Hi, how do I check Azure AD Security group usage - a listing of groups in a tenant, and where they are used, Teams, SPI, RBAC groups, Enterprise Apps etc

Nesisa Chimboza 1 Reputation point
2022-02-22T21:35:36.043+00:00

Hi, how do I check Azure AD Security group usage - a listing of groups in a tenant, and where they are used, Teams, SPI, RBAC groups, Enterprise Apps etc

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Siva-kumar-selvaraj 15,636 Reputation points
    2022-02-28T16:31:36.31+00:00

    Hello @Nesisa Chimboza ,

    Thanks for reaching out.

    There's no direct way to get usage information because Azure AD doesn't maintain usage information. Alternatively, you could use a custom script that includes the respective services' cmdlets, such as Azure AD Application, Azure RBAC, Teams, etc.

    As a result, use the Get-AzureADGroup cmdlet to retrieve the Group objectID and then build your own logic to look up the below cmdlets to find out which services have group enabled. Please see the samples below for your reference:

    **Retrieve RBAC role assignments for a group:**
    Get-AzRoleAssignment | where {$_.ObjectId -like "{Group Object ID}"}
    Reference: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azroleassignment?view=azps-7.2.0

    **Retrieve application role assignments of a group:**
    $GroupId = (Get-AzureADGroup -Top 1).ObjectId
    Get-AzureADGroupAppRoleAssignment -ObjectId $GroupId

    The first command gets the object ID of a group by using the Get-AzureADGroup cmdlet. The command stores the ID in the $GroupId variable. The second command gets the application role assignments of the group in $GroupId.
    Reference: https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureadgroupapproleassignment?view=azureadps-2.0#example-1--retrieve-application-role-assignments-of-a-group

    **Retrieve team-enabled groups:**
    Get-Team -GroupId {Group Object ID}
    Reference: https://learn.microsoft.com/en-us/powershell/module/teams/get-team?view=teams-ps

    **Using Get-UnifiedGroup to Find Teams:**
    Get-UnifiedGroup -Filter {ResourceProvisioningOptions -eq "Team"} -ResultSize Unlimited

    **Finding Yammer-Enabled Groups:**
    Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.GroupSku -eq "Yammer" }

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
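
One way to combine the cmdlets from the answer above into a single per-group report, as an added example that is not part of the original answer or Microsoft's own code. It assumes the AzureAD, Az and MicrosoftTeams modules are installed and that the signed-in account can read all three services; the CSV file name and the `Unused` column are choices made for this example, and Exchange Online (Get-UnifiedGroup) is not covered.

```powershell
# Added example. Requires the AzureAD, Az.Accounts, Az.Resources and MicrosoftTeams modules.
Connect-AzureAD        | Out-Null
Connect-AzAccount      | Out-Null
Connect-MicrosoftTeams | Out-Null

# Get-AzRoleAssignment only sees the current subscription context, so walk every
# subscription once and index group assignments by the group's object ID.
$rbacByGroup = @{}
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($ra in Get-AzRoleAssignment | Where-Object { $_.ObjectType -eq 'Group' }) {
        if (-not $rbacByGroup.ContainsKey($ra.ObjectId)) { $rbacByGroup[$ra.ObjectId] = @() }
        $rbacByGroup[$ra.ObjectId] += "$($ra.RoleDefinitionName) @ $($ra.Scope)"
    }
}

# One call for all teams; a team's GroupId is the object ID of its backing group.
$teamIds = @{}
Get-Team | ForEach-Object { $teamIds[$_.GroupId] = $true }

$report = foreach ($group in Get-AzureADGroup -All $true) {
    $id   = $group.ObjectId
    $rbac = @()
    if ($rbacByGroup.ContainsKey($id)) { $rbac = @($rbacByGroup[$id] | Sort-Object -Unique) }

    # Enterprise applications (service principals) the group is assigned to.
    $apps = @(Get-AzureADGroupAppRoleAssignment -ObjectId $id -All $true |
              Select-Object -ExpandProperty ResourceDisplayName -Unique)
    $isTeam = $teamIds.ContainsKey($id)

    [pscustomobject]@{
        DisplayName     = $group.DisplayName
        ObjectId        = $id
        SecurityEnabled = $group.SecurityEnabled
        RbacAssignments = $rbac -join '; '
        EnterpriseApps  = $apps -join '; '
        IsTeam          = $isTeam
        # No reference found in the three services checked here; not proof the group is unused.
        Unused          = ($rbac.Count -eq 0 -and $apps.Count -eq 0 -and -not $isTeam)
    }
}

$report | Export-Csv -Path .\group-usage.csv -NoTypeInformation
$report | Where-Object { $_.Unused } | Select-Object DisplayName, ObjectId
```

Groups flagged `Unused` can still be referenced by services this script does not query, so treat the flag as a review candidate rather than a deletion list.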
