目前我正在忙于一个需要执行以下操作的脚本:
该脚本需要检查 Azure AD 组并比较 EXO DG 中的突变。我已经编写并捆绑了一些输入和输出,但我无法使其工作。运行时我没有出现任何错误,但从 SG 组中删除的用户不会从 EXO 中的 DG 中删除。
我为什么要这样做?我有一个未解决的问题,即如何使 Azure AD 安全组启用邮件功能。不幸的是,Azure AD 安全组不能是启用邮件功能的组。
在“New-AzureADMSGroup”或“Set-AzureADMSGroup”上有一个 MailEnabled 对象,但不受支持。
拥有 EXO MSG 也并不能满足需求,因为您不能在 Access 包或企业应用程序中使用此组。
拥有 EXO DDL 也不能满足需求,因为请求的 AAD SG 中的用户没有相同的筛选条件。用户唯一的共同点是 AAD SG 的成员资格。
#Azure AD
$AzureADGroup1 = "xxxxx-xxx-xxxx-xx-xxxxxxx"
$AzureADGroup1Members = Get-AzureADGroupMember -ObjectId $AzureADGroup1 -All $true | Select-Object Mail
#EXO
$DGMembers = (Get-distributiongroupmember -identity [email protected]).primarysmtpaddress
foreach ($AzureADGroup1Member in $AzureADGroup1Members) {
#if users already added returns $false
if (!($DGMembers -match $AzureADGroup1Member))
{
Add-DistributionGroupMember -Identity [email protected] -Member $AzureADGroup1Member.Mail -Confirm:$false -ErrorAction SilentlyContinue
}
Write-Host -ForegroundColor Green $AzureADGroup1Member.Mail"is added"
if (!($DGMembers -notmatch $AzureADGroup1Member))
{
Remove-DistributionGroupMember -Identity [email protected] -Member $AzureADGroup1Member.Mail -Confirm:$false -ErrorAction SilentlyContinue
}
Write-Host -ForegroundColor Green $AzureADGroup1Member.Mail"is removed"
}
更新:我现在又写了另一个脚本,但不是很简洁。
1:从 DG 中删除所有成员
2:从 AAD SG 检索所有成员
3:将所有成员添加回DG
#EXO: Clear DG
$DG = "DG1"
$DGMembers = (Get-distributiongroupmember -identity $DG).PrimarySmtpAddress
foreach ($DGMember in $DGMembers) {
Remove-DistributionGroupMember -Identity $DG -Member $DGMember -Confirm:$false -ErrorAction SilentlyContinue
Write-Host -ForegroundColor Green $DGMember "is removed"
}
#Azure AD: Get AAD SG
$AzureADGroup1 = "xxxx-xxxx-xxx-xxx-xxx"
$AzureADGroup1Members = (Get-AzureADGroupMember -ObjectId $AzureADGroup1 -All $true).Mail
#EXO: Fill up DG again
foreach ($AzureADGroup1Member in $AzureADGroup1Members) {
Add-DistributionGroupMember -Identity $DG -Member $AzureADGroup1Member -Confirm:$false -ErrorAction SilentlyContinue
Write-Host -ForegroundColor Green $AzureADGroup1Member "is added"
}
嗯,这本身不是问题,只是 AAD SG 有 1100 多名成员,我当然可以在每天晚上 1 点运行它,但我担心从长远来看他可能无法在 7 点准备好。
答案1
我为未来的读者回答了我自己的问题。关键是使用 PowerShell 中的 Compare-Object 函数!
#Azure AD: Get AAD SG
$AzureADGroup = "xxx-xxx-xxx-xxx-xxxx"
$AzureADGroupMembers = (Get-AzureADGroupMember -ObjectId $AzureADGroup -All $true).Mail
#EXO: Get EXO DG
$DG = "[email protected]"
$DGMembers = (Get-distributiongroupmember -identity $DG).PrimarySmtpAddress
# SideIndicator: "<=" = NOT IN EXO DG - ADD AAD SG GROUPMEMBER TO EXO DG
Compare-Object -ReferenceObject $AzureADGroupMembers -DifferenceObject $DGMembers | Where-Object {$_.SideIndicator -eq "<="} | ForEach-Object {
Add-DistributionGroupMember -Identity $DG -Member $_.InputObject -Confirm:$false
Write-Host -ForegroundColor Green $_.InputObject "is added"
}
# SideIndicator: "=>" = NOT IN AAD SG - REMOVE EXO DG GROUPMEMBER FROM AAD SG
Compare-Object -ReferenceObject $AzureADGroupMembers -DifferenceObject $DGMembers | Where-Object {$_.SideIndicator -eq "=>"} | ForEach-Object {
Remove-DistributionGroupMember -Identity $DG -Member $_.InputObject -Confirm:$false
Write-Host -ForegroundColor Green $_.InputObject "is removed"
}
Write-Host -ForegroundColor Green "Script is finished!"
您可以使用以下方式一次性填充 DG:
#Azure AD: Get AzureADGroup1 and AzureADGroup1Members
$AzureADGroup1 = "xxxx-xxx-xxxx-xxx"
$AzureADGroup1Members = (Get-AzureADGroupMember -ObjectId $AzureADGroup1 -All $true).Mail
#EXO: Set DistributionGroupMembers from AzureADGroup1Members in AzureADGroup1
foreach ($AzureADGroup1Member in $AzureADGroup1Members) {
Add-DistributionGroupMember -Identity [email protected] -Member $AzureADGroup1Member -Confirm:$false
Write-Host -ForegroundColor Green $AzureADGroup1Member "is added"
}
Write-Host -ForegroundColor Green "Script is finished!"
一次性填充后,您可以执行每天比较两组的自动化任务。