<#
.SYNOPSIS
Mirrors the membership of an Azure AD group into an on-premises AD group.

.DESCRIPTION
Runs as an Azure Automation runbook (it reads the RunAs connection and a
PSCredential asset). Every source member with a matching on-premises user
(looked up by UserPrincipalName) is added to the destination group; when
RemoveUnmatched is $true, destination members without a source counterpart
are removed.

.PARAMETER sourceAadGroupName
Display name of the Azure AD group whose membership is the desired state.

.PARAMETER destinationAdGRoupName
Identity of the on-premises AD group to bring in line with the source.

.PARAMETER RemoveUnmatched
When $true (the default), destination members that were not seen in the
source group are removed. Pass $false for an add-only sync.
#>
param (
    [Parameter(Mandatory = $true)]
    [string]$sourceAadGroupName,
    [Parameter(Mandatory = $true)]
    [string]$destinationAdGRoupName,
    [Parameter(Mandatory = $false)]
    [bool]$RemoveUnmatched = $true
)
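#region Azure Automations connect as RunAs
# Everything below is fatal on error: a half-done sync is worse than no sync.
$ErrorActionPreference = "Stop"
# Name of the Automation connection asset that holds the RunAs service principal.
# Defined once so the lookup and the "not found" message cannot drift apart.
$connectionName = "AzureRunAsConnection"
try {
    $runAsConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure Active Directory"
    # App-only, certificate-based sign-in; no user password is involved.
    Connect-AzureAD `
        -TenantId $runAsConnection.TenantId `
        -ApplicationId $runAsConnection.ApplicationId `
        -CertificateThumbprint $runAsConnection.CertificateThumbprint
} catch {
    if (!$runAsConnection) {
        # The connection asset itself could not be read, so the failure is
        # a configuration problem rather than a sign-in problem.
        throw "Connection $connectionName not found."
    } else {
        # Sign-in failed; surface the original exception unchanged.
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
#endregion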
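# Account used for every write (and the group reads) against on-premises AD.
$credential = Get-AutomationPSCredential -Name "AD-Group-Sync-Worker"
#$credential = Get-Credential -UserName "worker" -Message "pw"
#$sourceAadGroupName = "AVPN Users"
#$destinationAdGRoupName = "Edge Pilot Users"
#$RemoveUnmatched = $true
$startDateTime = Get-Date
"Loading group members..."
Import-Module ActiveDirectory

# A single quote is the only character with meaning inside an OData string
# literal; doubling it keeps a group name such as O'Brien from breaking, or
# widening, the filter that is sent to the directory.
$escapedAadGroupName = $sourceAadGroupName -replace "'", "''"
$aadGroup = @(Get-AzureADGroup -Filter "DisplayName eq '$escapedAadGroupName'")
# Abort before touching anything when the source is missing or ambiguous:
# an empty source member list combined with RemoveUnmatched would otherwise
# empty the destination group, and two matching groups would be merged.
if ($aadGroup.Count -eq 0) {
    throw "Azure AD group '$sourceAadGroupName' not found."
}
if ($aadGroup.Count -gt 1) {
    throw "Azure AD group name '$sourceAadGroupName' matches $($aadGroup.Count) groups; refusing to sync an ambiguous source."
}
$aadGroupMembers = $aadGroup[0] | Get-AzureADGroupMember -All $true
$adGroup = Get-ADGroup -Identity $destinationAdGRoupName -Credential $credential
$adGRoupMembers = Get-ADGroupMember -Identity $destinationAdGRoupName -Credential $credential

# Current destination membership keyed by DN, so each source member costs one
# lookup instead of a scan of the whole member list. DNs are compared
# case-insensitively, matching AD's own comparison.
$existingDns = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($existing in $adGRoupMembers) {
    [void]$existingDns.Add($existing.DistinguishedName)
}

$seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$added = [System.Collections.Generic.List[string]]::new()
$removed = [System.Collections.Generic.List[string]]::new()

foreach ($member in $aadGroupMembers) {
    $upn = $member.UserPrincipalName
    # Nested groups, service principals and devices carry no UPN and cannot
    # be mapped to an AD user; say so instead of silently reporting "not found".
    if ([string]::IsNullOrEmpty($upn)) {
        "[!] Member $($member.DisplayName) ($($member.ObjectType)) has no UserPrincipalName, skipping"
        continue
    }
    # The AD provider resolves $upn itself, so the directory-supplied value is
    # never spliced into the filter text and cannot change the query.
    # NOTE(review): this read runs as the runbook host identity, unlike the
    # other AD calls which pass -Credential; confirm that is intended.
    $adUser = Get-ADUser -Filter 'UserPrincipalName -eq $upn' -ErrorAction SilentlyContinue
    if ($adUser) {
        if ($existingDns.Contains($adUser.DistinguishedName)) {
            "[ ] User $upn is already a member of the group."
        } else {
            $adGroup | Add-ADGroupMember -Members $adUser -Credential $credential
            "[+] User $upn added to a group."
            $added.Add($adUser.DistinguishedName)
        }
        [void]$seen.Add($adUser.DistinguishedName)
    } else {
        # Cloud-only accounts have no on-premises counterpart.
        "[!] User $upn not found in AD"
    }
}

if ($RemoveUnmatched) {
    foreach ($member in $adGRoupMembers) {
        if (-not $seen.Contains($member.DistinguishedName)) {
            # Get-ADGroupMember returns ADPrincipal objects, which have no
            # UserPrincipalName property; the DN is what identifies the object.
            # NOTE(review): non-user members (nested groups, computers) are
            # removed here too, as before; filter on objectClass if unwanted.
            " [-] removing {0} from a group {1}" -f $member.DistinguishedName, $destinationAdGRoupName
            $adGroup | Remove-ADGroupMember -Credential $credential -Members $member -Confirm:$false
            $removed.Add($member.DistinguishedName)
        }
    }
}

$duration = [Math]::Round(((Get-Date) - $startDateTime).TotalMinutes, 2)
"Sync finished after {0} minutes, users in destination group: {1}, added: {2}, removed: {3}" -f $duration, $seen.Count, $added.Count, $removed.Count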