Powershell to Synchronize Groups Between Tenants

Question


I'm attempting to sync groups from one tenant to another. I don't care about group membership, just the group names. I'd like to run this on a schedule so if the group already exists, ignore and move to the next one. I have Global admin in both test tenants I'm working in.

Tenant A = Source
Tenant B = Destination

The errors:

```
Get-AzureADGroup : Error occurred while executing GetGroups 
Code: Request_UnsupportedQuery
Message: Unsupported Query.
RequestId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DateTimeStamp: Thu, 06 Jul 2023 02:35:19 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\xxxxx\xxxxxxxx\GroupSync.ps1:14 char:22
+ ... tingGroup = Get-AzureADGroup -Filter "'DisplayName' eq '$groupname.Di ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADGroup], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetGroup
Group 'class Group {
  DeletionTimestamp: 
  ObjectId: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ObjectType: Group
  Description:  
  DirSyncEnabled: 
  DisplayName: xxxxxxxxxxxxxxxxxxx
  LastDirSyncTime: 
  Mail: 
  MailEnabled: False
  MailNickName: NotSet
  OnPremisesSecurityIdentifier: 
  ProvisioningErrors: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ProvisioningError]
  ProxyAddresses: System.Collections.Generic.List`1[System.String]
  SecurityEnabled: True
}
' does not exist. Creating...
New-AzureADGroup : Error occurred while executing NewGroup 
Code: Request_BadRequest
Message: Invalid value specified for property 'displayName' of resource 'Group'.
RequestId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DateTimeStamp: Thu, 06 Jul 2023 02:35:20 GMT
Details: PropertyName  - displayName, PropertyErrorCode  - InvalidLength
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGroupSync.ps1:25 char:21
+ ... $newGroup = New-AzureADGroup -DisplayName "$groupName.DisplayName" -D ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADGroup], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewGroup

Failed to create group 'class Group {
  DeletionTimestamp: 
  ObjectId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ObjectType: Group
  Description:  
  DirSyncEnabled: 
  DisplayName: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  LastDirSyncTime: 
  Mail: 
  MailEnabled: False
  MailNickName: NotSet
  OnPremisesSecurityIdentifier: 
  ProvisioningErrors: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ProvisioningError]
  ProxyAddresses: System.Collections.Generic.List`1[System.String]
  SecurityEnabled: True
}
```

Here's what I've got so far:

```powershell
# Connect to Tenant A
Connect-AzureAD -TenantId xxxxxxxxxxxxxxxxxxx


# Get All Cloud Groups
$groupNames = Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -like ""}
Disconnect-AzureAD

# Connect To 2nd Tenant
Connect-AzureAD -TenantId xxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Loop through each group name and check if it exists
foreach ($groupName in $groupNames) {
    $existingGroup = Get-AzureADGroup -Filter "'DisplayName' eq '$groupname.DisplayName'"

    if ($existingGroup) {
        Write-Host "Group '$groupName' already exists."
    } else {
        Write-Host "Group '$groupName' does not exist. Creating..."
        
        # Create the group using the desired details
        #$groupDescription = "$groupName.Description"
        $groupMailNickname = "NotSet"
        
        $newGroup = New-AzureADGroup -DisplayName "$groupName.DisplayName" -Description "$groupname.Description" -MailNickname $groupMailNickname -SecurityEnabled $true -MailEnabled $false
        
        if ($newGroup) {
            Write-Host "Group '$groupName' created successfully."
        } else {
            Write-Host "Failed to create group '$groupName'."
        }
    }
}
Disconnect-AzureAD
```

Answer 1

Score: 0

To Sync the Groups from TenantA to TenantB, modify the script like below:

```powershell
# Connect to Tenant A
Connect-AzureAD -TenantId "TenantA"

# Get All Cloud Groups
$groupNames = Get-AzureADGroup -All $true | Where-Object { -not $_.DirSyncEnabled }

Disconnect-AzureAD

# Connect To 2nd Tenant
Connect-AzureAD -TenantId "TenantB"

# Loop through each group name and check if it exists
foreach ($groupName in $groupNames) {
    $existingGroup = Get-AzureADGroup -Filter "DisplayName eq '$($groupName.DisplayName)'"

    if ($existingGroup) {
        Write-Host "Group '$($groupName.DisplayName)' already exists."
    } else {
        Write-Host "Group '$($groupName.DisplayName)' does not exist. Creating..."
        
        # Create the group using the desired details
        $groupDescription = $groupName.Description
        $groupMailNickname = "NotSet"
        
        $newGroup = New-AzureADGroup -DisplayName $groupName.DisplayName -Description $groupDescription -MailNickname $groupMailNickname -SecurityEnabled $true -MailEnabled $false
        
        if ($newGroup) {
            Write-Host "Group '$($groupName.DisplayName)' created successfully."
        } else {
            Write-Host "Failed to create group '$($groupName.DisplayName)'."
        }
    }
}
Disconnect-AzureAD
```

The Groups from TenantA to TenantB sync'd successfully like below:

![enter image description here](https://i.imgur.com/2mQAbiE.png)

The Groups in TenantA look like:

![enter image description here](https://i.imgur.com/Gw6Ur4u.png)

In the TenantB Portal, the Groups got created successfully like below:

![enter image description here](https://i.imgur.com/2UWsL1G.png)
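Why the question's script produced both errors, shown offline as an added example (not part of the original question or answer): `"$group.DisplayName"` expands only `$group`, so the whole object is stringified into the filter and the display name. The helper `New-DisplayNameFilter`, the sample groups and the 256-character limit are assumptions made for illustration; the helper also doubles single quotes so a name containing `'` cannot break out of the OData string literal.

```powershell
# Constructed objects standing in for Get-AzureADGroup output (not real tenant data).
$sourceGroups = @(
    [pscustomobject]@{ DisplayName = 'Finance Team';    Description = 'Finance' }
    [pscustomobject]@{ DisplayName = "O'Brien Project"; Description = $null }
    [pscustomobject]@{ DisplayName = ('x' * 300);       Description = 'Too long' }
)

# Assumption: 256 characters is the displayName limit enforced by the directory.
$MaxDisplayNameLength = 256

# Hypothetical helper: unquoted property name, value with single quotes doubled
# so a name such as O'Brien cannot terminate the OData string literal early.
function New-DisplayNameFilter {
    param([Parameter(Mandatory)][string]$DisplayName)
    "DisplayName eq '{0}'" -f $DisplayName.Replace("'", "''")
}

$report = foreach ($group in $sourceGroups) {
    # Question's form: only $group is expanded (the object is stringified) and
    # ".DisplayName" stays literal text, so the service receives a malformed value.
    $asInQuestion = "'DisplayName' eq '$group.DisplayName'"

    $name  = $group.DisplayName
    $valid = -not [string]::IsNullOrWhiteSpace($name) -and
             $name.Length -le $MaxDisplayNameLength

    [pscustomobject]@{
        NameLength     = $name.Length
        # Truncated for display only; the real string carries the full object dump.
        QuestionFilter = $asInQuestion.Substring(0, [Math]::Min(60, $asInQuestion.Length))
        SafeFilter     = if ($valid) { New-DisplayNameFilter -DisplayName $name } else { $null }
        Action         = if ($valid) { 'Query, then create if missing' } else { 'Skip: invalid displayName length' }
    }
}

$report | Format-List
```

For a scheduled run, passing the `SafeFilter` value to `Get-AzureADGroup -Filter` and skipping rows marked invalid keeps one odd group name from failing or distorting the lookup.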

huangapple
  • Posted on July 6, 2023 at 10:43:59
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76625179.html