How do I get groups from AAD using a PowerShell Function App?


I want to get all users from certain groups in AAD using PowerShell in a Function App, but I keep getting permission errors and I don't know how to assign them.

$groupsAD = [System.Collections.ArrayList]@()
[void]$groupsAD.Add('Group1')   # [void] discards the index that ArrayList.Add returns
[void]$groupsAD.Add('Group2')

foreach ($groupAD in $groupsAD) {
    $group = Get-AzADGroup -DisplayName $groupAD
    # further code
}

The error:

[Error] ERROR: Insufficient privileges to complete the operation.
Exception :
  Type : System.Exception
  Message : Insufficient privileges to complete the operation.
  HResult : -2146233088
CategoryInfo : InvalidOperation: (:) [Get-AzADGroup], Exception
FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.GetAzureADGroupCommand
InvocationInfo :
  MyCommand : Get-AzADGroup
  ScriptLineNumber : 16
  OffsetInLine : 14
  HistoryId : 1
  ScriptName : C:\home\site\wwwroot\HttpTrigger1\run.ps1
  Line : $group = Get-AzADGroup -DisplayName $groupAD
  PositionMessage : At C:\home\site\wwwroot\HttpTrigger\run.ps1:16 char:14
  + $group = Get-AzADGroup -DisplayName $groupAD

When I create this function locally it works fine after I authenticate with Connect-AzAccount. I also tried creating an identity and authenticating with it, but as far as I know that is for Azure resources, not AAD.

Best answer, by Hury Shen:

For this problem, here are two solutions for your reference:

1. If you use a username/password to authenticate in the Connect-AzAccount command, you need to make sure the user account has the required permission to get AD groups. Then use the code below in your function:

$User = "{username}"
$PWord = ConvertTo-SecureString -String "{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-AzAccount -Credential $Credential

$group = Get-AzADGroup -DisplayName "{group name}"

2. If you do not want to use a username/password to authenticate in your function, you can use a service principal.

First you need to register an app in your Azure AD. I registered an app named "huryGetToken6" in my Azure AD.

Then click the "Certificates & secrets" tab and create a new client secret. Copy the client secret to your notepad.

Then add the permission to the registered app, following the steps shown in the screenshots.

Please do not forget to click "Grant admin consent for xxx" after adding the permissions to the registered app.

After that, you can use the code below in your function to get the AD group:

$username = "{client id/application id}"
$password = "{client secret}"
$secureStringPwd = $password | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd
Connect-AzAccount -Credential $Credential -Tenant "{tenant id}" -ServicePrincipal

$group = Get-AzADGroup -DisplayName "huryGroup"

For the params in the above commands, you can find the client id/application id and tenant id on the "Overview" page of your registered app.
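A Function App run.ps1 built on the service-principal approach, added here as an example and not the answerer's or the project's code. It reads the tenant id, client id and client secret from app settings (the setting names AAD_TENANT_ID, AAD_CLIENT_ID and AAD_CLIENT_SECRET are assumed) rather than hardcoding them, connects with -ServicePrincipal, and reports per group which members were read and which call failed with a permission error.

```powershell
# run.ps1 for an HTTP-triggered PowerShell Function App (added example).
# Assumed app settings (Configuration > Application settings): AAD_TENANT_ID,
# AAD_CLIENT_ID, AAD_CLIENT_SECRET. AAD_CLIENT_SECRET can be a Key Vault reference
# so the secret never sits in the code or in a plain app setting.
using namespace System.Net
param($Request, $TriggerMetadata)

function Connect-WithServicePrincipal {
    foreach ($name in 'AAD_TENANT_ID', 'AAD_CLIENT_ID', 'AAD_CLIENT_SECRET') {
        if (-not [Environment]::GetEnvironmentVariable($name)) {
            throw "Missing app setting: $name"
        }
    }
    $secret = ConvertTo-SecureString -String $env:AAD_CLIENT_SECRET -AsPlainText -Force
    $cred = [System.Management.Automation.PSCredential]::new($env:AAD_CLIENT_ID, $secret)
    # Keep the Az context in this process only; nothing is persisted on the host.
    Disable-AzContextAutosave -Scope Process | Out-Null
    Connect-AzAccount -Credential $cred -Tenant $env:AAD_TENANT_ID -ServicePrincipal | Out-Null
}

function Get-GroupMembersReport {
    param([string[]]$GroupNames)
    $report = @{}
    foreach ($name in $GroupNames) {
        try {
            $group = Get-AzADGroup -DisplayName $name
            if (-not $group) { $report[$name] = @{ error = 'group not found' }; continue }
            $members = Get-AzADGroupMember -GroupDisplayName $name |
                Select-Object DisplayName, Id
            $report[$name] = @{ members = @($members) }
        } catch {
            # "Insufficient privileges" here means the app registration still lacks the
            # consented directory permission (or admin consent was never granted).
            $report[$name] = @{ error = $_.Exception.Message }
        }
    }
    return $report
}

Connect-WithServicePrincipal
$groups = @('Group1', 'Group2')   # the group names from the question
$result = Get-GroupMembersReport -GroupNames $groups
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body       = ($result | ConvertTo-Json -Depth 4)
})
```

Members are returned as DisplayName/Id pairs because the member object shape differs between Az.Resources versions; filter to user objects there if the group also contains nested groups or service principals.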