MS Graph for Aliens

If somebody would have to build the users and groups of the whole galaxy into a single AzureAD, group memberships would play a big role. For an alien it would then be easy to understand who is member of what part of the galaxy. Lets take a little – not too serious – example:

How Aliens look into the Galaxy via a REST-API

Left hand is the Alien, using the MS Graph REST-API and has at least read-access to the Azure AD (by some Application with the Global-Reader role assigned).

Righ-hand-side is the Galaxy with its president Zaphod. Solaris (our system) has a lot of members, for example we take Venus, a person on the Venus planet. And finally there is Earth with one person we picked out called Arthur.

How this structure is build into the Galaxies AzureAD.

First we have the „Galaxy“ group with Zaphod and the „Solaris“ group as member.

Next we have the Solaris group with Venus and Earth as members.

And pretty much the same way Earth, and Arthur.

And now lets play Alien and query the galaxy!

Our Alien uses PowerShell, and frankly i sometimes feel like an alien using PowerShell, as many admins still click around in the GUI ;-).

But first leks create an Access Token and an authorization header.

Ok, now we have a header with a proper token and access to the Graph API. Now lets define the object-IDss for our galaxy-objects (you get them from the Azure Portal ==> Groups ==> Object ID, same for users.

Is Arthur from Earth ?

Now comes the fun part. We use the „checkMemberGroups“ path from the MS Graph API to find out if Arthur is from earth (maybe something really interesting for Vogons …;-))

If Arthur is a member, the API returns the groups object-id, which we can then compare and make a simple output via If/else.

For Arthur this emits „is member of …“

Is Venus from Earth ?

Guys and girls, especially all which are in a long-term relationship, we all know the answer …

… not found … so true 🙁

Is Arthur part of the Galaxy ?

Yep, thats the really interesting question and the reason why we do nested groups. Arthur is part of Earth, Solaris and the Galaxy as a whole.

And – without question -he is !

Ask for multiple group memberships

To analyze where the group memberships breaks, the REST-API allows us to ship muliple group-ID´s and as for membership. Lets try this for venus.

Summary

Nested groups are great and the MS-Graph API allows us to query group membership easily. Hope that helps you in some way!

Roman

Photo by Jeremy Thomas on Unsplash for the headure picture!