<#
.DESCRIPTION
Creates Dynamic (and assigned) Azure AD groups from a CSV file. Use the "GroupsFile" parameter to name the CSV file with the list of groups to create; the file should be in the same directory as the script.
It can operate on a specified tenant or the default tenant associated with the provided credentials.
.NOTES
- The script now accepts an optional "TenantId" parameter to specify the Azure AD tenant where the groups will be created.
- Import filename and path should be provided as a parameter. The default path is the execution path, and the default filename is "MEM_CreateGroups.csv".
- The import file should contain the following headers: "GroupType", "GroupDisplayName", "GroupDescription", "GroupMembershipType", "GroupMembershipRule", "GroupOwner".
- Valid strings for "GroupMembershipType" are "AA" for assigned groups, "DD" for Dynamic Device groups, and "DU" for Dynamic User groups.
- The script checks for local administrative privileges and also verifies the AzureADPreview PowerShell module is installed.
Script created or based on Alex Durante's (tw:@ADurrante) Blog:
Source: https://letsconfigmgr.com/bulk-create-intune-groups-script/#The_Script
.EXAMPLE
.\MEM_CreateGroups.ps1 -GroupsFile "MEM_CreateGroups.csv"
Creates all groups listed in "MEM_CreateGroups.csv" file in the default tenant.
.\MEM_CreateGroups.ps1 -GroupsFile "MEM_CreateGroups.csv" -GroupsConfirm "Y"
Creates groups in "MEM_CreateGroups.csv" file in the default tenant, does not request confirmation before creating groups.
.\MEM_CreateGroups.ps1 -GroupsFile "MEM_CreateGroups.csv" -TenantId "your-tenant-id"
Creates all groups listed in "MEM_CreateGroups.csv" file in the specified tenant with ID "your-tenant-id".
.\MEM_CreateGroups.ps1 -GroupsFile "MEM_CreateGroups.csv" -GroupsConfirm "Y" -TenantId "your-tenant-id"
Creates groups in "MEM_CreateGroups.csv" file in the specified tenant with ID "your-tenant-id", does not request confirmation before creating groups.
#>
#region Settings
param (
    [Parameter()]
    [string]$GroupsFile = "MEM_CreateGroups.csv",
    # Pass "N" to skip the per-group confirmation prompt; any other value prompts for each group.
    [string]$GroupsConfirm = "Y",
    # Optional tenant to sign in to. [string] coerces $null to "", which ConnectToAAD treats as
    # "not provided" and then lets Connect-AzureAD pick the account's default tenant.
    [string]$TenantId = $null
)

# Reset error state and set up the script-wide variables used by the Main region.
$Error.Clear()
$errMessage = ''
$t = Get-Date
# Group definitions are read from the execution directory; only the file name is configurable.
$ImportPath = '.\'
$ImportFilename = $GroupsFile
$GroupsObj = New-Object -TypeName PSObject

# Blank lines before any output starts.
Write-Host -Object "`n`n"
#endregion Settings
#region Functions
# Verify if running as Local Administrator
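function Test-IsAdmin {
    <#
    .SYNOPSIS
    Checks whether the current Windows identity holds the local Administrator role.
    .OUTPUTS
    [bool] $true when elevated, $false otherwise. A status line is written to the host either way.
    .NOTES
    Uses System.Security.Principal.WindowsIdentity, so this check is Windows-only.
    NOTE(review): the only install in this script runs with -Scope CurrentUser, which does not
    need elevation; confirm whether requiring local admin here is still intended.
    #>
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    if ($principal.IsInRole($adminRole)) {
        # Message typo fixed ("Adminitrator").
        Write-Host "Administrator rights have been confirmed"
        return $true
    }

    Write-Host "Script needs to run with Administrative privileges"
    return $false
}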
# Install Azure AD Preview PS Module and connect to Tenant.
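function ConnectToAAD {
    <#
    .SYNOPSIS
    Ensures the AzureADPreview module is installed and imported, then signs in to Azure AD.
    .PARAMETER TenantId
    Optional tenant to sign in to. When null or empty, Connect-AzureAD is called without a
    tenant and uses the default tenant of the account entered at the prompt.
    .OUTPUTS
    [bool] $true when sign-in succeeded, $false after an install, import or sign-in failure
    (a message is written to the host in each failure case).
    .NOTES
    - Install-Module fetches AzureADPreview from the default registered repository with -Force
      and no version pin, so what gets installed depends on what the gallery serves at run time.
      On managed hosts, pin a known version or pre-stage the module instead.
    - NOTE(review): the AzureAD / AzureADPreview modules have been deprecated by Microsoft in
      favour of Microsoft Graph PowerShell; confirm they still authenticate against the tenant.
    #>
    param (
        [string]$TenantId = $null # [string] coerces $null to ""; both mean "not provided"
    )

    # -ErrorAction Stop on each call below is what makes the try/catch work: Install-Module and
    # Import-Module report many failures as non-terminating errors, which catch does not see.
    if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
        Write-Host "Installing AzureAD PowerShell Module" -ForegroundColor Green
        try {
            Install-Module -Name AzureADPreview -AllowClobber -Force -Scope CurrentUser -ErrorAction Stop
        }
        catch {
            Write-Host "Failed to install AzureADPreview Module. Please install it manually and rerun the script." -ForegroundColor Red
            return $false
        }
    }

    Write-Host "Importing AzureADPreview Module" -ForegroundColor Green
    try {
        Import-Module AzureADPreview -Force -ErrorAction Stop
    }
    catch {
        Write-Host "Failed to import AzureADPreview Module. Please resolve the issue and rerun the script." -ForegroundColor Red
        return $false
    }

    Write-Host "Please log into AzureAD" -ForegroundColor Green
    try {
        if ([string]::IsNullOrEmpty($TenantId)) {
            # No tenant given: let the sign-in pick the account's default tenant.
            Connect-AzureAD -ErrorAction Stop
        }
        else {
            Connect-AzureAD -TenantId $TenantId -ErrorAction Stop
        }
    }
    catch {
        Write-Host "Failed to connect to Azure AD. Please check your credentials or TenantId and try again." -ForegroundColor Red
        return $false
    }
    return $true
}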
# Find user in AzureAD
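function Find-AzureADUser {
    <#
    .SYNOPSIS
    Looks up an Azure AD user by userPrincipalName.
    .PARAMETER aadUser
    The UPN to look up (the CSV's GroupOwner column). Null, empty or whitespace-only values
    are accepted and return $null, so a row without an owner no longer trips the mandatory
    parameter binding and prints an error.
    .OUTPUTS
    The object returned by Get-AzureADUser when it has a non-empty ObjectId; $null on blank
    input, on a lookup error (written with Write-Error) or when no user matched (Write-Warning).
    #>
    param (
        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [AllowEmptyString()]
        $aadUser
    )

    # Blank or null query returns a null result without calling Azure AD.
    if ([string]::IsNullOrWhiteSpace($aadUser)) {
        return $null
    }

    # The UPN is interpolated into an OData filter string. A single quote inside the value would
    # end the string literal and change the shape of the filter, so double it as OData requires;
    # the CSV is operator-supplied input and should not be able to rewrite the query.
    $escapedUser = ([string]$aadUser).Replace("'", "''")

    try {
        $aadUserObj = Get-AzureADUser -Filter "userPrincipalName eq '$escapedUser'" -ErrorAction Stop
    }
    catch {
        # $_ is the error being handled; $error.Exception would read the whole error history.
        Write-Error "Error finding user $aadUser in Azure AD`n`t$($_.Exception.Message)"
        return $null
    }

    # No match: warn and leave the owner blank rather than failing the group creation.
    if ([string]::IsNullOrEmpty($aadUserObj.ObjectId)) {
        Write-Warning "Didn't find user $aadUser, owner property will be left blank"
        return $null
    }
    return $aadUserObj
}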
#endregion Functions
#######################################################################
#region Main
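# Verify if running as Admin, exit if not.
if (-not (Test-IsAdmin)) {
    Exit 1
}

# Import the group definitions. Import-Csv reports a missing file as a non-terminating error,
# so -ErrorAction Stop is required for the catch below to fire instead of continuing with no data.
try {
    $GroupsObj = Import-Csv -Path "$ImportPath$ImportFilename" -ErrorAction Stop
}
catch {
    Write-Host "Error importing $ImportFileName.`nPlease verify File name and/or extension.`nYou can use parameter ""GroupsFile"" to specify file name. `n`n" -ForegroundColor Red
    # $_ is the error being handled; $error.Exception would read the whole error history.
    Write-Error $_.Exception.Message
    Exit 1
}

# Connect to Azure AD, optionally to the tenant given on the command line.
$connectionResult = ConnectToAAD -TenantId $TenantId
if ($connectionResult -eq $false) {
    Write-Host "Failed to connect to Azure AD. Exiting script." -ForegroundColor Red
    exit 1
}

# Preview of what is about to be created, so the operator can review it before confirming.
# NOTE: the GroupAadRoles column is read below but is neither shown here nor listed in the help
# block's header list; rows with GroupAadRoles = YES create role-assignable groups and deserve the
# same review as the membership rules.
$GroupsObj | Select-Object GroupType, GroupDisplayName, GroupDescription, GroupMembershipType, GroupMembershipRule, GroupOwner | Format-Table

# Only "N" skips the per-group prompt (see the GroupsConfirm parameter comment; the .EXAMPLE text
# showing "Y" for this contradicts it, and the code follows the parameter comment). The original
# test read an undefined $Confirm, so the prompt could never be skipped.
$skipConfirmation = ($GroupsConfirm -eq "N")

$validMembershipTypes = @("AA", "DU", "DD")

foreach ($Group in $GroupsObj) {
    # Per-row state, reset so nothing leaks from the previous row.
    [string]$confirmGroup = $null
    [string]$GroupTypes = $null
    [string]$GroupQuery = $null
    [bool]$GroupRoleAssign = $false
    $GroupOwn = $null

    if ($validMembershipTypes -notcontains $Group.GroupMembershipType) {
        # Report this row's own name; $Groupname was not set yet in the original and showed the previous row.
        Write-Host "`tAzure AD Group $($Group.GroupDisplayName) was not created. You must specify Group Membership Type." -ForegroundColor Yellow
        Write-Host "`tVerify Group file.`n`n" -ForegroundColor Yellow
        Write-Host "`t Group Type can be AA for assigned group, DD for Dynamic Device, DU for Dynamic User. `n`t Please verify files and header." -ForegroundColor Yellow
        continue
    }

    Write-Host "Creating Azure AD Group: $($Group.GroupDisplayName)" -ForegroundColor Green

    # Import-Csv yields "" (not $null) for empty cells, so test for blank rather than null.
    if ([string]::IsNullOrWhiteSpace($Group.GroupDisplayName)) {
        Write-Host "Can not create Group. `nGroup definition in file should specify a name. Please verify informations and headers in file" -ForegroundColor Red
        continue
    }
    $Groupname = $Group.GroupDisplayName
    $GroupDesc = $Group.GroupDescription
    $GroupOwn  = Find-AzureADUser ($Group.GroupOwner)
    # IsAssignableToRole is taken from the CSV. A role-assignable group's members receive any
    # directory roles later assigned to the group, and its owners control that membership, so
    # the value of this column is a privilege decision, not a cosmetic one.
    if ($Group.GroupAadRoles -eq "YES") {
        $GroupRoleAssign = $true
    }

    $isDynamic = ($Group.GroupMembershipType -eq "DU") -or ($Group.GroupMembershipType -eq "DD")
    if ($isDynamic) {
        # A dynamic group needs a rule; blank cells arrive as "" from Import-Csv.
        if ([string]::IsNullOrWhiteSpace($Group.GroupMembershipRule)) {
            Write-Host "Can not create Dynamic Group. `nDynamic Group definition should specify query rules. Please verify information and headers in file" -ForegroundColor Red
            continue
        }
        # The rule is applied verbatim and decides who ends up in the group; review it in the
        # preview above before confirming.
        $GroupQuery = $Group.GroupMembershipRule
        $GroupTypes = "DynamicMembership"
    }

    # Get confirmation before creating the group unless -GroupsConfirm "N" was given.
    if ($skipConfirmation) {
        $confirmGroup = "Y"
    }
    else {
        Write-Host "`tPlease confirm that you want to create Azure AD Group ""$Groupname"" (Y/N)?: " -ForegroundColor Green -NoNewline
        $confirmGroup = Read-Host
    }
    if ($confirmGroup -ne "Y") {
        Write-Host "`tAzure AD Group $Groupname was not created." -ForegroundColor Yellow
        continue
    }

    # One splatted call covers both cases; dynamic groups add the membership settings.
    $groupParams = @{
        DisplayName        = "$Groupname"
        Description        = "$GroupDesc"
        MailEnabled        = $false
        SecurityEnabled    = $true
        IsAssignableToRole = $GroupRoleAssign
        MailNickname       = "$($Groupname.replace(' ',''))"
        ErrorAction        = 'Stop'
    }
    if ($isDynamic) {
        $groupParams['GroupTypes'] = $GroupTypes
        $groupParams['MembershipRule'] = "$GroupQuery"
        $groupParams['MembershipRuleProcessingState'] = 'On'
    }
    try {
        $AzureGroup = New-AzureADMSGroup @groupParams
    }
    catch {
        # Notify and move on to the next row.
        $errMessage = $_.Exception.ErrorContent.Message
        Write-Host "`tUnable to create $Groupname. `n`tERROR: $errMessage" -ForegroundColor Red
        continue
    }

    # Set the owner. The group already exists at this point, so report a failure but keep going.
    if ($null -ne $GroupOwn) {
        try {
            Add-AzureADGroupOwner -ObjectId "$($AzureGroup.Id)" -RefObjectId "$($GroupOwn.ObjectId)" -ErrorAction Stop
        }
        catch {
            Write-Host "`tGroup $Groupname was created but owner $($Group.GroupOwner) could not be added. `n`tERROR: $($_.Exception.Message)" -ForegroundColor Red
        }
    }
    Write-Host "...Successfully created Azure AD Group $Groupname"
}

# The end.
Write-Host "`nFinished creating Groups!"
# Give me some space, please.
Write-Host "`n`n"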
#endregion Main