Powershell同步租户之间的群组

huangapple
go评论112阅读模式
英文:

Powershell to Synchronize Groups Between Tenants

问题

我正在尝试将一个租户中的群组同步到另一个租户。我不关心群组成员,只关心群组名称。我希望能定期运行此操作,所以如果群组已经存在,就忽略并继续下一个。我在两个测试租户中都拥有全局管理员权限。

租户A = 源租户
租户B = 目标租户

错误信息:

  1. Get-AzureADGroup : 执行 GetGroups 时发生错误
  2. Code: Request_UnsupportedQuery
  3. Message: 不支持的查询
  4. RequestId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  5. DateTimeStamp: Thu, 06 Jul 2023 02:35:19 GMT
  6. HttpStatusCode: BadRequest
  7. HttpStatusDescription: Bad Request
  8. HttpResponseStatus: Completed
  9. At C:\Users\xxxxx\xxxxxxxx\GroupSync.ps1:14 char:22
  10. + ... tingGroup = Get-AzureADGroup -Filter "'DisplayName' eq '$groupname.Di ...
  11. +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  12.     + CategoryInfo          : NotSpecified: (:) [Get-AzureADGroup], ApiException
  13.     + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetGroup
  1. Group 'class Group {
  2.   DeletionTimestamp: 
  3.   ObjectId: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  4.   ObjectType: Group
  5.   Description:  
  6.   DirSyncEnabled: 
  7.   DisplayName: xxxxxxxxxxxxxxxxxxx
  8.   LastDirSyncTime: 
  9.   Mail: 
  10.   MailEnabled: False
  11.   MailNickName: NotSet
  12.   OnPremisesSecurityIdentifier: 
  13.   ProvisioningErrors: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ProvisioningError]
  14.   ProxyAddresses: System.Collections.Generic.List`1[System.String]
  15.   SecurityEnabled: True
  16. }
  17. ' does not exist. Creating...
  18. New-AzureADGroup : 执行 NewGroup 时发生错误
  19. Code: Request_BadRequest
  20. Message: 属性 'displayName' 的值无效
  21. RequestId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  22. DateTimeStamp: Thu, 06 Jul 2023 02:35:20 GMT
  23. Details: PropertyName  - displayName, PropertyErrorCode  - InvalidLength
  24. HttpStatusCode: BadRequest
  25. HttpStatusDescription: Bad Request
  26. HttpResponseStatus: Completed
  27. At C:\Users\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGroupSync.ps1:25 char:21
  28. + ... $newGroup = New-AzureADGroup -DisplayName "$groupName.DisplayName" -D ...
  29. +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  30.     + CategoryInfo          : NotSpecified: (:) [New-AzureADGroup], ApiException
  31.     + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewGroup
  1. Failed to create group 'class Group {
  2.   DeletionTimestamp: 
  3.   ObjectId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  4.   ObjectType: Group
  5.   Description:  
  6.   DirSyncEnabled: 
  7.   DisplayName: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  8.   LastDirSyncTime: 
  9.   Mail: 
  10.   MailEnabled: False
  11.   MailNickName: NotSet
  12.   OnPremisesSecurityIdentifier: 
  13.   ProvisioningErrors: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ProvisioningError]
  14.   ProxyAddresses: System.Collections.Generic.List`1[System.String]
  15.   SecurityEnabled: True
  16. }

以下是我迄今为止的代码:

  1. # 连接到租户A
  2. Connect-AzureAD -TenantId xxxxxxxxxxxxxxxxxxx
  4. # 获取所有云端群组
  5. $groupNames = Get-AzureADGroup -All $true | Where-Object {$_.DirSyncEnabled -like ""}
  6. Disconnect-AzureAD
  8. # 连接到第二个租户
  9. Connect-AzureAD -TenantId xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  11. # 循环遍历每个群组名称并检查是否存在
  12. foreach ($groupName in $groupNames) {
  13.     $existingGroup = Get-AzureADGroup -Filter "'DisplayName' eq '$groupname.DisplayName'"
  15.     if ($existingGroup) {
  16.         Write-Host "群组 '$groupName' 已经存在。"
  17.     } else {
  18.         Write-Host "群组 '$groupName' 不存在。正在创建..."
  20.         # 使用所需的详细信息创建群组
  21.         #$groupDescription = "$groupName.Description"
  22.         $groupMailNickname = "NotSet"
  24.         $newGroup = New-AzureADGroup -DisplayName "$groupName.DisplayName" -Description "$groupname.Description" -MailNickname $groupMailNickname -SecurityEnabled $true -MailEnabled $false
  26.         if ($newGroup) {
  27.             Write-Host "群组 '$groupName' 创建成功。"
  28.         } else {
  29.             Write-Host "创建群组 '$groupName' 失败。"
  30.         }
  31.     }
  32. }
  33. Disconnect-AzureAD
英文:

I'm attempting to sync groups from one tenant to another. I don't care about group membership, just the group names. I'd like to run this on a schedule so if the group already exists, ignore and move to the next one. I have Global admin in both test tenants I'm working in.

Tenant A = Source
Tenant B = Destination

The errors:

  1. Get-AzureADGroup : Error occurred while executing GetGroups 
  2. Code: Request_UnsupportedQuery
  3. Message: Unsupported Query.
  4. RequestId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  5. DateTimeStamp: Thu, 06 Jul 2023 02:35:19 GMT
  6. HttpStatusCode: BadRequest
  7. HttpStatusDescription: Bad Request
  8. HttpResponseStatus: Completed
  9. At C:\Users\xxxxx\xxxxxxxx\GroupSync.ps1:14 char:22
  10. + ... tingGroup = Get-AzureADGroup -Filter "'DisplayName' eq '$groupname.Di ...
  11. +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  12.     + CategoryInfo          : NotSpecified: (:) [Get-AzureADGroup], ApiException
  13.     + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetGroup
  1. Group 'class Group {
  2.   DeletionTimestamp: 
  3.   ObjectId: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  4.   ObjectType: Group
  5.   Description:  
  6.   DirSyncEnabled: 
  7.   DisplayName: xxxxxxxxxxxxxxxxxxx
  8.   LastDirSyncTime: 
  9.   Mail: 
  10.   MailEnabled: False
  11.   MailNickName: NotSet
  12.   OnPremisesSecurityIdentifier: 
  13.   ProvisioningErrors: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ProvisioningError]
  14.   ProxyAddresses: System.Collections.Generic.List`1[System.String]
  15.   SecurityEnabled: True
  16. }
  17. ' does not exist. Creating...
  18. New-AzureADGroup : Error occurred while executing NewGroup 
  19. Code: Request_BadRequest
  20. Message: Invalid value specified for property 'displayName' of resource 'Group'.
  21. RequestId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  22. DateTimeStamp: Thu, 06 Jul 2023 02:35:20 GMT
  23. Details: PropertyName  - displayName, PropertyErrorCode  - InvalidLength
  24. HttpStatusCode: BadRequest
  25. HttpStatusDescription: Bad Request
  26. HttpResponseStatus: Completed
  27. At C:\Users\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGroupSync.ps1:25 char:21
  28. + ... $newGroup = New-AzureADGroup -DisplayName "$groupName.DisplayName" -D ...
  29. +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  30.     + CategoryInfo          : NotSpecified: (:) [New-AzureADGroup], ApiException
  31.     + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewGroup
  32.  
  1. Failed to create group 'class Group {
  2.   DeletionTimestamp: 
  3.   ObjectId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  4.   ObjectType: Group
  5.   Description:  
  6.   DirSyncEnabled: 
  7.   DisplayName: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  8.   LastDirSyncTime: 
  9.   Mail: 
  10.   MailEnabled: False
  11.   MailNickName: NotSet
  12.   OnPremisesSecurityIdentifier: 
  13.   ProvisioningErrors: System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ProvisioningError]
  14.   ProxyAddresses: System.Collections.Generic.List`1[System.String]
  15.   SecurityEnabled: True
  16. }

Here's what I've got so far

  1. # Connect to Tenant A
  2. Connect-AzureAD -TenantId xxxxxxxxxxxxxxxxxxx
  5. # Get All Cloud Groups
  6. $groupNames = Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -like ""}
  7. Disconnect-AzureAD
  9. # Connect To 2nd Tenant
  10. Connect-AzureAD -TenantId xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  12. # Loop through each group name and check if it exists
  13. foreach ($groupName in $groupNames) {
  14.     $existingGroup = Get-AzureADGroup -Filter "'DisplayName' eq '$groupname.DisplayName'"
  16.     if ($existingGroup) {
  17.         Write-Host "Group '$groupName' already exists."
  18.     } else {
  19.         Write-Host "Group '$groupName' does not exist. Creating..."
  20.         
  21.         # Create the group using the desired details
  22.         #$groupDescription = "$groupName.Description"
  23.         $groupMailNickname = "NotSet"
  24.         
  25.         $newGroup = New-AzureADGroup -DisplayName "$groupName.DisplayName" -Description "$groupname.Description" -MailNickname $groupMailNickname -SecurityEnabled $true -MailEnabled $false
  26.         
  27.         if ($newGroup) {
  28.             Write-Host "Group '$groupName' created successfully."
  29.         } else {
  30.             Write-Host "Failed to create group '$groupName'."
  31.         }
  32.     }
  33. }
  34. Disconnect-AzureAD

答案1

得分: 0

  1.  `TenantA` 同步到 `TenantB` 的群组已成功完成如下:
  3. ![在此输入图片描述](https://i.imgur.com/2mQAbiE.png)
  5. **`TenantA`** 中的群组如下所示:
  7. ![在此输入图片描述](https://i.imgur.com/Gw6Ur4u.png)
  9.  **`TenantB`** 门户中,群组已成功创建如下:
  11. ![在此输入图片描述](https://i.imgur.com/2UWsL1G.png)
英文:

To Sync the Groups from TenantA to TenantB, modify the script like below:

  1. # Connect to Tenant A
  2. Connect-AzureAD -TenantId "TenantA"
  4. # Get All Cloud Groups
  5. $groupNames = Get-AzureADGroup -All $true | Where-Object { -not $_.DirSyncEnabled }
  7. Disconnect-AzureAD
  9. # Connect To 2nd Tenant
  10. Connect-AzureAD -TenantId "TenantB"
  12. # Loop through each group name and check if it exists
  13. foreach ($groupName in $groupNames) {
  14.     $existingGroup = Get-AzureADGroup -Filter "DisplayName eq '$($groupName.DisplayName)'"
  16.     if ($existingGroup) {
  17.         Write-Host "Group '$($groupName.DisplayName)' already exists."
  18.     } else {
  19.         Write-Host "Group '$($groupName.DisplayName)' does not exist. Creating..."
  20.         
  21.         # Create the group using the desired details
  22.         $groupDescription = $groupName.Description
  23.         $groupMailNickname = "NotSet"
  24.         
  25.         $newGroup = New-AzureADGroup -DisplayName $groupName.DisplayName -Description $groupDescription -MailNickname $groupMailNickname -SecurityEnabled $true -MailEnabled $false
  26.         
  27.         if ($newGroup) {
  28.             Write-Host "Group '$($groupName.DisplayName)' created successfully."
  29.         } else {
  30.             Write-Host "Failed to create group '$($groupName.DisplayName)'."
  31.         }
  32.     }
  33. }
  34. Disconnect-AzureAD

The Groups from TenantA to TenantB sync'd successfully like below:

Powershell同步租户之间的群组

The Groups in TenantA looks like:

Powershell同步租户之间的群组

In the TenantB Portal, the Groups got created successfully like below:

Powershell同步租户之间的群组

huangapple
  • 本文由 发表于 2023年7月6日 10:43:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/76625179.html
  • azure-active-directory
  • powershell
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定