Script to Export Members of an Azure AD Group to CSV Using Microsoft Graph
Azure AD Group Members Export Script
Overview
This script connects to the Microsoft Graph API to export members from a specific Azure AD group. It targets the “365-2fa” group and retrieves member details including UserPrincipalName and DisplayName, exporting the data to a structured CSV file for administrative and auditing purposes.
Key Features
| Feature | Capability | Business Value |
|---|---|---|
| Targeted Group Export | Specifically retrieves “365-2fa” group members | Focuses on MFA-enabled user groups |
| Member Property Selection | Exports UserPrincipalName and DisplayName | Provides essential user identification |
| Directory Validation | Verifies output directory exists before export | Prevents file system errors |
| Error Handling | Comprehensive try-catch blocks | Ensures graceful failure management |
Script Requirements
Ideal for: Azure AD administrators, security teams, and compliance officers
Prerequisites:
- Microsoft Graph PowerShell SDK installed
- Directory Reader or Global Administrator role
- Target group named “365-2fa” must exist
Implementation
```powershell
# Prompt the user to enter Tenant Id or Primary domain
$TenantId = Read-Host "Please enter Tenant Id or Primary domain"

# Define the scopes needed for the Microsoft Graph API permissions
# (pass them as an array; a single comma-joined string would be requested as one scope)
$Scopes = @("User.Read.All", "AuditLog.Read.All", "Directory.Read.All")

# Connect to Microsoft Graph against the tenant entered above
Connect-MgGraph -TenantId $TenantId -Scopes $Scopes

# Define group id (display names are not unique, so require exactly one match)
$Group = Get-MgGroup -All | Where-Object { $_.DisplayName -eq "365-2fa" }
if (@($Group).Count -ne 1) {
    Write-Host "Expected exactly one group named '365-2fa' but found $(@($Group).Count)."
    return
}
$GroupId = $Group.Id

# Define the output path
$OutputPath = "C:\temp\MembersExport.csv"

# Check if the directory exists
if (!(Test-Path -Path (Split-Path -Path $OutputPath -Parent))) {
    Write-Host "The directory does not exist. Please check the output path and try again."
    return
}

# Export Members with specified properties.
# Transitive membership also returns nested groups and devices; those rows have an
# empty userPrincipalName. -ErrorAction Stop makes Graph errors terminating so the
# catch block actually runs.
try {
    Get-MgGroupTransitiveMember -All -GroupId $GroupId -ErrorAction Stop |
        Select-Object Id,
            @{Name="userPrincipalName"; Expression={$_.AdditionalProperties.userPrincipalName}},
            @{Name="displayName"; Expression={$_.AdditionalProperties.displayName}} |
        Export-Csv -Path $OutputPath -NoTypeInformation -ErrorAction Stop
    Write-Host "Export successful. The file is located at $OutputPath"
} catch {
    Write-Host "Failed to export users. Please check your permissions and try again."
    Write-Host $_.Exception.Message
}
```

Output Structure
The generated CSV contains the following columns:
| Column | Description |
|---|---|
| Id | Unique identifier for the group member |
| userPrincipalName | User’s sign-in address (UPN) |
| displayName | User’s display name in the directory |
Configuration Options
Target Group Modification
To export a different group, modify this line:

```powershell
$Group = Get-MgGroup -All | Where-Object { $_.DisplayName -eq "YOUR-GROUP-NAME" }
```

Output Path Customization
Change the export location by updating:

```powershell
$OutputPath = "C:\Your\Custom\Path\GroupMembers.csv"
```

Usage Scenarios
MFA Compliance Tracking
- Monitor users enrolled in multi-factor authentication
- Generate reports for security audits
- Track 2FA adoption rates
Access Management
- Document group membership for compliance
- Review user access permissions
- Maintain audit trails
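An audit trail is only useful if membership changes are actually detected, so the following added example (not part of the original script) compares two CSV exports with the Output Structure above and reports members added or removed between runs. The two file names and the changes-file path are assumptions; adjust them to the paths you use.

```powershell
# Added example: diff two exports produced by the script above.
# Assumed paths (not from the original script).
$PreviousExport = "C:\temp\MembersExport-previous.csv"
$CurrentExport  = "C:\temp\MembersExport.csv"
$ChangesExport  = "C:\temp\MembersExport-changes.csv"

foreach ($Path in @($PreviousExport, $CurrentExport)) {
    if (-not (Test-Path -Path $Path)) {
        Write-Host "Export file not found: $Path"
        return
    }
}

# Wrap in @() so an empty export still yields a (zero-length) collection
$Previous = @(Import-Csv -Path $PreviousExport)
$Current  = @(Import-Csv -Path $CurrentExport)

# Compare on the immutable object Id, not displayName or UPN, which can be renamed.
# -PassThru keeps the original rows and adds SideIndicator ("=>" only in current,
# "<=" only in previous).
$Diff = Compare-Object -ReferenceObject $Previous -DifferenceObject $Current -Property Id -PassThru

if (-not $Diff) {
    Write-Host "No membership changes between the two exports."
    return
}

$Changes = $Diff | ForEach-Object {
    [PSCustomObject]@{
        Change            = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
        Id                = $_.Id
        userPrincipalName = $_.userPrincipalName
        displayName       = $_.displayName
    }
}

$Changes | Format-Table -AutoSize
# Keep the delta next to the full exports so the trail shows what changed between runs
$Changes | Export-Csv -Path $ChangesExport -NoTypeInformation
```

Rows with an empty userPrincipalName in the delta are nested groups or devices, since the script exports transitive membership.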
Key Takeaway: This script provides a streamlined approach to exporting Azure AD group membership data, essential for security compliance and access management workflows.