Posted on 04-24-2024 11:15 AM
Does anyone have a script they use to check membership of Microsoft Entra groups? Everything I'm finding is PowerShell, and I need something that can run natively on Macs out of the box.
Posted on 04-24-2024 12:08 PM
If you're using Jamf Connect you could try to leverage the com.jamf.connect.state.plist.
Posted on 04-24-2024 12:35 PM
Depending on what you are trying to read you may be able to use the ldapsearch or dscl binaries, though a lot of Entra leans on the Microsoft Graph API, which you need PowerShell to use. Entra is a Microsoft utility, and the tool Microsoft makes to interface with their utility is PowerShell.
It's not out-of-the-box macOS, but you can install PowerShell on Mac. Usually for people that need to lean heavily on Microsoft workflows, I require them to get a Windows VM and just keep things native and simple.
Posted on 04-25-2024 12:46 PM
So I went down a similar path a few years ago. I wasn't reading a membership, but I was adding to a group. I originally tried testing reading first, but adding accomplished that by just giving an alternate result saying no addition was needed. I'm not sure if it was a custom add or not, but someone from one of our internal dev teams mentioned that you could use an API to accomplish this.
I read the currently signed-in user, then go and find the UPN that's signed into Company Portal:
currentUser=$(/usr/bin/stat -f %Su /dev/console)  # console user; the original line referenced an unset $whoami
AADUser=$(/usr/libexec/PlistBuddy -c "Print :aadUserId" "/Users/$currentUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info")
Then take that result and run it through the curl command below.
/usr/bin/curl -X POST 'https://yourdomain.azure.com/workflows/XXXXXXXXXXXX/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=XXXXXXXXXXXX' \
  -H 'Content-Type: application/json' \
  -d '{ "RequesterUPN": "XXXXXXXXX@XXXXXXX.com", "TargetUserUPN": "'"$AADUser"'", "TargetGroupOID": "XXXXXXXXXXX-XXXXX-XXXXX", "Action": "add" }'
From there it was just formatting my API call properly.
7 hours ago
Take a look at: MS Graph CLI
It has code samples for interacting with the binary in bash. We use it for password notifications to our end users and are currently looking into checking group memberships.
A piece of code goes something like this:
#!/bin/bash
# Variables
currentUser=$( ls -l /dev/console | awk '{ print $3 }' )
# App registration credentials for the Environment login strategy (fill in; grant the app read permission for group membership only)
export AZURE_TENANT_ID=
export AZURE_CLIENT_ID=
export AZURE_CLIENT_SECRET=
# Fetch UPN from Jamf Connect plist (defaults returns nothing and errors if the key is missing, so silence stderr)
UPN=$( defaults read /Users/"$currentUser"/Library/Preferences/com.jamf.connect.state.plist UserUPN 2>/dev/null )
# Should UPN be empty, fall back to a manually set UPN
if [[ -z $UPN ]]; then
UPN="$currentUser@maildomain"
fi
# Login to MS Graph, fetch group membership and logout
/usr/local/bin/mgc login --strategy Environment
# Graph wraps the results in a "value" array, so select that rather than every top-level field of the response
/usr/local/bin/mgc users member-of list --user-id "$UPN" --select "displayName,id" --consistency-level "eventual" | /usr/bin/jq -r ".value[]"
/usr/local/bin/mgc logout
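For the original out-of-the-box requirement, here is an added example (not code from any poster in this thread) that does the same membership check with only curl, sed and grep, using a client-credentials token and the Graph checkMemberGroups endpoint so the directory answers "is this user in this group" directly. The tenant id, client id, client secret and group id are placeholders you must supply; the two parsing helpers are kept free of network calls so they can be exercised against a constructed response.

```bash
#!/bin/bash
# Placeholders (assumed): fill from your tenant and app registration; grant the app
# only read permission for group membership, nothing that can write the directory.
TENANT_ID="${AZURE_TENANT_ID:-00000000-0000-0000-0000-000000000000}"
CLIENT_ID="${AZURE_CLIENT_ID:-replace-with-app-client-id}"
CLIENT_SECRET="${AZURE_CLIENT_SECRET:-replace-with-client-secret}"

# Pull access_token out of a token-endpoint JSON reply (separate so it is testable offline).
token_from_json() { # $1 = token response body
  printf '%s' "$1" | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Client-credentials flow against the v2.0 token endpoint.
graph_token() {
  token_from_json "$(/usr/bin/curl -sS -X POST \
    "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
    -d "client_id=${CLIENT_ID}" -d "client_secret=${CLIENT_SECRET}" \
    -d "scope=https://graph.microsoft.com/.default" -d "grant_type=client_credentials")"
}

# POST /users/{upn}/checkMemberGroups answers with {"value":[<ids the user is in>]}, so the
# directory does the membership check instead of the client walking the full memberOf list.
check_member_groups() { # $1 = access token, $2 = UPN, $3 = group object id
  /usr/bin/curl -sS -X POST "https://graph.microsoft.com/v1.0/users/$2/checkMemberGroups" \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    -d "{\"groupIds\":[\"$3\"]}"
}

# Exit 0 only if the group id appears inside the "value" array (whitespace-insensitive grep).
group_in_response() { # $1 = JSON response body, $2 = group object id
  printf '%s' "$1" | tr -d ' \n' | grep -q "\"value\":\[[^]]*\"$2\""
}

main() {
  local upn="${1:?usage: $0 user@domain group-object-id}" gid="${2:?group object id required}"
  local token; token="$(graph_token)"
  [ -n "$token" ] || { echo "token request failed" >&2; exit 2; }
  if group_in_response "$(check_member_groups "$token" "$upn" "$gid")" "$gid"; then
    echo "$upn is a member of $gid"
  else
    echo "$upn is NOT a member of $gid"; exit 1
  fi
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as `./check_group.sh user@domain <group-object-id>`; the exit code (0 member, 1 not a member, 2 auth failure) makes it usable as a Jamf extension attribute or policy gate.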