Microsoft365DSC icon indicating copy to clipboard operation
Microsoft365DSC copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Cloud-only Group filtering

Open AdamPhils opened this issue 1 year ago • 4 comments

Description

Hello All, I am trying to get only cloud-only security groups using MS365DSC. I ued followed filtering option: Export-M365DSCConfiguration -Components @("AADGroup") -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint -TenantId $TenantId -Filters @{AADGroup = "OnPremisesSyncEnabled eq null and SecurityEnabled eq true and mailEnabled eq false". Seems that module is not supporting "-ConsistencyLevel and -CountVariable" in code and this is blocking filtering but I am not expert. Is there any other way to filer out cloud-only groups or maybe I am approaching this in the wrong way?

Proposed properties

Cloud-only Group filtering

Special considerations or limitations

None

AdamPhils avatar Sep 18 '23 20:09 AdamPhils

Could you try to run this bit of code manually and check, if the return would match your expectations:

https://github.com/microsoft/Microsoft365DSC/blob/f40c27ba02d7785011954dff86614d585920cfd9/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1#L1045-L1057

Please run Connect-M365Tenant or Connect-MGGraph prior to that.

I assume, that the issue is more likely to be in Lines 1055 to 1057.

andikrueger avatar Sep 19 '23 07:09 andikrueger

Hi andikrueger, sorry for delay but I went into MS Graph 2.6.0 trap(bugged version) and only now I've been able to fix it. I ran the code but still I have the same error: Get-MgGroup : Unsupported or invalid query filter clause specified for property 'onPremisesSyncEnabled' of resource 'Group'. Status: 400 (BadRequest)

Maybe problem is in line 1050 "if ($Filter -like "endsWith")" - only then 'CountVariable' and 'ConsistencyLevel' are added to $ExportParameters and my filters are having 'eq' only

Thank you for having a look into this

AdamPhils avatar Sep 20 '23 19:09 AdamPhils

I would like only to add that I want to filer out synced groups as we have 200k of them and they are backed up on on-prem level.

AdamPhils avatar Sep 20 '23 19:09 AdamPhils

I would also like to be able to filter out our on-Premise AAD synched groups, since we have 25K+ groups. We are only interested in getting the Cloud-enabled groups. Please enable this filtering option!

It takes around 2 seconds to retrieve each group with the Export-M365DSCConfiguration cmdlet and with 25K groups, it currently takes 13+ hours to retrieve them - and that's only the AADGroups resource.

hao-public avatar Mar 21 '24 11:03 hao-public

Hello, I created my own script to dump all sec-only cloud groups and it seems to work fine.

AdamPhils avatar Sep 03 '24 19:09 AdamPhils