The other day I was working on a change with a colleague where one Entra ID security group needed to be replaced with another security group in an in-house application. I was asked to make sure the same members of the old group were added to the new group, and that’s a fairly simple task in Entra ID, but there was the need to automate the lifecycle of members of the group. Since I’m using Entra ID Governance entitlement management to add or remove members of the old group, I needed to replace the old group in all the Access Packages with the new group.
It may seem like an easy task, but if you have a lot of Access Packages then it can be difficult to figure out (or remember) which Access Packages a specific Entra ID security group is added to. I decided to create a PowerShell script to find out what Access Packages a specific security group has been added to, since this probably won’t be the last time I need to perform this task. I’ve also decided to create scripts for SharePoint Sites and Applications just in case.
Let me share these PowerShell scripts and how you can use them in your own environment to solve similar challenges.
Pre-requisites:
- Microsoft Graph PowerShell Module
- Permissions: Group.Read.All, EntitlementManagement.Read.All
Locating what Access Packages an Entra ID security group is us
This PowerShell script will first make sure the group actually exists in Entra ID, and if found, it will then use the group’s object ID to find out what Access Packages the group has been added to. The script will output the names of the Access Packages the security group is added to.
By running this PowerShell script, I was able to quickly figure out what Access Packages the group was added to and could then replace it with ease.
Locating what Access Packages a SharePoint Online site is added to
This PowerShell script does exactly what the heading states – it locates what Access Packages a SharePoint Online site is added to. You only need to provide the script with the URL of the SharePoint Online site.
Locating what Access Packages an Application is added to
Finally, here is how to find what Access Packages an application has been added to. You need to provide this PowerShell script with the Application ID, not the Object ID of the Application.
Wrapping up
These three PowerShell scripts are designed to help quickly find what Access Packages different resources have been added to, so that you are able to make adjustments more quickly instead of trying to remember or even consult your own documentation.
Tip: If you want to remove a resource from all the Access Packages it has been added to, you can do so by navigating to Catalog, then selecting Resources, and clicking Remove resource. (Since resources for Access Packages are added to the Catalog of the Access Package before they get added to the Access Package itself)
