Corrections to group check in MDOThreatPolicyChecker.ps1

[rosspa05]

Incorrect lookup in groups as only one group was being checked instead of all groups. Also retrieved all members of group.

Issue:
Group-based policy evaluation could produce incorrect results by (1) failing to retrieve all members of large groups and (2) stopping evaluation after the first non‑matching group, even when additional groups were configured.

Reason:
Microsoft Graph paginates group members by default, and the script did not request all pages. Additionally, break statements on negative group‑membership checks prematurely exited the loop, preventing evaluation of subsequent groups. This caused false negatives for users who were members of later groups or large groups.

Fix:
Updated the group member retrieval to use -All so all group members are evaluated, and removed premature 2 break statements following negative group‑membership checks so all configured groups are evaluated correctly, matching MDO/EOP OR‑based group semantics.

Validation:
Tested fixed code in my test tenant and it corrects the issues and I found no other issues

[rosspa05]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Copilot]

Pull request overview

This PR fixes group-based policy evaluation in MDOThreatPolicyChecker.ps1 so that group membership is evaluated correctly across all configured groups and for large groups where Microsoft Graph pagination previously caused incomplete member retrieval.

Changes:

• Retrieve all group members from Microsoft Graph by adding -All to Get-MgGroupMember to avoid pagination-related false negatives.
• Remove two premature break statements so evaluation continues across all configured groups (OR semantics).

Comments suppressed due to low confidence (1)

M365/MDO/MDOThreatPolicyChecker.ps1:209

• Using Get-MgGroupMember -All makes Test-IsInGroup enumerate the entire group, and the current implementation then calls Get-MgUser for each user member to compare Mail. For large groups (the scenario this PR targets), this can result in thousands of Graph calls, making the script very slow and prone to throttling/timeouts. A more scalable approach is to resolve the target user’s object id once and use a membership check endpoint/cmdlet (or a transitive-members query) that avoids per-member Get-MgUser calls.

            $groupMembers = Get-MgGroupMember -GroupId $GroupObjectId -All -ErrorAction Stop
        } catch {
            Write-Host "Error getting group members for $GroupObjectId`:`n$_" -ForegroundColor Red
            return $null
        }

        # Check if the email address is in the group
        if ($null -ne $groupMembers) {
            foreach ($member in $groupMembers) {
                # Check if the member is a user
                if ($member['@odata.type'] -eq '#microsoft.graph.user') {
                    if ($member.Id) {
                        # Get the user object by Id
                        Write-Verbose "Getting user with Id $($member.Id)"
                        try {
                            $user = Get-MgUser -UserId $member.Id -ErrorAction Stop

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rosspa05]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).