Hello all! Good day - forgive me ahead of time for I am a total n00b when it comes to PowerShell. Essentially, what I am trying to do is take a list of groups (whether that be imported via CSV or through some sort of Get statement) and add or remove a list of Users via the same methods. Theoretically to me it seems as though it should be simple enough. I am using the Remove-AzureADGroupMember in my example. I’ve tried various methods centered around Foreach but I consistently receive errors such as: “Cannot convert ‘System.Object’ to the type ‘System.String’”
Here is an example of something simple I’d try (each CSV has a column with a name and a column with Object ID):
[pre]
$UserList = Import-Csv -path "C:\temp\users.csv"
$groupList = Import-Csv -path "C:\temp\groups.csv"
Foreach ($user in $UserList) {
    $userObject = $UserList.ObjectID
    Foreach ($group in $groupList) {
        $groupObject = $groupList.ObjectID
    }
    Remove-AzureADGroupMember -ObjectId $groupObject -MemberId $userObject
}
[/pre]
Hi,
For removing all groups assigned to a given user, I use this.
My CSV file contains 2 columns, one with samaccountName and the other with email.
[pre]
Connect-AzureAD
# read file with users (email address)
$users = Import-Csv c:\temp\csv\toRemove.csv
$ErrorLog = "c:\temp\groupdeletionErrors.txt"
foreach ($user in $users) {
    # check if the user is disabled
    $accountEnabled = Get-AzureADUser -ObjectId $user.Email
    if (!($accountEnabled.AccountEnabled)) {
        # get the user's objectID from Azure
        $UserObjectID = Get-AzureADUser -ObjectId $user.Email | Select-Object objectID
        # grab the clean objectID from the user
        $SelectUserObjectID = $UserObjectID.objectID
        # find all the groups a user is a member of
        $UserObjectIDGroupMemberShip = Get-AzureADUserMembership -ObjectId $SelectUserObjectID
        $a = $UserObjectIDGroupMemberShip.count
        $Groupsremoved = 0
        $ErrorGroup = 0
        foreach ($group in $UserObjectIDGroupMemberShip) {
            # remove the user from each individual group
            try {
                Remove-AzureADGroupMember -ObjectId $group.objectID -MemberId $SelectUserObjectID
                $Groupsremoved++
            }
            catch {
                # the groups that cannot be removed are saved in the error log
                "Error removing $group : $($_)" | Add-Content $ErrorLog
                #write-host "$errorcount groups could not be removed from $($user.samaccountname)"
                $ErrorGroup++
            }
            finally {
                # output on screen
            }
        }
        Write-Host "#####################################################################"
        Write-Host "result for $($user.Email)"
        Write-Host "Total groups Found: $a"
        Write-Host "Total groups Removed: $Groupsremoved"
        Write-Host "Total groups not removed: $ErrorGroup"
        Write-Host "#####################################################################"
    }
    else {
        Write-Host "$($user.Email) cannot be removed at this time"
    }
}
[/pre]
Here are the issues with your code:
[pre]
$UserList = Import-Csv -path "C:\temp\users.csv"
$groupList = Import-Csv -path "C:\temp\groups.csv"
Foreach ($user in $UserList) {
    #You are in a loop, $user is the item and
    #$UserList is the entire list and you are referencing $UserList.ObjectId
    $userObject = $UserList.ObjectID
    Foreach ($group in $groupList) {
        #Same here, you are in a loop, $group is the item and
        #$GroupList is the entire list and you are referencing $GroupList.ObjectId
        $groupObject = $groupList.ObjectID
    }
    #This is located in the user loop, not the group loop, so you would always process the last
    #group member of the group because you loop through everything and the last item is set as $groupObject
    Remove-AzureADGroupMember -ObjectId $groupObject -MemberId $userObject
}
[/pre]
The error is you are providing an object, not a string. This is due to an implicit loop when you do object.property.
[pre]
PS C:\Users\rasim> $svc = Get-Service | Select -First 5
#This is an implicit loop, $svc is an object and Name is the property
PS C:\Users\rasim> $temp = $svc.Name
#Here you can see that all 5 names are in $temp, making it an array, specifically a string array object:
PS C:\Users\rasim> $temp.Count
5
[/pre]
Here is corrected code so you can compare to the original:
[pre]
$UserList = Import-Csv -path "C:\temp\users.csv"
$groupList = Import-Csv -path "C:\temp\groups.csv"
Foreach ($user in $UserList) {
    $userObject = $User.ObjectID
    Foreach ($group in $groupList) {
        $groupObject = $group.ObjectID
        Remove-AzureADGroupMember -ObjectId $groupObject -MemberId $userObject
    }
}
[/pre]
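An added example, not part of the original thread or any poster's code: the corrected nested loop extended with a check that each ObjectID is a well-formed GUID and a dry-run default, so a malformed CSV row is caught before any group membership changes. The CSV rows are constructed sample data, and the function name `Get-RemovalPlan` and the `$DryRun` variable are hypothetical.

```powershell
# Added example; the rows below are constructed sample data, not real tenant objects.
$UserList = @'
Name,ObjectID
Alice Example,11111111-1111-1111-1111-111111111111
Bob Example,not-a-guid
'@ | ConvertFrom-Csv

$GroupList = @'
Name,ObjectID
Sales,aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
Finance,bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
'@ | ConvertFrom-Csv

# Member enumeration: reading the property on the whole list yields an array,
# reading it on one item yields a single string. Compare the two type names.
$UserList.ObjectID.GetType().Name
$UserList[0].ObjectID.GetType().Name

function Get-RemovalPlan {   # hypothetical helper name
    param($Users, $Groups)
    $parsed = [guid]::Empty
    foreach ($user in $Users) {
        # Skip rows whose ObjectID is not a well-formed GUID
        if (-not [guid]::TryParse($user.ObjectID, [ref]$parsed)) {
            Write-Warning "Skipping user '$($user.Name)': bad ObjectID '$($user.ObjectID)'"
            continue
        }
        foreach ($group in $Groups) {
            if (-not [guid]::TryParse($group.ObjectID, [ref]$parsed)) {
                Write-Warning "Skipping group '$($group.Name)': bad ObjectID"
                continue
            }
            # One output object per (group, user) pair to act on
            [pscustomobject]@{ Group = $group.Name; GroupId = $group.ObjectID
                               User  = $user.Name;  UserId  = $user.ObjectID }
        }
    }
}

$DryRun = $true   # hypothetical switch; set to $false only after reviewing the plan
$plan = Get-RemovalPlan -Users $UserList -Groups $GroupList
foreach ($item in $plan) {
    if ($DryRun) {
        Write-Host "Would remove $($item.User) from $($item.Group)"
    } else {
        Remove-AzureADGroupMember -ObjectId $item.GroupId -MemberId $item.UserId
    }
}
```

With `$DryRun` left at `$true` the block runs offline and never calls the AzureAD module; the plan objects can also be exported with `Export-Csv` as a change record before the real run.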
Thank you both so much - two very helpful and unique responses! Acer I hadn’t even thought of using get-AzureAdUserMembership so that’s a really cool method. And Rob, your reply was exactly what I was looking for - someone to critique what I had done. It was nice to see that I was not too far off from what actually needed to be done!