Re: Getting a users AAD group memberships

AlisterT · ‎10-28-2019

Hi All,

I have an AAD group which stores all my Office 365 users. I am trying to use flow to check if a user is a member of a certain group. I have the users GUID and the groups GUID.

My first attempt involved using 'Get Group Members' Action, but I quickly back-tracked on this given my group is well over the top 999 limit of items which will be returned.

I have now tried to use 'Get Groups of a User'. I run a switch statement to check for 2 group GUIDS and set a variable to true if the user is a member of either group. The variable is initailised as false. The problem I am having is I keep getting false positives because 1 of the group GUIDs I am looking for, in AAD, is nested inside a group which contains all the users in my organization.

I have asked my administrators to remove the nested group, but they are reluctant.. Fearing 'unforseen circumstances'.

I have tried nesting the group I am looking for in a group which has no direct members and checking for that groups GUID, but again a false positive is returned.

I am hoping somone can help me figure out how to check if the user is a direct member of the groups I am searching for and not inheriting it from the group which holds all users.

I know this is hard to explain and I might not have done a very good job, here is my group setup

Group1

All users are a member of this group
Group2 (the first GUID I am looking for) is a member of this group

Group3

No issues checking this group

I would much appreciate and assistance.

Thanks in advance,

v-bacao-msft · ‎10-28-2019

Hi @AlisterT ,

Have you tried to use Add user to group action?

If the specified user is already a member of the specified group, the action should fail. You only need to use configure run after to determine if the action failed.

https://flow.microsoft.com/en-us/blog/error-handling/

Best Regards,

Community Support Team _ Barry
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Jcook · ‎10-28-2019

That is genius, definitely going to do that instead of my huge conditional statements haha

Did I answer your question? Mark my post as a solution!

If you like my post please hit the Thumbs Up

Proud to be a Flownaut!

Check out my blog for Power Automate tips,
tricks, and guides
FlowAltDelete

Follow@FlowAltDelete

AlisterT · ‎11-01-2019

Hi v-bacao,

Thanks for this. It sounds promising! I just wanted to let you know I have read this suggestion, I don't think I would have thought to try that so thank you.
I haven't been able to try it yet but once I do I will report back here 🙂

Thanks again

AlisterT · ‎11-02-2019

Hi v-bacao,

I have tried this and unfortunately, it didn't work for me. I'm sure it would work for most people though. The reason it didn't work for me is because group 2 in my original post is Primary in on-premise AD and sync'd to AAD so the 'Add user to a group' action fails with a bad request error. I realize I failed to mention this fact in my original post. Sorry about that!

If you're interested, the bad request error detail is:

Unable to update the specified properties for on-premises mastered Directory Sync objects