Get-AzADGroupMember no longer returns service principals #16698

Closed
sopelt opened this issue Dec 23, 2021 · 13 comments · Fixed by #16744 or #17849
Labels: AAD (AzAd cmdlets in Az.Resources); bug (This issue requires a change to an existing behavior in the product in order to be resolved.); customer-reported; Doc - Conceptual

Comments

@sopelt commented Dec 23, 2021

Description

In versions prior to 7, Get-AzADGroupMember returned all members (users, groups, service principals) of a group. Starting with 7 it moved from the legacy graph.windows.net to Microsoft Graph.
This seems to be caused by a limitation that is briefly mentioned in the documentation of the REST API:

Currently service principals are not listed as group members due to staged roll-out of service principals on Graph V1.0 endpoint.

This change breaks existing PowerShell code in a dangerous way, as there are no errors/warnings but just empty/partial results that can cause wrong turns in the subsequent logic/flow.

The provided debug output only reflects the group member with "objectType": "User" but the entries with "objectType": "ServicePrincipal" are missing.

I also opened https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/2630 to get more information and maybe trigger a short-term documentation improvement.

Kind regards,
Simon

Issue script & Debug output

Get-AzADGroupMember -GroupObjectId bf6d497d-7119-4fc0-98bc-2b0da792f3da

DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: Client side pagination is enabled for this cmdlet
DEBUG: [CmdletProcessRecordAsyncStart]: Created new QosEvent for command 'Get-AzADGroupMember_List'
DEBUG: CmdletProcessRecordAsyncStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /groups/bf6d497d-7119-4fc0-98bc-2b0da792f3da/members
DEBUG: RequestCreated: /v1.0/groups/bf6d497d-7119-4fc0-98bc-2b0da792f3da/members
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/groups/bf6d497d-7119-4fc0-98bc-2b0da792f3da/members
Headers:
ConsistencyLevel              : eventual
x-ms-unique-id                : 9
x-ms-client-request-id        : 3769ff66-caba-4446-8550-217ef4a51e74
CommandName                   : MSGraph.internal\Get-AzADGroupMember
FullCommandName               : Get-AzADGroupMember_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.19041.1320,Az.Resources/0.0.0
Body:
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Transfer-Encoding             : chunked
Strict-Transport-Security     : max-age=31536000
request-id                    : 55326af0-0266-406c-8a70-cea7446d4104
client-request-id             : 55326af0-0266-406c-8a70-cea7446d4104
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0000B276"}}
x-ms-resource-unit            : 3
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Thu, 23 Dec 2021 09:47:14 GMT
Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.user",
      "id": "REDACTED",
      "businessPhones": [
        "REDACTED"
      ],
      "displayName": "REDACTED",
      "givenName": "REDACTED",
      "jobTitle": null,
      "mail": "REDACTED",
      "mobilePhone": "REDACTED",
      "officeLocation": null,
      "preferredLanguage": "REDACTED",
      "surname": "REDACTED",
      "userPrincipalName": "REDACTED"
    }
  ]
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.Resources:0.0.0; CommandName: Get-AzADGroupMember_List; PSVersion: 5.1.19041.1320; IsSuccess: True; Duration: 00:00:00
DEBUG: Finish sending metric.
DEBUG: CmdletEndProcessing:
DisplayName Id                                   OdataType
----------- --                                   ---------
REDACTED REDACTED #microsoft.graph.user

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.1320
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1320
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.7.0      Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Conn...
Script     5.1.0      Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDeny...

Error output

WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use
`Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other
information on breaking changes in Azure PowerShell.
The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.
@sopelt sopelt added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Dec 23, 2021
@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Dec 23, 2021
@dingmeng-xue (Member)

Thanks for the information. We need to update the documentation accordingly.
@VeryEarly , please look into it.

@dingmeng-xue dingmeng-xue added AAD AzAd cmdlets in Az.Resources Doc - Conceptual labels Dec 28, 2021
@VeryEarly VeryEarly linked a pull request Jan 4, 2022 that will close this issue
@VeryEarly (Contributor)

Hi Simon @sopelt

Thanks for reporting this issue. I have created a PR to improve the doc from Azure-PowerShell. This will be present in the official doc early next month.

@dcaro (Contributor) commented Jan 6, 2022

@VeryEarly @mikefrobbins we need to also add this in the migration guide.

@chris5287

This has just tripped us up on existing deployment scripts. What is the ETA of the staged rollout that will mean they will be returned in the results again?

@krispenner

@dcaro This has also broken our Azure DevOps deployment scripts that required service principals to be returned in the list. Can you provide any alternative workarounds until this is fixed?

@dcaro (Contributor) commented Jan 25, 2022

@krispenner we are working on providing a workaround in our official docs using the Invoke-AzRestMethod.

@JsAndDotNet

Just to add weight to this, it's breaking our scripts too. Have subscribed in hope of finding a resolution.

@mikefrobbins (Contributor) commented Jan 26, 2022

As a workaround, Invoke-AzRestMethod can be used with the beta version of the Microsoft Graph API.

The following example requires the Az PowerShell module. Replace myGroupName in the first line with the name of your group.

# Resolve the group by display name (replace myGroupName with your group's name)
$Group = Get-AzADGroup -DisplayName myGroupName
# Query the beta endpoint directly; the v1.0 endpoint omits service principals during the staged rollout
((Invoke-AzRestMethod -Uri "https://graph.microsoft.com/beta/groups/$($Group.id)/members").Content |
  ConvertFrom-Json).value |
  Select-Object -Property DisplayName, Id, @{label='OdataType';expression={$_.'@odata.type'}}
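
The workaround above returns only the first page of members and, like the cmdlet, gives no signal when the set it returns is smaller than expected, which is the silent-partial-result hazard the original report describes. The following is an added example, not code from this issue or from the Az module: it wraps the same Invoke-AzRestMethod call to the beta endpoint, follows @odata.nextLink pagination, and fails closed when a caller declares that service principals must be present. The function name Get-GroupMembersViaGraphBeta, its parameters and the -RequireServicePrincipals switch are this example's own; it assumes an authenticated Az session (Connect-AzAccount) with Az.Accounts loaded.

```powershell
# Added example (not part of the issue or the Az module): enumerate all members of a group
# through the Microsoft Graph beta endpoint, follow @odata.nextLink pagination, and
# fail loudly when the result is suspicious rather than silently continuing.
# Assumes an authenticated Az session (Connect-AzAccount) and the Az.Accounts module.
# The function name and parameters below are this example's own, not Az cmdlets.
function Get-GroupMembersViaGraphBeta {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupObjectId,
        # Set when the caller knows the group must contain service principals (e.g. a deployment
        # identity); an empty set is then treated as an error instead of "no members".
        [switch] $RequireServicePrincipals
    )

    $uri = "https://graph.microsoft.com/beta/groups/$GroupObjectId/members"
    $members = @()

    # Follow pagination: Graph returns one page of members plus an @odata.nextLink for the
    # next page. Stopping after the first page is another way to get a silently partial result.
    while ($uri) {
        $response = Invoke-AzRestMethod -Uri $uri -Method GET
        if ($response.StatusCode -ne 200) {
            throw "Graph request to $uri failed with HTTP $($response.StatusCode): $($response.Content)"
        }
        $page = $response.Content | ConvertFrom-Json
        $members += $page.value
        $uri = $page.'@odata.nextLink'
    }

    # Project the same three properties the cmdlet shows, keeping the directory object type.
    $result = $members | Select-Object -Property displayName, id,
        @{ label = 'OdataType'; expression = { $_.'@odata.type' } }

    $spCount = @($result | Where-Object OdataType -eq '#microsoft.graph.servicePrincipal').Count
    Write-Verbose ("Group {0}: {1} members, {2} service principals" -f $GroupObjectId, @($result).Count, $spCount)

    if ($RequireServicePrincipals -and $spCount -eq 0) {
        # Fail closed: a deployment script that expected a service principal here must not
        # proceed on an empty list, which is exactly the failure mode reported in this issue.
        throw "No service principals returned for group $GroupObjectId; refusing to continue with a possibly partial member list."
    }
    return $result
}

# Usage (replace the id with your group's object id):
# Get-GroupMembersViaGraphBeta -GroupObjectId 'bf6d497d-7119-4fc0-98bc-2b0da792f3da' -RequireServicePrincipals -Verbose
```

The -RequireServicePrincipals switch encodes the script's expectation explicitly, so a regression in what the endpoint returns becomes a thrown error at the point of retrieval instead of a wrong decision further down the deployment flow.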

@krispenner

@mikefrobbins thank you, your workaround is working for us. Is there any plan to fix Get-AzADGroupMember to behave as it did previously?

@dcaro (Contributor) commented Feb 7, 2022

Once the rollout has been completed by Microsoft Graph the cmdlet behavior will be addressed.
In the meantime, we are exploring the possibility of having a preview module that would use the beta version of the API.

@chris5287

Is there an ETA for the MS Graph rollout?

@bergmeister (Contributor)

@wyunchi-ms I don't agree with this issue being closed just because docs have been updated with this current limitation; at the minimum I want another tracking issue, because calling the Graph API is significantly slower.

@dingmeng-xue (Member)

Reopened it because the issue was closed automatically when the linked PR was merged.

@dingmeng-xue dingmeng-xue reopened this Apr 2, 2022
@dingmeng-xue dingmeng-xue added this to the Apr 2022 (2022-04-26) milestone Apr 12, 2022
@dingmeng-xue dingmeng-xue removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Apr 12, 2022
@VeryEarly VeryEarly linked a pull request Apr 19, 2022 that will close this issue
9 participants