Exporting Entra ID group members (transitive members) with PowerShell:
Recently, while working with Intune deployments, I was asked to extract devices from a specific group into a CSV format. This task seemed straightforward, but the problem arose when attempting to gather all members, including those within nested groups.
While the Intune or Entra ID portal offers a convenient way to export direct members through bulk operations and a simple click on "Download members," it falls short when it comes to exporting devices that belong to nested groups. This limitation spurred the exploration of alternative methods, leading to the discovery of PowerShell as a powerful solution.
The following screenshot shows how you can download the direct members using the Entra ID or Intune console.
If you want to download all members using the console, there is no "Download members" option available.
Exporting Members with PowerShell
Unlike the portal's constraints, PowerShell enables us to extract comprehensive device details not available through direct member downloads. Leveraging the Microsoft Graph command Get-MgGroupTransitiveMember, part of the "Microsoft.Graph.Groups" module, we gain access to an array of device information crucial for deployment scenarios.
Before diving into the script execution, ensure that the executing account has the necessary Graph permissions, primarily read access. Without adequate permissions, Graph may restrict access, hindering the script's functionality.
For more information about the PowerShell command and module, please refer to https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/get-mggroup?view=graph-powershell-1.0
Script Overview
The script's functionality extends beyond the portal's limitations, empowering users to export both direct and nested group members effortlessly. Here's a concise breakdown of its operation:
- Module Validation: The script verifies the presence of the Entra ID groups module and installs it if absent, ensuring seamless execution.
- Graph API Connection: Establishing a connection to the Microsoft Graph API with requisite permissions is vital for accessing Entra ID group data.
- User Input: The user is prompted to input the Entra ID group name, facilitating targeted member extraction.
- Data Extraction: Upon validation, the script retrieves the group's ID and exports member details to a CSV file. This file encompasses crucial device information such as name, operating system, creation date, registration date, last sign-in date, and device ID.
The script is uploaded to a GitHub repository for download.
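The four steps listed above, written out as an added example (this is not the author's script from the repository). The read-only scope names, the CSV file name and the output column names are assumptions; the example also stops when the display name matches zero or several groups, because group display names are not unique.

```powershell
# Added example, not the author's script. Scope names, CSV path and
# column names are assumptions chosen for illustration.
$module = 'Microsoft.Graph.Groups'
if (-not (Get-Module -ListAvailable -Name $module)) {
    Install-Module -Name $module -Scope CurrentUser
}
Import-Module $module

# Request read-only delegated scopes only: membership plus device properties.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'Device.Read.All'

$groupName = (Read-Host 'Entra ID group name').Trim()
if (-not $groupName) { throw 'No group name entered.' }

# Double any single quote so the input stays inside the OData string literal.
$escaped = $groupName.Replace("'", "''")
$groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'" -All)

# Display names are not unique; refuse to guess which group was meant.
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($groups.Count)."
}
$group = $groups[0]

# Transitive members include users and nested groups; keep device objects only.
$devices = @(
    Get-MgGroupTransitiveMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' } |
        ForEach-Object {
            $p = $_.AdditionalProperties
            [pscustomobject]@{
                Name            = $p['displayName']
                OperatingSystem = $p['operatingSystem']
                Created         = $p['createdDateTime']
                Registered      = $p['registrationDateTime']
                LastSignIn      = $p['approximateLastSignInDateTime']
                DeviceId        = $p['deviceId']
                ObjectId        = $_.Id
            }
        }
)

# Name the file after the group's object ID, which is always a safe file name.
$csvPath = Join-Path $PWD "$($group.Id)-devices.csv"
$devices | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
Write-Host "Exported $($devices.Count) devices to $csvPath"
Disconnect-MgGraph | Out-Null
```

The exported CSV is a device inventory of the tenant, so store and share it with the same care as other directory data.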
Screenshots of the script execution and output data.
Conclusion
In summary, PowerShell serves as a robust tool for circumventing portal limitations and extracting comprehensive device data for deployment purposes. By leveraging the Get-MgGroupTransitiveMember command, users can streamline Intune deployments and fulfill requests for exporting all devices associated with Entra ID groups.
Reference article:
Get-MgGroupTransitiveMember (Microsoft.Graph.Groups) | Microsoft Learn