Add group members to another tenant via Azure AD B2B and PowerShell

I needed to add the members of several groups in one Azure AD tenant to a group in another Azure AD tenant, which would then be given access to a resource. The goal was that the added users should not have to redeem the invitation, which is normally required when adding a B2B user. The first step was to invite one user via B2B in the normal way; that user redeemed the invite and, in this case, was then made a global admin (another option would have been to allow guests to invite guests). The key point is that this user could invite people via B2B and could enumerate users in the invited Azure AD instance, which means the invitations do not have to be redeemed.

My first version of the script was very simple, but I soon realized I would have to rerun it to add new users, so I enhanced it to extract the current members of the group and convert their names back to regular email format. When a user is invited into Azure AD, the @ in the address is replaced with _ and the result is placed in a string with several components separated by #. The script therefore extracts the first part and converts the underscore that replaced the @ back into an @, then looks only for people who are not already members.

In the script below replace the group names, Azure AD names and IDs to meet your requirements.

Import-Module AzureAD

$OneMTCTenantName = "sourceten.net"
$OneMTCTenantID = "ID1"
$OPCTenantName = "targetten.net"
$OPCTenantID = "ID2"

$AADGroupsToEnumerate = "SourceGroup1","SourceGroup2","SourceGroup3"
$AllMTCTeam = @()
$MTCTeamGroupName = "TargetGroup"

# Source tenant: collect the user members of each source group
Connect-AzureAD -TenantId $OneMTCTenantID

foreach($AADGroupName in $AADGroupsToEnumerate)
{
    $AADGroup = Get-AzureADGroup -Filter "DisplayName eq '$AADGroupName'"
    if($null -eq $AADGroup)
    {
        Write-Warning "Group $AADGroupName not found in $OneMTCTenantName, skipping"
        continue
    }
    # Membership can include nested groups and service principals; only users can be invited
    $AADPeople = Get-AzureADGroupMember -ObjectId $AADGroup.ObjectId -All $true | Where-Object { $_.ObjectType -eq 'User' }
    $AllMTCTeam += $AADPeople
}

# Target tenant: find (or create) the group and work out who is already a guest
Connect-AzureAD -TenantId $OPCTenantID

#$OPCOneMTCGroup = New-AzureADGroup -DisplayName $MTCTeamGroupName -Description "All members of the global OneMTC organization" `
#    -SecurityEnabled $true -MailEnabled $false -MailNickName "$MTCTeamGroupName"

# Exact match on the display name; -SearchString is a prefix match and can return more than one group
$OPCOneMTCGroup = Get-AzureADGroup -Filter "DisplayName eq '$MTCTeamGroupName'"

$OPCUsers = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | Select-Object -ExpandProperty UserPrincipalName
$OPCCleanUsers = @()
foreach($OPCUser in $OPCUsers)
{
    # Clean up to a real email address. A guest UPN looks like
    # first_last_sourceten.net#EXT#@targetten.onmicrosoft.com; only the last
    # underscore replaced the @, so underscores in the local part must be left alone
    $stub = ($OPCUser.Split("#"))[0]
    $pos = $stub.LastIndexOf('_')
    if($pos -gt 0)
    {
        $tempemail = $stub.Substring(0, $pos) + '@' + $stub.Substring($pos + 1)
    }
    else
    {
        $tempemail = $stub
    }
    #Write-Output "Converting $OPCUser to $tempemail"
    $OPCCleanUsers += $tempemail
}

foreach($MTCTeamMember in $AllMTCTeam)
{
    #Check if already a guest (-contains compares case-insensitively, as UPNs are)
    if($OPCCleanUsers -Contains $MTCTeamMember.UserPrincipalName)
    {
        Write-Output "User $($MTCTeamMember.UserPrincipalName) already added"
    }
    else
    {
        Write-Output "Adding $($MTCTeamMember.UserPrincipalName)"
        # Invite without sending mail, then add the new guest object to the target group
        $AADB2BAdd = New-AzureADMSInvitation -InvitedUserEmailAddress "$($MTCTeamMember.UserPrincipalName)" -SendInvitationMessage $false `
            -InviteRedirectUrl "http://myapps.microsoft.com"
        Add-AzureADGroupMember -ObjectId $OPCOneMTCGroup.ObjectId -RefObjectId $AADB2BAdd.InvitedUser.Id
    }
}
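The script above only ever adds guests, so someone who leaves a source group keeps their access in the target tenant until it is removed by hand. The following is an added example (not part of the original post): a helper that converts a guest UPN back to the invited address even when the local part itself contains underscores, and a reconciliation pass that reports guests in the target group who are no longer in any source group. It assumes the session is still connected to the target tenant and that $OPCOneMTCGroup and $AllMTCTeam were populated as in the script; the function names are my own.

```powershell
# Added example, not from the original post. Assumes the AzureAD module is loaded,
# the session is connected to the target tenant, and $OPCOneMTCGroup / $AllMTCTeam
# were populated by the script above.

function ConvertFrom-GuestUpn {
    # "john_doe_contoso.com#EXT#@targetten.onmicrosoft.com" -> "john_doe@contoso.com".
    # Only the LAST underscore stands in for the @; a blanket Replace('_','@')
    # would corrupt addresses whose local part contains underscores.
    param([Parameter(Mandatory)][string]$Upn)
    if ($Upn -notmatch '#EXT#') { return $Upn.ToLowerInvariant() }   # not a B2B guest UPN
    $stub = $Upn.Split('#')[0]
    $i = $stub.LastIndexOf('_')
    if ($i -lt 1) { return $stub.ToLowerInvariant() }                 # nothing to convert
    return ($stub.Substring(0, $i) + '@' + $stub.Substring($i + 1)).ToLowerInvariant()
}

function Get-StaleGuestMember {
    # Guests in the target group whose address is no longer in any source group.
    param(
        [Parameter(Mandatory)][string]$TargetGroupObjectId,
        [Parameter(Mandatory)][string[]]$ExpectedAddresses   # UPNs gathered from the source groups
    )
    $expected = @{}
    foreach ($a in $ExpectedAddresses) { $expected[$a.ToLowerInvariant()] = $true }

    Get-AzureADGroupMember -ObjectId $TargetGroupObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest' } |
        ForEach-Object {
            $email = ConvertFrom-GuestUpn $_.UserPrincipalName
            if (-not $expected.ContainsKey($email)) {
                [pscustomobject]@{ ObjectId = $_.ObjectId; UserPrincipalName = $_.UserPrincipalName; Email = $email }
            }
        }
}

# Report first; flip $RemoveStale to $true only after the list has been reviewed.
$RemoveStale  = $false
$expectedUpns = $AllMTCTeam | ForEach-Object { $_.UserPrincipalName }
$stale = Get-StaleGuestMember -TargetGroupObjectId $OPCOneMTCGroup.ObjectId -ExpectedAddresses $expectedUpns
foreach ($s in $stale) {
    Write-Output "Stale guest in $($OPCOneMTCGroup.DisplayName): $($s.Email) ($($s.UserPrincipalName))"
    if ($RemoveStale) {
        # Removes the guest from the group only; the guest account itself stays in the tenant
        Remove-AzureADGroupMember -ObjectId $OPCOneMTCGroup.ObjectId -MemberId $s.ObjectId
    }
}
```

Running this after the add pass turns the script into a full reconciliation of the target group against the source groups, so the group reflects current membership rather than everyone who was ever invited.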
