Get all users of an Azure AD Group and add them to another one – Powershell

The following script will get all the members of an Azure AD group and add them to another group. You’ll just need to know the name of the two groups to make it work.

In the code shown below, the source group will be called Group1Name and the destination one Group2Name.

# Replace Group1Name with the name of your source group and Group2Name with the name of the destination one. Everything else will be done automatically

$Group1 = "Group1Name"
$Group2 = "Group2Name"


$group1ObjectID = Get-AzureADGroup -Filter "Displayname eq '$group1'" | Select objectid -ExpandProperty ObjectID
$group2ObjectID = Get-AzureADGroup -Filter "Displayname eq '$group2'" | Select objectid -ExpandProperty ObjectID

$membersGroup1 = Get-AzureADGroupMember -ObjectId $group1ObjectID -All $true

foreach($member in $membersGroup1)
{
    $currentuser = Get-AzureADUser -ObjectId $member.ObjectId | select objectid
    Add-AzureADGroupMember -ObjectId $group2ObjectID -RefObjectId $currentuser.objectid

}
Get-AzureADGroupMember -ObjectId $group2ObjectID -All $true

Enable Unified Audit Logs – Office 365

Unified Audit Log is one of the essential features for tracking down every action done across the tenant.

The logs are kept for 90 days by default, but you can extend them using special addons.

If you want to check whether the logging is enabled on your tenant, connect to Exchange Online with PowerShell. Once connected, you can check the status.

Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName yourupn@domain.com
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

If you get “True” as a result, the logging is enabled. If you get “False”, follow the steps below to enable it:

PowerShell way:

Using the PS tab, you opened before to check the Audit Log status, send the following command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

You might be asked to run “Enable-OrganizationCustomization” before relaunching the command. You must wait 30 to 60 minutes after sending “Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true” to see it enabled in the portal.

Portal way:

Go to https://compliance.microsoft.com/, then click on “Audit” on the left pane. When you get to the page, click on “Start recording user and admin activity“, then check the status after 30-60 minutes. If it fails, try with PowerShell.

Disconnect a user session in Azure Virtual Desktop (AVD) – PowerShell

Prerequisites: The Microsoft.RDInfra.RDPowerShell module, the Az PS module

First, install the RDInfra module:

Install-Module -Name Microsoft.RDInfra.RDPowerShell; Import-Module -Name Microsoft.RDInfra.RDPowerShell

Then proceed by installing the Az module and logging in:

Connect-AzAccount

Once you are logged in you can run the following script to disconnect a specific user session:

Get-RdsUserSession -TenantName "tenantname.onmicrosoft.com" -HostPoolName "HostPoolName" | where { $_.UserPrincipalName -eq "azvise\demouser" } | Invoke-RdsUserSessionLogoff -NoUserPrompt

Password Hash Synchronization won’t update any user password

If AD Sync won’t update any user password across a domain follow these steps:

  • Open Microsoft Azure Active Directory Connect
  • Click Configure
  • Click Troubleshoot
  • Click Launch
  • In PowerShell type 2 (Enter ‘2’ – Troubleshoot Password Hash Synchronization)
  • Type 1 (Enter ‘1’ – Password Hash Synchronization does NOT work at all)

Usually, the output on your local AD Connector is:

Last successful attempt to synchronize passwords from this directory partition started at: [long time ago]

If this is the case proceed as follows:

  • Open Synchronization Service Manager
  • Click on Connectors
  • Click on your local connector (ex. domain.com)
  • Right-click, then open properties
  • Under Connect to Active Directory Forest insert the password for the user and click ok
  • Run an initial Sync in PowerShell: Start-ADSyncSyncCycle -PolicyType Initial