Is there a way to read an Azure Active Directory group (Security or Microsoft 365) programmatically?
Yes, there are several ways to do it. One of them is C# together with an AAD app registration that holds the required Microsoft Graph permissions.
Let's see with the following example.
Prerequisites
- Create an AAD app registration
- Grant it the Microsoft Graph permissions GroupMember.Read.All and User.Read.All (application permissions, not delegated)
- Create a client secret (we'll use it to read your AAD group information in the context of the AAD app)
- Create a C# project (details below)
Create an AAD app with the GroupMember.Read.All and User.Read.All permissions
Step 1
Create an AAD app: log in to the Azure portal => Azure Active Directory => App registrations => New registration.
Step 2
Once the AAD app is created (e.g. AADGroupReader), open it and go to its API permissions.
Click "Add a permission" and select "Microsoft Graph" from the panel on the right-hand side.
Choose "Application permissions", search for the keyword "User" and select "User.Read.All".
Then search for the keyword "Group" and select "GroupMember.Read.All" (read-only is all this app needs; do not pick the ReadWrite variant).
Once you've selected both, click "Add permissions".
Back on the API permissions page you can see that both "User.Read.All" and "GroupMember.Read.All" were added.
But you will notice that their status is "Not granted for default directory".
Application permissions always require admin consent: if you are an AAD admin you can grant it yourself; if not, you will have to ask your admin to grant it.
If you are the AAD admin, click "Grant admin consent for default directory" and confirm with "Yes" in the pop-up.
Once admin consent is granted, the status column shows a green check-mark for both permissions.
Now let's create the client secret and store it somewhere safe (e.g. Key Vault).
Click "Certificates & secrets" => "New client secret".
Copy the secret value immediately (it is shown only once) and save it in a safe place; never commit it to source control.
With this, the AAD app (service principal) can read our AAD group and its user details in app-only (SPN) context.
Now let's use C# to get the AAD group member details with the help of the AAD app we just created.
Step 1
Open Visual Studio
Step 2
Create a console app.
Step 3
Install these three libraries using the NuGet package manager:
- Microsoft.Graph
- Microsoft.Graph.Auth (at the time of writing it is in preview)
- Microsoft.Identity.Client
Step 4
Write an AADGroupReader class like the one below.
In this code snippet replace the client ID, tenant ID and client secret with the values of your own app, and the group name with your own group.
Step 5
Assume that we have an AAD group named "testaddgroup" with one member, a user named "Test User".
Code snippet to look up the AAD group and fetch a summary of its users.
Utility method to get the group members:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

public class AADGroupReader
{
    public async Task<List<AadGroupMember>> GetGroupMembersAsync(string groupName)
    {
        var userList = new List<AadGroupMember>();

        // Replace with your own values. Do not hard-code the secret in a real project:
        // load it from configuration or Key Vault, as described in the setup steps above.
        var clientId = "your-aad-app-client-id";
        var tenantId = "your-tenant-id";
        var secret = "your-aad-app-client-secret";

        IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithClientSecret(secret)
            .Build();

        // Client-credential flow: the app (service principal) authenticates, not a signed-in user.
        IAuthenticationProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
        GraphServiceClient graphClient = new GraphServiceClient(authProvider);

        // Escape single quotes so a caller-supplied name cannot break out of the OData string literal.
        var escapedName = groupName.Replace("'", "''");
        var groupsDetails = (await graphClient.Groups.Request()
                .Filter($"startswith(displayName,'{escapedName}')") // TODO: optimize this filter criteria based on your need
                .GetAsync()
                .ConfigureAwait(false))
            .FirstOrDefault(x => string.Equals(x.DisplayName, groupName, StringComparison.InvariantCultureIgnoreCase));

        if (groupsDetails == null)
        {
            throw new InvalidOperationException($"No group named '{groupName}' was found in this tenant.");
        }

        var groupObjectId = groupsDetails.Id;

        // TransitiveMembers returns recursive members: if another group is a member,
        // that group's members are included as well.
        var groupMembers = await graphClient.Groups[groupObjectId]
            .TransitiveMembers
            .Request()
            .GetAsync()
            .ConfigureAwait(false);

        // Graph pages large collections; walk every page instead of only the first one.
        while (groupMembers != null)
        {
            foreach (var mem in groupMembers.CurrentPage)
            {
                // Transitive members can also be groups, devices or service principals; keep only users.
                if (mem is User forUser)
                {
                    userList.Add(new AadGroupMember
                    {
                        ObjectId = forUser.Id,
                        UserPrincipalName = forUser.UserPrincipalName,
                        Name = forUser.DisplayName,
                        Email = forUser.Mail,
                    });
                }
            }

            groupMembers = groupMembers.NextPageRequest == null
                ? null
                : await groupMembers.NextPageRequest.GetAsync().ConfigureAwait(false);
        }

        return userList;
    }
}
```
Helper entity:
```csharp
public class AadGroupMember
{
    public string ObjectId { get; set; }
    public string Name { get; set; }
    public string UserPrincipalName { get; set; }
    public string Email { get; set; }
}
```
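The most common reason the group lookup fails is the admin-consent step above: the portal may list both permissions while consent has not actually been granted, in which case the app-only token simply carries no `roles` claim and Graph returns 403. The following example, added here and not part of the original post, acquires a token with MSAL using the same client-credential settings and inspects the token's `roles` claim to confirm that GroupMember.Read.All and User.Read.All are present before any Graph call is made. The environment variable names (AAD_CLIENT_ID, AAD_TENANT_ID, AAD_CLIENT_SECRET) are this example's own choice, and it assumes the token is a standard three-segment JWT issued for Microsoft Graph; System.Text.Json is part of .NET Core 3.0 and later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphPermissionCheck
{
    // The two application permissions added in the portal steps of this tutorial.
    public static readonly string[] RequiredRoles = { "GroupMember.Read.All", "User.Read.All" };

    // Decodes the payload segment of a JWT and returns the app-role names from its "roles" claim.
    // Assumption: the token is a standard three-segment JWT (header.payload.signature).
    public static IReadOnlyList<string> ReadRolesClaim(string accessToken)
    {
        var segments = accessToken.Split('.');
        if (segments.Length != 3)
        {
            throw new FormatException("Access token is not a JWT; cannot inspect its claims.");
        }

        // base64url -> base64: restore the standard alphabet and the '=' padding.
        var payload = segments[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(payload));

        using var doc = JsonDocument.Parse(json);
        if (!doc.RootElement.TryGetProperty("roles", out var roles))
        {
            // No "roles" claim at all: no application permission has been consented for this app.
            return Array.Empty<string>();
        }

        return roles.EnumerateArray().Select(r => r.GetString()).Where(r => r != null).ToList();
    }

    // Returns the required roles that are absent from the token (empty when consent is complete).
    public static IReadOnlyList<string> MissingRoles(IEnumerable<string> grantedRoles)
    {
        var granted = new HashSet<string>(grantedRoles, StringComparer.OrdinalIgnoreCase);
        return RequiredRoles.Where(r => !granted.Contains(r)).ToList();
    }

    public static async Task<int> Main()
    {
        // Assumption: credentials come from environment variables (names chosen for this example)
        // rather than string literals, so the secret never lands in source control.
        var clientId = Environment.GetEnvironmentVariable("AAD_CLIENT_ID");
        var tenantId = Environment.GetEnvironmentVariable("AAD_TENANT_ID");
        var secret = Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET");
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(secret))
        {
            Console.Error.WriteLine("Set AAD_CLIENT_ID, AAD_TENANT_ID and AAD_CLIENT_SECRET first.");
            return 2;
        }

        var app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithClientSecret(secret)
            .Build();

        // The ".default" scope requests every application permission consented for this app.
        var result = await app.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync()
            .ConfigureAwait(false);

        var granted = ReadRolesClaim(result.AccessToken);
        var missing = MissingRoles(granted);

        Console.WriteLine("Roles in token: " + (granted.Count == 0 ? "(none)" : string.Join(", ", granted)));
        if (missing.Count > 0)
        {
            Console.WriteLine("Missing application permissions: " + string.Join(", ", missing));
            Console.WriteLine("Check the API permissions page: the status must show admin consent as granted.");
            return 1;
        }

        Console.WriteLine("All required permissions are granted; Graph calls can proceed.");
        return 0;
    }
}
```

Run it once after the portal setup: a non-zero exit code with a "(none)" roles line means consent was never granted, while a list that contains only one of the two names means a permission was added but consent was granted before it was added and needs to be granted again. Because the check reads the `roles` claim rather than the portal UI, it reports what Graph will actually enforce.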