如何将 AD 组与 Azure AD 组进行比较，如果不同则删除成员

Question

i would like to compare 2 groups and removes members from Azure AD Group if its different, but im having an error. Can someone tell me what im doing wrong?

$membersofAzureADGroup = Get-AzureADGroup -Searchstring Test_Group | Get-AzureADGroupmember | Select Userprincipalname

$membersofADGroup = Get-ADGroupmember "Groupe_A" | Get-ADUser -properties Userprincipalname | Select UserPrincipalName

$RemoveUsers = Compare-Object -ReferenceObject $membersofAzureADGroup -DifferenceObject $membersofADGroup -PassThru | Where SideIndicator -eq "<="

Remove-AzureADGroupMember $RemoveUsers -Members $membersofAzureADGroup

Remove-AzureADGroupMember: Cannot find a positional parameter that accepts the argument "@{UserPrincipalName=user@domain.com;SideIndicator=<=}"

I tried this below but still not working...

Remove-AzureADGroupMember $RemoveUsers -MemberID (Get-AzureADUser | where {$_.Userprincipalname -eq $MembersOfGroup1}).ObjectID

Answer 1

I don't have AD or Azure AD, but I followed the principles of your issue and tested the following locally on my computer. See Below

Why you fail is because your $RemoveUsers variable is wrong. I'd be surprised if you've not looked at what is being presented from it.

Why It Doesn't Work

$RemoveUsers = Compare-Object -ReferenceObject $membersofAzureADGroup -DifferenceObject $membersofADGroup -PassThru | Where SideIndicator -eq "<="

Compare Groups On A Local Computer Test

## Step 1 - Place both groups into variables
$Group1 = get-localgroup -Name Administrators | Get-LocalGroupMember | Select Name
$Group2 = get-localgroup -Name Test | Get-LocalGroupMember | Select Name
## Step 2 - See All Output 
$compare = Compare-Object -ReferenceObject $Group1 -DifferenceObject $Group2 -property name -passthru -IncludeEqual
## Step 3 See Only Difference in reference (source) object and select InputObject
$DifferenceInSource = (Compare-Object -ReferenceObject $Group1 -DifferenceObject $Group2 | Where SideIndicator -eq "<=" | Select -ExpandProperty InputObject)
## Step 4 Pull Out Names
$DifferenceInSourceName = $DifferenceInSource.Name
## Split WorkGroup and Account
$SplitName = $DifferenceInSourceName.Split('\')
## Step 5 Test To See If Account Resolves
Get-LocalUser -name $SplitName[1]

Obviously you then structure around a ForEach statement to make the update on multiple references.

Answer 2

Removing users that are members of an Azure AD Group but are not a member of an Active Directory Group would require filtering and for that you definitely not need Compare-Object .

Since you're trying to find elements of an array that do not exist on another array, Where-Object or .Where(..) method should be more than enough.

$ErrorActionPreference = 'Stop'

$azGName = 'Test_Group'
$adGName = 'Test_Group'

$azGroup = Get-AzureADGroup -Searchstring $azGName
$azMembers = Get-AzureADGroupmember $azGroup
$adMembers = (Get-ADGroupMember $adGName).Where({
    $_.ObjectClass -eq 'user'
}).UserPrincipalName
# NOTE: Piping Get-ADUser to Get-ADGroupMember will get in trouble whenever
#       there is a member that is not of the objectclass 'user'.

# Members of AZ Group that are not members of AD Group
$azMembers.Where({$_ -notin $adMembers.UserPrincipalName}).ForEach({
    "Removing $_ from $azGName"
    try
    {
        Remove-AzureADGroupMember -ObjectId $azGroup.ObjectId -MemberId $_.ObjectId
    }
    catch
    {
        Write-Warning $_.Exception
    }
})