Azure AD: Security Groups

Summary

This module contains actions for managing Security Groups in Azure AD.

Mail-Enabled Groups

Unfortunately the Microsoft Graph API does not support creating or updating mail-enabled groups.

These groups can be audited & added to others, but they cannot be created or updated using this plugin.

See here for more information.

Actions

azure_ad.security_groups.

add_member

Add a member to a security group.

Members can be Users or SecurityGroups.

If the member is already in the group, nothing will be modified & the action will succeed.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

• group_id: a SecurityGroup ID

• member_id: a User or SecurityGroup ID

Supported Group & Member Types

You cannot add Unified groups to Security groups.

The Microsoft Graph API does not support adding users to:

• Mail-Enabled Security Groups

• Distribution Groups

Output

Nothing is outputted by this action.

Example

- azure_ad.security_groups.add_member:
  load:
    group_id: selected_group.id
    member_id: selected_user.id
    client: azure_client

azure_ad.security_groups.

create

Create a security group.

Minimum Plugin Version: 1.0.0

Required API Permissions

Mail-Enabled Security Groups

This action does not support mail-enabled security groups.

See here for more information.

Input

• client: an AzureClient

• display_name: a display name for the group

• description: optional group description (defaults to empty)

• owners: optional list of User IDs if setting owners (defaults to no owners)

• users: optional list of User IDs to add as members

• groups: optional list of SecurityGroup IDs to add as members

Supplying Groups as Members

You cannot add Unified (Microsoft 365) groups to Security groups.

Output

Nothing is outputted by this action.

Example

- azure_ad.security_groups.create:
    display_name: Example Group
    description: This is an example description
  load:
    client: azure_client

azure_ad.security_groups.

delete

Delete a security group.

Minimum Plugin Version: 1.0.0

Required API Permissions

Mail-Enabled Security Groups

This action does not support mail-enabled security groups.

See here for more information.

Input

• client: an AzureClient

• group_id: a SecurityGroup ID

Output

Nothing is outputted by this action.

Example

- azure_ad.security_groups.delete:
  load:
    group_id: selected_group.id
    client: azure_client

azure_ad.security_groups.

display

Display groups in a table.

The table will have the following columns:

• Display Name
• Description

Minimum Plugin Version: 1.0.0

Input

• text: the title of the table

• groups: any number of SecurityGroups

Output

Nothing is outputted by this action.

Example

- azure_ad.security_groups.get_all:
  load:
    client: azure_client
  save: groups

- azure_ad.security_groups.display:
    text: All Groups
  load:
    groups: groups

azure_ad.security_groups.

get_all

Get all security groups.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

Output

A list of SecurityGroups.

Example

- azure_ad.security_groups.get_all:
  load:
    client: azure_client
  save: groups

azure_ad.security_groups.

get_by_display_name

Get all security groups with the supplied display name.

Display names are not unique, so this action always outputs a list of security groups.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

• display_name: the SecurityGroup display name

Output

A list of SecurityGroups.

Example

- azure_ad.security_groups.get_by_display_name:
  load:
    display_name: group.display_name
    client: azure_client
  save: search_result

azure_ad.security_groups.

get_by_id

Get the group with the supplied group ID.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

• group_id: the SecurityGroup ID

Output

A single SecurityGroup.

Example

- azure_ad.security_groups.get_by_id:
  load:
    group_id: group.id
    client: azure_client
  save: group

azure_ad.security_groups.

get_groups

Get security groups directly in the supplied group.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

• group_id: a SecurityGroup ID

Output

A list of SecurityGroups.

Example

- azure_ad.security_groups.get_groups:
  load:
    group_id: selected_group.id
    client: azure_client
  save: groups

azure_ad.security_groups.

get_interactive

Allow the task operator to search for & select a Security Group interactively.

Minimum Plugin Version: 1.1.0

Input

• client: an AzureClient

Output

A single Security Group.

Automatic Wildcards

When using this action all provided search terms will have a wildcard appended.

Example

- azure_ad.security_groups.get_interactive:
  load:
    client: azure_client
  save: group

azure_ad.security_groups.

get_users

Get users directly in the supplied group.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

• group_id: a SecurityGroup ID

Output

A list of Users.

Example

- azure_ad.security_groups.get_users:
  load:
    group_id: selected_group.id
    client: azure_client
  save: users

azure_ad.security_groups.

remove_member

Remove a member from a group.

Members can be Users or SecurityGroups.

If the member is not already in the group, nothing will be modified & the action will succeed.

Minimum Plugin Version: 1.0.0

Required API Permissions

Input

• client: an AzureClient

• group_id: a SecurityGroup ID

• member_id: a User or SecurityGroup ID

Output

Nothing is outputted by this action.

Example

- azure_ad.security_groups.remove_member:
  load:
    group_id: selected_group.id
    member_id: selected_user.id
    client: azure_client

azure_ad.security_groups.

select

Display groups in a table & prompt the task operator to make a selection.

The table will have the following columns:

• Display Name
• Description

Minimum Plugin Version: 1.0.0

Input

• text: the title of the table

• groups: any number of SecurityGroups

• minimum: the minimum number of selections

• maximum: the maximum number of selections

Output

A Selection containing:

• total: the number of selected SecurityGroups

• all: a list of selected SecurityGroups

• first: the first selected SecurityGroups

Example

- azure_ad.security_groups.get_all:
  load:
    client: azure_client
  save: groups

- azure_ad.security_groups.select:
    text: Select Groups
  load:
    groups: groups
  save: selection

azure_ad.security_groups.

select_one

Display groups in a table & prompt the task operator to select one.

The table will have the following columns:

• Display Name
• Description

Minimum Plugin Version: 1.0.0

Input

• text: the title of the table

• groups: any number of SecurityGroups

Output

A single SecurityGroup.

Example

- azure_ad.security_groups.get_all:
  load:
    client: azure_client
  save: groups

- azure_ad.security_groups.select_one:
    text: Select a Group
  load:
    groups: groups
  save: group

azure_ad.security_groups.

update

Update one or more attributes for a security group.

Minimum Plugin Version: 1.0.0

Required API Permissions

Mail-Enabled Security Groups

This action does not support mail-enabled security groups.

See here for more information.

Input

• client: an AzureClient

• group_id: the SecurityGroup ID

• attributes: a dictionary of attribute names & values to set

Valid Attributes

See this Microsoft article for a list of user attributes.

This action will fail if any invalid attributes are supplied.

Output

Nothing is outputted by this action.

Example

- azure_ad.security_groups.update:
    attributes:
      displayName: New Display Name
  load:
    group_id: group.id
    client: azure_client