Skip to content

Instantly share code, notes, and snippets.

@darrenjrobinson

darrenjrobinson/run.ps1

Last active Jun 1, 2021
Embed
What would you like to do?
Azure AD PowerShell Function to query Azure AD for a User to get their full object and their group memberships then send a summary email via SendGrid. Associated Blogpost https://blog.darrenjrobinson.com/subscribing-to-azure-ad-change-notifications-with-powershell/
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
# Write to the Azure Functions log stream.
Write-Host "PowerShell AzureAD Query HTTP trigger function received a request."
Write-Host $Request.Body
# Write-Host $Request.Query
[string]$queryString = ($Request.Body)
$queryData = $queryString.Split("&")
$clientState = $queryData[0].Split("=")[1]
$userObject = $queryData[1].Split("=")[1]
write-host $queryString
write-host $queryData
Write-Host $clientState
Write-Host $userObject
if ($clientState -eq "$($env:clientStateValue)" -and ($userObject -like "Users/*")) {
# Valid Request
$clientSecret = (ConvertTo-SecureString "$($env:graphAutomationSecret)" -AsPlainText -Force )
$accessToken = (Get-MsalToken -clientID "$($env:graphAutomationClientID)" -clientSecret $clientSecret -tenantID "$($env:graphAutomationTenantID)").AccessToken
write-host "AADQuery AccessToken: $($accessToken)"
if ($accessToken) {
$updatedUser = $null
$updatedUserMemberships = $null
$userSummary = $null
$updatedUser = Invoke-RestMethod -Method Get `
-Uri "https://graph.microsoft.com/beta/$($userObject)" `
-Headers @{Authorization = "Bearer $($accessToken)" }
write-host "AADQUERY: Querying AAD for User ObjectID '$($userObject)'"
if ($updatedUser.userType -eq "Guest") {
# Get Memberships
$updatedUserMemberships = (Invoke-RestMethod -Method Get `
-Uri "https://graph.microsoft.com/v1.0/$($userObject)/transitiveMemberOf" `
-Headers @{Authorization = "Bearer $($accessToken)" }).value
$userSummary = @{
user = @($updatedUser)
groups = @($updatedUserMemberships.displayName)
}
write-host "USER: $($updatedUser)"
write-host "GROUPMemberships: $($updatedUserMemberships.displayName)"
} else {
write-host "USER TYPE: '$($updatedUser.userType)', so ignoring."
}
} else {
Write-Host "FAIL: No Access Token Received"
}
}
if ($userSummary) {
# Build Notification Email
$emailSubject = "Changed Azure AD User Object"
$emailBody = "Azure AD User Summary. `r`n `r`n $($userSummary.user | Out-String) `r`n `r`n Azure AD User Groups Summary `r`n `r`n $($userSummary.groups)"
$mail = @{
"personalizations" = @(
@{
"to" = @(
@{
"email" = "$($env:sendGridToAddress)"
}
)
}
)
"from" = @{
"email" = "$($env:sendGridFromAddress)"
}
"subject" = "$($emailSubject)"
"content" = @(
@{
"type" = "text/plain"
"value" = "$($emailBody)"
}
)
}
# Send Email Notification via SendGrid
if ($mail) {
Push-OutputBinding -Name message -Value (ConvertTo-Json -InputObject $mail -Depth 4)
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment