
I'm currently rewriting a few PowerShell commands for retrieving user and group information from AAD. Previously we used the Connect-MSOLService and Get-MSOLGroup commands to fetch information about groups. Due to preparations for MS MFA requirements we are now trying to use Connect-AzureAD and Get-AzureADGroup commands with MFA for setting up the connection and retrieving information from AAD instead.

The problem I encountered was a missing/different set of attributes retrieved by the commands. For example, when retrieving groups with the Get-MSOLGroup command we had access to the CommonName property of all groups. However, using the Get-AzureADGroup command this property is no longer present on the objects returned as a result. See the images below for the properties available between the two commands.

[Image: properties returned by Get-MSOLGroup]

[Image: properties returned by Get-AzureADGroup]

I have spent quite some time trying to figure this out and can't seem to find any documentation or explanation for the differences between the properties retrieved by the commands. Has anyone come across this before, have any suggestions for a workaround, or have a different approach for retrieving the same attributes provided by the Get-MSOLGroup command using Get-AzureADGroup (or equivalent)?

Worth mentioning is that we search for groups by their CommonName attribute to check their existence from our on-prem application. I have also tried using the Get-AzureADMSGroup command, but it seems to return the same properties attached to each group. The groups are created in an on-prem AD and then synced to AAD by using Azure AD Connect.

Update:

Added the query we are currently running to check existence of groups based on their CommonName in the image below.

[Image: the Get-MSOLGroup query filtering on CommonName]

  • Hello, can you please provide an example output of an MSOL Group which has a Common Name attribute value to help me understand? – Ansuman Bal Oct 14 '21 at 10:19
  • Hi, I added an image showing the result of the query we are currently using to identify groups in AAD from our on-prem application. This is currently the only property which our on-prem application and AAD have knowledge of what it is supposed to be. This field is unique for all groups and therefore used to identify them when they have been exported to AAD from our on-prem AD. – Marcus Hanikat Oct 14 '21 at 13:33
  • Can you please check if mailNickName from the Azure AD module serves the purpose of CommonName from the MSOL module? Please let me know. – Ansuman Bal Oct 14 '21 at 13:50
  • I think you're on to something! This certainly seems to be the case. I have to check a couple more groups to make sure. It seems weird though that mailNickname from our on-prem AD is not synced to this field; we are not using it for groups and thus it has value ''... This feels like unexpected behaviour? Do you have any source where you found the source of this mapping? – Marcus Hanikat Oct 14 '21 at 14:17
  • Great!! But if you are talking about groups synced from on-prem AD to Azure AD, as the unique identifier it seems you can also use OnPremisesSecurityIdentifier, as that is unique and only present if on-prem AD is synced to Azure AD. – Ansuman Bal Oct 14 '21 at 14:58
  • Also, I suggested mailNickname as the attribute CN gets synced to in Azure AD as per this [Document](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized#azure-rms): "Most often the prefix of [mail] value." – Ansuman Bal Oct 14 '21 at 15:12
  • Hi, sorry I was delayed a bit with the testing, but everything seems to be working now! MailNickName seems to always follow the value of CommonName. Thank you so much for your help!! – Marcus Hanikat Oct 18 '21 at 14:34
  • np!! @MarcusHanikat, glad to be of help!! – Ansuman Bal Oct 18 '21 at 14:45

1 Answer

  • As mentioned in the comment section, the CommonName of the MSOL module mostly correlates with MailNickName of the AzureAD module as per this Microsoft Document, i.e. CN is mostly the prefix of Mail, which is the same for MailNickName.
  • But if it's not set for all the groups and if you are looking for a unique identifier between the on-prem AD and Azure AD, then it's better to use OnPremisesSecurityIdentifier of the AzureAD module, which will be the on-premises group SID and will be unique for AzureAD groups which are synced from on-prem.

Reference:

Similar SO thread for Graph API by Dan Kershaw - MSFT

Microsoft Document for customizing Attribution Mapping

Ansuman Bal
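The lookup described in the thread, as an added example that is not code from the question or the answer: it resolves an on-prem group in AAD by MailNickName (the attribute Azure AD Connect fills from the CN), fails closed on collisions because MailNickName is writable in AAD, and then confirms the match against the immutable on-prem SID via OnPremisesSecurityIdentifier. It assumes Connect-AzureAD has already been run (with MFA), the RSAT ActiveDirectory module is available for Get-ADGroup, and that Get-AzureADGroup's -Filter accepts an OData filter on mailNickname; the function names and the group name are constructed.

```powershell
# Added example, not from the original thread. Assumes Connect-AzureAD has been run,
# the ActiveDirectory module is installed, and -Filter supports "mailNickname eq".

function Find-AadGroupByCommonName {
    param([Parameter(Mandatory)] [string] $CommonName)

    # Escape single quotes so a CN containing one cannot break the OData filter.
    $escaped = $CommonName -replace "'", "''"
    $found = @(Get-AzureADGroup -Filter "mailNickname eq '$escaped'")

    if ($found.Count -gt 1) {
        # MailNickName can be edited in AAD, so duplicates are possible: refuse to guess.
        throw "Ambiguous: $($found.Count) AAD groups have MailNickName '$CommonName'."
    }
    return ($found | Select-Object -First 1)
}

function Test-AadGroupMatchesOnPrem {
    param([Parameter(Mandatory)] [string] $CommonName)

    $aad = Find-AadGroupByCommonName -CommonName $CommonName
    if (-not $aad) { return $false }

    # Stronger check than the name: the on-prem SID written by Azure AD Connect into
    # OnPremisesSecurityIdentifier cannot be changed from the AAD side.
    $escaped = $CommonName -replace "'", "''"
    $onPrem = Get-ADGroup -Filter "Name -eq '$escaped'" -ErrorAction Stop
    if (-not $onPrem) { return $false }

    return ($aad.OnPremisesSecurityIdentifier -eq $onPrem.SID.Value)
}

# Usage with a constructed group name (hypothetical):
$cn = 'APP-Finance-Readers'
if (Test-AadGroupMatchesOnPrem -CommonName $cn) {
    Write-Output "Group '$cn' exists in AAD and its SID matches on-prem AD."
} else {
    Write-Output "Group '$cn' is missing in AAD or does not match the on-prem object."
}
```

Groups created natively in AAD have no OnPremisesSecurityIdentifier, so the SID comparison correctly returns $false for them even when a MailNickName happens to match.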