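# Azure AD privilege / membership audit.
#
# Produces one CSV row per user with:
#   - AssignedRoles : the directory roles the user holds, either directly or
#                     through a (role-assignable) group that holds the role
#   - NumberOfGroups: how many groups the user is a direct member of
#   - one column per group, '/' when the user is a member, '' otherwise
#
# Requires the AzureAD module and an existing session (Connect-AzureAD).
# NOTE(review): the AzureAD module is deprecated by Microsoft; the Microsoft
# Graph PowerShell SDK is the supported replacement. Kept on AzureAD here so
# the cmdlets and the output file format stay the same.
#
# The output file (AzureADUsers.csv in the current directory) contains PII and
# a map of which accounts are privileged - treat it as sensitive.

# An audit that silently skipped a role or group it could not read would
# under-report privileged accounts; fail loudly instead.
$ErrorActionPreference = 'Stop'

# Spreadsheet applications evaluate cells that start with = + - @ (or a
# tab / carriage return) as formulas ("CSV injection"). Display names are set
# by tenant users and group owners, so they are not trusted; prefix a quote
# so the cell is rendered as text.
function ConvertTo-SafeCsvCell {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return '' }
    if ($Value -match '^[=+\-@\t\r]') { return "'" + $Value }
    return $Value
}

Write-Host 'Fetching all users from Azure AD...'
$users = Get-AzureADUser -All $true

Write-Host 'Fetching all directory roles...'
# Only roles that have been activated in the tenant are returned; a role that
# has never been assigned has no holders and needs no reporting.
$roles = Get-AzureADDirectoryRole

Write-Host 'Fetching all groups from Azure AD...'
$groups = Get-AzureADGroup -All $true

# Resolve every role's membership ONCE. Re-fetching each role and group for
# every user (users x (roles + groups) calls) throttles on large tenants.
# roleHolders[userObjectId] = array of role display names.
Write-Host 'Resolving directory role members...'
$roleHolders = @{}
foreach ($role in $roles) {
    foreach ($member in @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
        if ($member.ObjectType -eq 'Group') {
            # Role assigned to a group: every direct member of that group holds
            # the role. -All is required - without it the cmdlet returns only
            # the first 100 members and admins in a large group are missed.
            $holderIds = @(Get-AzureADGroupMember -ObjectId $member.ObjectId -All $true |
                ForEach-Object { $_.ObjectId })
        } else {
            $holderIds = @($member.ObjectId)
        }
        foreach ($id in $holderIds) {
            if (-not $roleHolders.ContainsKey($id)) { $roleHolders[$id] = @() }
            if ($roleHolders[$id] -notcontains $role.DisplayName) {
                $roleHolders[$id] += $role.DisplayName
            }
        }
    }
}

# groupMembers[groupObjectId] = set of direct member ObjectIds (again -All,
# so NumberOfGroups and the per-group columns are not capped at 100 members).
Write-Host 'Resolving group members...'
$groupMembers = @{}
foreach ($group in $groups) {
    $ids = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($m in @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)) {
        [void]$ids.Add($m.ObjectId)
    }
    $groupMembers[$group.ObjectId] = $ids
}

# One CSV column per group. Column names must be unique and non-empty:
# Add-Member / Export-Csv reject duplicates, and a group may share a display
# name with another group or with a fixed column. Disambiguate with the
# ObjectId instead of dropping the column.
$fixedColumns = 'UserPrincipalName', 'DisplayName', 'Surname', 'GivenName', 'AssignedRoles', 'NumberOfGroups'
$seenColumns = @{}
foreach ($c in $fixedColumns) { $seenColumns[$c] = $true }
$groupColumns = New-Object 'System.Collections.Generic.List[object]'
foreach ($group in $groups) {
    $column = ConvertTo-SafeCsvCell $group.DisplayName
    if ([string]::IsNullOrWhiteSpace($column) -or $seenColumns.ContainsKey($column)) {
        $column = "$column ($($group.ObjectId))"
    }
    $seenColumns[$column] = $true
    $groupColumns.Add([PSCustomObject]@{ Group = $group; Column = $column })
}

# Build the rows. A List avoids the O(n^2) array re-allocation of `+=`.
$rows = New-Object 'System.Collections.Generic.List[object]'
foreach ($user in $users) {
    Write-Host "Processing user: $($user.DisplayName) ($($user.UserPrincipalName))..."

    $roleNames = @()
    if ($roleHolders.ContainsKey($user.ObjectId)) { $roleNames = $roleHolders[$user.ObjectId] }

    # [ordered] keeps the fixed columns first and the group columns in
    # directory order, matching the original layout.
    $row = [ordered]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = ConvertTo-SafeCsvCell $user.DisplayName
        Surname           = ConvertTo-SafeCsvCell $user.Surname
        GivenName         = ConvertTo-SafeCsvCell $user.GivenName
        # Role names, not a bare '/' per role: the reviewer must be able to see
        # *which* privileged roles an account holds.
        AssignedRoles     = ($roleNames -join '; ')
        NumberOfGroups    = 0
    }

    $groupCount = 0
    foreach ($gc in $groupColumns) {
        if ($groupMembers[$gc.Group.ObjectId].Contains($user.ObjectId)) {
            $groupCount++
            $row[$gc.Column] = '/'   # forward slash marks membership
        } else {
            $row[$gc.Column] = ''    # blank for non-members
        }
    }
    $row['NumberOfGroups'] = $groupCount

    $rows.Add([PSCustomObject]$row)
}

# Write the report. UTF8 so non-ASCII display names survive the round trip.
$outputPath = 'AzureADUsers.csv'
$rows | Export-Csv -Path $outputPath -NoTypeInformation -Encoding UTF8

Write-Host 'User information has been exported to' $outputPath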
|