can you move these comments?

And you're also right about the missing SMS module; I had overlooked that if I use the switch -All this module is necessary. Thanks, working fine!

👍
