When I first needed to see which groups a certain AAD device was a member of, I thought that this would be very easy. After all, if you want the group membership of a user, you can just look it up in the portal (via the user pane, or the troubleshooting pane in Intune) or use the Get-AzureADUserMembership PowerShell cmdlet.
However, it's not that easy for a device. You can't see it in the portal, and there is no equivalent of Get-AzureADUserMembership for a device.
So here is how you do it in PowerShell. I will be using the AzureAD module for this. You could also do it via the Graph API, but using the AAD module is simpler and needs a lot less code.
First, we need to connect to AzureAD
Connect-AzureAD
Then we get all AAD groups and assign them to the $Groups variable. Note that Get-AzureADGroup only returns the first 100 groups unless you pass -All $true, so in a tenant with more groups than that the lookup would silently miss memberships. We also create an empty array which will hold the objects returned by the query.
    $Groups = Get-AzureADGroup -All $true
    $Arr = @()
Then we loop through every group and check which of them our device is a member of ($DeviceName holds the device's display name). Get-AzureADGroupMember has the same 100-object page limit, so it also needs -All $true. Because a user or a group can have the same display name as the device, only members whose ObjectType is Device are accepted. When a match is found, it is added to our array.
    ForEach($group in $Groups) {
        $MemberOf = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
            Where-Object { $_.ObjectType -eq 'Device' -and $_.DisplayName -eq $DeviceName }
        If($MemberOf) {
            $Arr += [PSCustomObject]@{ GroupName = $Group.DisplayName }
        }
    }
If any groups were found, we output them:
    If($Arr) {
        Write-Host -ForegroundColor Yellow "Device $($DeviceName) is member of the following AAD-groups:"
        $Arr
    }
    else {
        Write-Host -ForegroundColor Red "Device $($DeviceName) is not member of any groups."
    }
Here is a sample output:
    PS C:\Users\RobinStenborg> Get-AzureADDeviceGroupMembership -DeviceName TFSB2
    Device TFSB2 is member of the following AAD-groups:

    GroupName
    --------------------
    grp-intune-insider
    grp-intune-testrstenborg
Here is the function in its entirety. In the code below I also added a check to see if the device exists in AAD. Since the device object is looked up first anyway, the group members are matched on the device's object ID rather than on its display name, which is not unique. The device name is also escaped before it goes into the OData filter, so a name containing a single quote cannot break the filter expression.
    Function Get-AzureADDeviceGroupMembership {
        param([parameter(Mandatory=$true)][string]$DeviceName)

        $Arr = @()

        # Double any single quote so the name cannot break out of the OData string literal
        $SafeName = $DeviceName.Replace("'", "''")
        $Device = Get-AzureADDevice -Filter "displayname eq '$SafeName'"

        If($Device) {
            # -All $true: without it only the first 100 groups are returned
            $Groups = Get-AzureADGroup -All $true

            ForEach($group in $Groups) {
                # Match on the device's object ID, not its display name: names are not unique,
                # and a user or group with the same display name would otherwise give a false hit
                $MemberOf = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
                    Where-Object { $_.ObjectType -eq 'Device' -and $Device.ObjectId -contains $_.ObjectId }

                If($MemberOf) {
                    $Arr += [PSCustomObject]@{ GroupName = $Group.DisplayName }
                }
            }

            If($Arr) {
                Write-Host -ForegroundColor Yellow "Device $($DeviceName) is member of the following AAD-groups:"
                $Arr
            }
            else {
                Write-Host -ForegroundColor Red "Device $($DeviceName) is not member of any groups."
            }
        }
        else {
            Write-Host "Device $($DeviceName) does not exist in AAD"
        }
    }
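The post mentions the Graph API as an alternative. The AzureAD module has since been deprecated in favour of the Microsoft Graph PowerShell SDK, so here is an added example (not part of the original post) of the same lookup through Graph. Instead of walking every group in the tenant and paging through each group's members, it asks the device object for its memberOf collection, which is one paged call per device. It assumes the Microsoft.Graph SDK is installed and that you can consent to the scopes; the function name Get-DeviceGroupMembershipGraph is my own, and the scopes passed to Connect-MgGraph are an assumption to verify against the Graph permissions reference for your tenant.

```powershell
# Added example, not from the original post: device group membership via the
# Microsoft Graph PowerShell SDK. Cmdlet names are those of the SDK as I know
# them; the scopes below are an assumption, check the permissions reference.
Function Get-DeviceGroupMembershipGraph {
    param(
        [parameter(Mandatory = $true)][string]$DeviceName,
        [switch]$Transitive   # also return groups the device is in through nesting
    )

    # A single quote is the only character that can terminate an OData string
    # literal; doubling it keeps a name like O'Brien-PC from altering the filter.
    $safeName = $DeviceName.Replace("'", "''")
    $devices  = Get-MgDevice -Filter "displayName eq '$safeName'" -All

    if (-not $devices) {
        Write-Host "Device $DeviceName does not exist in Azure AD"
        return
    }

    # Display names are not unique, so report every device object that matched,
    # keyed on its object ID.
    foreach ($device in $devices) {
        $members = if ($Transitive) {
            Get-MgDeviceTransitiveMemberOf -DeviceId $device.Id -All
        } else {
            Get-MgDeviceMemberOf -DeviceId $device.Id -All
        }

        # memberOf returns generic directoryObjects (groups, but also e.g.
        # administrative units); keep only the groups.
        $groups = $members |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
            ForEach-Object {
                [PSCustomObject]@{
                    DeviceName = $device.DisplayName
                    DeviceId   = $device.Id
                    GroupName  = $_.AdditionalProperties['displayName']
                    GroupId    = $_.Id
                }
            }

        if ($groups) {
            $groups
        } else {
            Write-Host -ForegroundColor Red "Device $($device.DisplayName) ($($device.Id)) is not member of any groups."
        }
    }
}

# Read-only scopes are enough for this lookup (assumed least-privilege set).
Connect-MgGraph -Scopes 'Device.Read.All', 'GroupMember.Read.All'
Get-DeviceGroupMembershipGraph -DeviceName 'TFSB2'
Get-DeviceGroupMembershipGraph -DeviceName 'TFSB2' -Transitive
```

The -Transitive switch matters when the groups you care about are nested: a device that sits in grp-a, where grp-a is a member of grp-b, is only reported under grp-b by the transitiveMemberOf call, whereas the direct memberOf call (and the AzureAD-module approach above, which only inspects direct members) will not show grp-b at all.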
How to join the group?
How do you mean? 🙂 How to add a device to an AAD group?