Posted on 04-24-2024 11:15 AM
Does anyone have a script they use to check membership of Microsoft Entra groups? Everything I'm finding is PowerShell, and I need something that can run natively on Macs out of the box.
Posted on 04-24-2024 12:08 PM
If you're using Jamf Connect you could try to leverage the com.jamf.connect.state.plist.
Posted on 04-24-2024 12:35 PM
Depending on what you are trying to read you may be able to use the ldapsearch or the dscl binaries, though a lot of Entra leans on the Microsoft Graph API, which you need PowerShell to use. Entra is a Microsoft utility, and the tool Microsoft makes to interface with their utility is PowerShell.
It's not out-of-the-box macOS, but you can install PowerShell on Mac. Usually for people that need to lean heavily on Microsoft workflows, I require them to get a Windows VM and just keep things native and simple.
Posted on 04-25-2024 12:46 PM
So I went down a similar path a few years ago. I wasn't reading a membership, but I was adding to a group. I originally tried testing reading first, but adding accomplished that by just giving an alternate result saying no addition was needed. I'm not sure if it was a custom add or not, but someone from one of our internal dev teams mentioned that you could use an API to accomplish this.
I read the currently signed-in user, then go and find the UPN that's signed into Company Portal:
# $whoami must hold the short name of the user whose Company Portal context to read
whoami=$(/usr/bin/whoami)
# Read the Entra (AAD) user id that Company Portal stored for that user
AADUser=$(/usr/libexec/PlistBuddy -c "Print :aadUserId" "/Users/$whoami/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info")
Then take that result and run it through the below curl.
# $AADUser is spliced into the single-quoted JSON body by closing and reopening the quotes
/usr/bin/curl -X POST 'https://yourdomain.azure.com/workflows/XXXXXXXXXXXX/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=XXXXXXXXXXXX' \
  -H 'Content-Type: application/json' \
  -d '{ "RequesterUPN": "XXXXXXXXX@XXXXXXX.com", "TargetUserUPN": "'"$AADUser"'", "TargetGroupOID": "XXXXXXXXXXX-XXXXX-XXXXX", "Action": "add" }'
From there it was just formatting my API call properly.
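The flow described in the post above (read the Entra user id that Company Portal stored for the logged-in user, then POST it to an HTTP-triggered workflow), written out as a complete macOS shell script. This is an added example, not the poster's script: the workflow URL, requester UPN and group OID are placeholders held in the hypothetical WORKFLOW_URL, REQUESTER_UPN and TARGET_GROUP_OID variables, the Company Portal file path and the aadUserId key are taken from the post, and the function names are mine. It adds the checks a practitioner wants before the value is spliced into a JSON body: it resolves the console user (Jamf runs policies as root, so whoami would return root), fails cleanly when the context file or key is missing, and refuses values that would break or alter the JSON.

```shell
#!/bin/sh
# Added example (not the poster's script). Placeholders must be replaced.
set -eu

WORKFLOW_URL="${WORKFLOW_URL:-https://REPLACE-ME.azure.com/workflows/XXXX/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=XXXX}"
REQUESTER_UPN="${REQUESTER_UPN:-requester@example.com}"                          # placeholder
TARGET_GROUP_OID="${TARGET_GROUP_OID:-00000000-0000-0000-0000-000000000000}"    # placeholder

# Jamf policies run as root, so $(whoami) is "root"; the owner of /dev/console
# is the user actually logged in at the GUI.
console_user() {
    /usr/bin/stat -f '%Su' /dev/console
}

# Path of the Company Portal user-context file for the given short name
context_file() {
    printf '%s\n' "/Users/$1/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info"
}

# Read aadUserId with PlistBuddy; returns non-zero if the file or key is missing
read_aad_user() {
    file=$(context_file "$1")
    [ -f "$file" ] || { echo "no Company Portal context for $1" >&2; return 1; }
    /usr/libexec/PlistBuddy -c 'Print :aadUserId' "$file" 2>/dev/null
}

# The value is interpolated into a JSON string, so reject anything empty or
# containing a double quote or backslash rather than sending a malformed or
# altered request body.
safe_value() {
    case "$1" in
        '') return 1 ;;
        *\"*|*\\*) return 1 ;;
    esac
    return 0
}

# Build the JSON body; arguments: requester UPN, target user, group OID, action
build_payload() {
    printf '{"RequesterUPN":"%s","TargetUserUPN":"%s","TargetGroupOID":"%s","Action":"%s"}' \
        "$1" "$2" "$3" "$4"
}

# POST the payload; --fail makes curl exit non-zero on HTTP 4xx/5xx
trigger_workflow() {
    /usr/bin/curl -sS --fail -X POST "$WORKFLOW_URL" \
        -H 'Content-Type: application/json' \
        --data "$1"
}

main() {
    user=$(console_user)
    aad_user=$(read_aad_user "$user") || exit 1
    if ! safe_value "$aad_user"; then
        echo "unexpected aadUserId value for $user" >&2
        exit 1
    fi
    payload=$(build_payload "$REQUESTER_UPN" "$aad_user" "$TARGET_GROUP_OID" add)
    trigger_workflow "$payload"
}

# Only run the full flow when invoked as "script.sh run", so the functions can
# be sourced or checked without touching the network.
if [ "${1:-}" = run ]; then
    main
fi
```

Two design notes: the sig parameter in the trigger URL is the credential that authorises calls to the workflow, so a script that embeds it should not be world-readable or echoed into logs; and because the workflow (not the Mac) holds the Graph permissions, the client only needs curl and PlistBuddy, both present on macOS out of the box.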