azure-powershell
Request: AAD group owner support
I'm porting some scripts from using the AzureAD module to instead use Az for cross platform purposes and found that there are no cmdlets for group ownership listing and manipulation (AzureAD is not supported on .net core).
Please add the following three cmdlets:
- Get-AzADGroupOwner like Get-AzureADGroupOwner
- Add-AzADGroupOwner like Add-AzureADGroupOwner
- Remove-AzADGroupOwner like Remove-AzureADGroupOwner
I don't see methods in the SDK for managing group ownership...
05 -21 Milestone for cmdlet customizations on generated cmdlet code
These cmdlets will be found in the set of generated Resources cmdlets:
You can find the full (tentative) list of cmdlets that will be generated for the Resources module here.
https://github.com/Azure/azure-rest-api-specs/blob/29af97eb5d0f7685ce2698a2b08f0868f013bd1e/specification/graphrbac/data-plane/Microsoft.GraphRbac/stable/1.6/graphrbac.json#L1078
Microsoft.Azure.Graph.RBAC 3.8 is required.
Is there any update for adding Get-AzADGroupOwner to Az PowerShell 6.1.0 or later?
Hi @DevonK3, since AAD Graph will be deprecated soon, the current team is focusing on offering a way to migrate to MS Graph. We have no plan to introduce new cmdlets on AAD Graph now.
For urgent requirements, please use Get-AzureADGroupOwner from the AzureAD PowerShell module.
Thanks, @dingmeng-xue but I cannot use AzureAD as I am using MacOS and AzureAD is only supported on WIN platforms. Do you know of another way I can obtain the AD Group Owners using PowerShell?
Also, if AAD Graph is going away, does that mean all of the Az.Resources module functions, like Get-AzAdGroup will be soon going away as well? What is the planned replacement? A new Az.Resources module using MSGraph? Will it be supported on MacOS/Linux?
Hi DevonK3, you can get an access token for AAD Graph via Get-AzAccessToken -ResourceTypeName AadGraph and then use the PowerShell native cmdlet Invoke-RestMethod to send requests to the AzureAD endpoint. The AAD Graph token needs to be added as part of the headers.
As far as we know (https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-planning-checklist?view=graph-rest-1.0), the AzAd cmdlets won't work once the service is shut down. Our current initial plan is to keep the AzAd cmdlets in Az.Resources until the service is shut down and to introduce new parity MS Graph cmdlets into Az.Resources this year. If so, macOS and Linux will be supported. This is still a plan. If you have any concerns, please let us know. Involving @dcaro
@DevonK3 we are working on migrating the *AzAD cmdlets from using AzureAD to using the Microsoft Graph endpoint. In our current plans Az will continue to offer cmdlets that allow managing the same resources as we have today as part of Az.Resources.
Unfortunately, this is not "just changing the endpoint", so the exposed cmdlets will look different, but we plan to provide a migration path to ease this breaking change.
Without looking in much detail, these are the corresponding cmdlets between AzureAD and MS Graph:
- Add-AzureADGroupOwner -> New-MgGroupOwnerByRef
- Get-AzureADGroupOwner -> Get-MgGroupOwner
- Remove-AzureADGroupOwner -> currently missing an equivalent in the MS Graph module
You're awesome! Thanks for the response. Best of luck in your migration coding.
So the current *AzAD cmdlets are still using the deprecated Azure AD Graph API?
We just released a preview of Az.Resources that uses MS Graph. Can you try it and share your feedback? More info here: https://techcommunity.microsoft.com/t5/azure-tools/azure-powershell-ignite-release/ba-p/2907139
Thanks, @dcaro. I cannot install preview as I use Homebrew to install PowerShell. But I will once GA.
One question, I don't see changes for providing PowerShell function for the AAD Group Owners in Az.Resources 5.0.0-preview changes
Currently, just these functions: Get-AzADGroup, Get-AzADGroupMember. How would I get the Owners?
Is there any update on whether we can use Get-AzADGroupOwner?
Hello Damien @dcaro,
I understand that the target was to add Azure AD command in Az.Resources calling Ms Graph behind the scenes, and that it is the case from a specific release (Az 7 given this article, and Az.Resources from 5.1.0 given this one?).
I have several questions to be sure that my understanding is correct:
- the current available operations in Az.Resources don't include "Group owner" actions (Get / Add / Remove)?
- Is there any timeline regarding those operations?
- The best workaround would be to use Invoke-AzRestMethod as described in the blog post?
Thanks a lot for the visibility you could bring to us.
@nrobert starting with Az 7, we are using the Microsoft Graph API for the operations pertaining to AzureAD. We do not return group owners in the current version and do not have this work planned at this time. We will prioritize according to the demand from the community or if this is needed to support an important Azure scenario.
Using Invoke-AzRestMethod is the best workaround at this time, here is a code sample for this:

```powershell
# Look up the group by display name, then list its owners through Microsoft Graph
$MyGroup = Get-AzADGroup -DisplayName $GroupDisplayName
Invoke-AzRestMethod "https://graph.microsoft.com/v1.0/groups/$($MyGroup.Id)/owners"
```
You can find more information in the API documentation: https://docs.microsoft.com/en-us/graph/api/group-list-owners?view=graph-rest-1.0&tabs=http
Thanks for the clarification @dcaro , it's clear now and we have implemented the workaround yesterday.
To help you understand our scenario: we are creating Azure "environments" for projects. This means creating management groups, subscriptions, AAD groups to set RBAC roles on subs... by code. As we want to let our project teams be autonomous, we only ask for a list of project owners, and we set them as owners of the AAD groups. With this setup, they (= project owners) are responsible for onboarding their members and don't need actions on our side.
Would be great, thanks. This is what I am using as a workaround through Invoke-AzRestMethod:

- Add-AzADGroupOwner

```powershell
$type = "users"   # or "serviceprincipals"
# Graph expects the new owner as an @odata.id reference to the directory object
$payload = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/$type/$accountId" }
# Single quotes keep '$ref' literal so PowerShell does not expand it as a variable
Invoke-AzRestMethod -Method POST $('https://graph.microsoft.com/v1.0/groups/' + $groupId + '/owners/$ref') -Payload $($payload | ConvertTo-Json)
```

Graph REST API: Add owners

- Get-AzADGroupOwner

```powershell
$response = Invoke-AzRestMethod "https://graph.microsoft.com/v1.0/groups/$groupId/owners"
# Content is the raw JSON body; the owners are in its "value" array
$owners = $($response.Content | ConvertFrom-Json).value
```

Graph REST API: List owners

- Remove-AzADGroupOwner

```powershell
# Single quotes keep '$ref' literal so PowerShell does not expand it as a variable
$uri = "https://graph.microsoft.com/v1.0/groups/$groupId/owners/$accountId/" + '$ref'
Invoke-AzRestMethod -Method DELETE -Uri $uri
```

Graph REST API: Remove owners
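As an added example (not code posted in the thread), here is the same Invoke-AzRestMethod workaround from the two comments above wrapped in functions that follow @odata.nextLink paging and check the HTTP status code, which the snippets skip. It assumes an existing Az session with Microsoft Graph group permissions, and that $groupId and $accountId hold object IDs as in the snippets above; the function names are hypothetical.

```powershell
# Added example: Invoke-AzRestMethod returns non-2xx responses instead of throwing,
# and /owners is paged (up to 100 per page), so both must be handled explicitly.
# Assumes Connect-AzAccount has run with Group.Read.All / Group.ReadWrite.All on Graph.
function Get-GroupOwnerViaGraph {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupId
    )
    # Only request the fields we need
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/owners" +
           '?$select=id,displayName,userPrincipalName'
    $owners = @()
    while ($uri) {
        $response = Invoke-AzRestMethod -Method GET -Uri $uri
        if ($response.StatusCode -ne 200) {
            throw "Graph returned HTTP $($response.StatusCode) for $uri : $($response.Content)"
        }
        $page = $response.Content | ConvertFrom-Json
        $owners += $page.value
        # Follow the continuation link until Graph stops returning one
        $uri = $page.'@odata.nextLink'
    }
    return $owners
}

function Remove-GroupOwnerViaGraph {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $OwnerId
    )
    # Single quotes keep '$ref' literal so PowerShell does not expand it
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/owners/$OwnerId/" + '$ref'
    if ($PSCmdlet.ShouldProcess($OwnerId, "Remove owner from group $GroupId")) {
        $response = Invoke-AzRestMethod -Method DELETE -Uri $uri
        # Graph answers 204 No Content on success
        if ($response.StatusCode -ne 204) {
            throw "Remove failed with HTTP $($response.StatusCode): $($response.Content)"
        }
    }
}

# Usage: list all owners, and only remove one if the group keeps at least one other owner
$owners = Get-GroupOwnerViaGraph -GroupId $groupId
if ($owners.Count -gt 1) {
    Remove-GroupOwnerViaGraph -GroupId $groupId -OwnerId $accountId -WhatIf
}
```

Drop -WhatIf once the dry run shows the intended owner; the ShouldProcess check also honours -Confirm.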
For pity's sake, please add Add-AzureADGroupOwner-like functionality. It should be called Add-AzADGroupOwner instead, of course. This has been open since 2019!
When I started working with automating Azure resources and Azure AD, I had a decision point to make:
- use az cli (in combination with ConvertFrom-Json to get back to working with the goodness of pwsh)
- use the native Az modules
Being a fan of PowerShell, I went for Az modules... After working with the Az cmdlets over the last 18 months, if I could turn back time I can honestly say I wouldn't hesitate and would just go with option 1.
I could then just use az ad group owner add and be done.
Thanks for the additional feedback, we will provide an update about this feature request soon.
Group owner is supported in Az.Resources 6.8.0 and above; closing this issue for now. Please feel free to reopen it if you have further questions.