Jamf self service to add user to Azure group

easyedc
Valued Contributor II

Hi All. I’ve tried searching but haven’t found any hits based on the search queries I’ve given, so I’ll try posting instead. I’ve been tasked with writing a script that can be run from a Jamf Self Service action to add users to a specific Azure AD group. My script should work, but seems to be failing. I’m getting a repeated error, "HTTP Error 411. The request must be chunked or have a content length.", even when passing a flag to chunk it. I’m not great at APIs, and the Azure API is new to me. Anyone out there have experience with that? I can share my script, but wanted to make sure I’m not trying to do the impossible first.

#!/bin/sh

# Add a user to an Azure AD group.sh
#
# Created by Ed on 2/28/23.
#
# Note: the client secret and the service-account password are embedded in this
# script; anything pushed out through Jamf is readable on the Mac it runs on, so
# the values below are placeholders and should not be shipped as-is.

## Read the KerberosSSO plist to get shortname of signed in user
plistLoc="/Users/Shared/.KerberosSSO/"
plistName="com.apple.KerberosSSO.attributes.plist"
valueName="user_name"
foundItem=$(/usr/bin/defaults read "${plistLoc}${plistName}" "${valueName}" | /usr/bin/awk -F '@' '{print $1}')
email="${foundItem}@company.com"
echo "$email"

## Get Access token for Graph API. The v2.0 token endpoint is
## /<tenant>/oauth2/v2.0/token; it returns JSON, and only the access_token value
## belongs in the Authorization header. Trailing spaces inside the quoted values
## were removed so they are not sent as part of the scope/username/password.
tokenResponse=$(/usr/bin/curl --silent --location --request POST 'https://login.microsoftonline.com/ourdomain/oauth2/v2.0/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=123456789-987654321' \
  --data-urlencode 'client_secret=pretty-fancy-password' \
  --data-urlencode 'scope=https://graph.microsoft.com/GroupMember.ReadWrite.All https://graph.microsoft.com/User.Read.All' \
  --data-urlencode 'username=secretserviceaccount@company.com' \
  --data-urlencode 'password=WhyDoYouWantMyPassword123?')
Auth_token=$(printf '%s' "$tokenResponse" | /usr/bin/sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
if [ -z "$Auth_token" ]; then
  echo "Failed to obtain access token: $tokenResponse" >&2
  exit 1
fi

## Get Current Group Members. A GET carries no body, so the Transfer-Encoding
## and Content-Type headers do nothing useful here and were dropped.
/usr/bin/curl --silent --location --request GET 'https://graph.microsoft.com/v1.0/groups/123456789-987654321/members?$select=userPrincipalName' \
  --header "Authorization: Bearer $Auth_token"

## Add found user to group. Every option must belong to the same curl command
## (note the trailing backslashes): when --data-raw sits on its own line, curl
## sends a POST with no body, and "HTTP Error 411 ... content length" is the
## server's answer to that. $ref in the URL is literal OData syntax; $email must
## expand, so the body is built inside double quotes.
/usr/bin/curl --silent --location --request POST 'https://graph.microsoft.com/v1.0/groups/123456789-987654321/members/$ref' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer $Auth_token" \
  --data-raw "{ \"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$email\" }"
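The request the post above is trying to send, as an added example that is not code from the thread: the Graph add-member call split into small functions so that the two usual failure points (pulling the token out of the JSON reply, and sending the POST with an actual body) can be checked offline. The group id, token and UPN values are placeholders, and stub_curl is a constructed fake that only reports whether a request body was supplied.

```shell
#!/bin/sh
# Added example, not code from the thread. Tenant, group id, token and UPN
# values are placeholders.

GRAPH='https://graph.microsoft.com/v1.0'
# The curl binary; point CURL at a shell function that prints an HTTP status
# code to exercise the logic without a network (stub_curl below does that).
CURL=${CURL:-/usr/bin/curl}

# Extract "access_token" from the token endpoint's JSON reply using sed only,
# so nothing beyond the macOS base install (no jq, no Xcode CLI tools) is needed.
extract_access_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# JSON body for POST /groups/{id}/members/$ref. Only the UPN varies; the
# "$ref" in the URL is literal OData syntax, not a shell variable.
member_ref_body() {
  printf '{ "@odata.id": "%s/users/%s" }' "$GRAPH" "$1"
}

# Send the POST and map the HTTP status to an exit code:
#   0 -> 204, member added
#   2 -> 411, the server saw a POST without a body (the error in the thread)
#   1 -> anything else (401/403 token or permission problems, 404 bad ids, ...)
add_member() {
  token=$1; group=$2; upn=$3
  body=$(member_ref_body "$upn")
  code=$("$CURL" --silent --output /dev/null --write-out '%{http_code}' \
      --request POST "$GRAPH/groups/$group/members/\$ref" \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer $token" \
      --data-raw "$body")
  case "$code" in
    204) return 0 ;;
    411) echo "POST reached the server without a body (HTTP 411)" >&2; return 2 ;;
    *)   echo "add member failed with HTTP $code" >&2; return 1 ;;
  esac
}

# Constructed stand-in for curl: answers 204 only when a non-empty --data-raw
# body is present in the arguments, 411 otherwise, which is the condition the
# thread's error message describes.
stub_curl() {
  while [ $# -gt 0 ]; do
    if [ "$1" = '--data-raw' ] && [ -n "${2:-}" ]; then
      echo 204; return 0
    fi
    shift
  done
  echo 411
}

# Usage against the real service, with a token obtained separately from the
# tenant's /oauth2/v2.0/token endpoint:
#   add_member "$ACCESS_TOKEN" '<group-object-id>' 'jane.doe@company.com'
```

Running with `CURL=stub_curl` exercises every branch except the network; with the default `/usr/bin/curl` the same functions perform the real call. Because the exit code distinguishes 411 from other failures, a Self Service policy log shows immediately whether the body was lost or the token/permissions were the problem.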

 

1 ACCEPTED SOLUTION

easyedc
Valued Contributor II

So I was able to solve this with a little help from our Azure team. They had an Azure Logic App registered that I could call with a POST command, and it performs it with only native tools installed. Adding the script below in case it helps anyone in the future.

#!/bin/sh

#  Automated Add to Group.sh
#
#  Created by Corfman, Ed on 4/3/23.
#
# Requirements - logic workflow registration - https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview Azure Logic access app registered. Azure Logic Apps is a cloud platform where you can create and run automated workflows with little to no code.
# RequesterUPN - Service Account is an account that has rights to add users to an Azure group
# TargetGroupOID - the unique ID of the group being managed
# Company Portal registration - the UPN of the user who registered the Mac in Company Portal
#
# The workflow URL below (a placeholder) is the only credential this script
# carries; anyone who can read it can call the workflow with any TargetUserUPN,
# so the Logic App itself has to validate the request rather than trust it.

# Get current console user
whodis=$(/usr/bin/stat -f "%Su" /dev/console)

# Read the Company Portal plist to get the UPN of user
# (path quoted: "Application Support" contains a space)
AADUser=$(/usr/libexec/PlistBuddy -c "Print :aadUserId" "/Users/$whodis/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info")

# Stop instead of POSTing an empty TargetUserUPN when the Mac was never registered in Company Portal
if [ -z "$AADUser" ]; then
  echo "No aadUserId found for $whodis; is the Mac registered in Company Portal?" >&2
  exit 1
fi
echo "$AADUser"

# --fail makes curl exit non-zero on an HTTP error, so the Self Service policy
# reports a failure instead of always returning 0
/usr/bin/curl --silent --fail -X POST 'https://logic.azure.com/workflows/auth/url/etc' \
  -H 'Content-Type: application/json' \
  -d '{ "RequesterUPN": "serviceaccount@company.com", "TargetUserUPN": "'"$AADUser"'", "TargetGroupOID": "xxxxxxxxx-xxx-xx-xxxxx-xxxxxx", "Action": "add" }'

exit $?


3 REPLIES

spesh
New Contributor III

I don't have an exact answer or solution for you, but I can tell you that a 400-based error usually means there was an authorization issue. Although I have never used the Azure Graph API, you may need to refresh an authorization token or ensure you have the necessary privileges to be able to make calls to the API.

In my brief dealings with automating Azure tasks, I found the best success using PowerShell. PowerShell has an Active Directory module that can be imported using RSAT tools (link to helpful Microsoft Learn article). Doesn't immediately help you in your task, but hopefully points you in a good direction!

easyedc
Valued Contributor II

So I wrote it to run as a shell command specifically because that would work out of the box for any Mac user we have. In playing around with it I had success using the Azure CLI and adding Homebrew > jq module, but all those add-ons require installing Xcode and then Homebrew. Needing to install a 13 GB+ application suite seems a little overkill. PowerShell also now installs via Homebrew preferably, but does offer a direct download. I think PowerShell requires the Xcode CLI to be installed though?
