Get transitive members

wipash · wipash · commit 49941b7de300 · 2022-07-14T13:29:51.000+12:00
diff --git a/README.md b/README.md
@@ -69,7 +69,8 @@ The following can be useful if you have multple Azure ADs or limitations in scop
 | AADGroupScopingConfig       | 2         | Additional info required to determine groups (filter etc.)  | id eq '<objectid>'                  |
 | GroupDeprovisioningMethod   | Yes       | Determines what to do when source AAD group is deleted      | Delete / ConvertToDistributionGroup / PrintWarning / DoNothing |
 | ADGroupNamePattern          | No        | Format string for AD group name, {0} = displayName from AAD, {1} = objectId from AAD, {2} = mailNickname from AAD | {0} ({1}) |
-| Environment			| No        | Azure Environment (default to AzurePublic)                  | AzureCloud / AzureUSGovernment	    |
+| Environment                 | No        | Azure Environment (default to AzurePublic)                  | AzureCloud / AzureUSGovernment	    |
+| TransitiveMembers           | No        | Retrieves a flat list of members from all child groups of the AAD group | true                    |
 
 1. If AuthenticationMethod is ClientCredentials
 2. If AADGroupScopingMethod is GroupMemberOfGroup or AADGroupScopingConfig
@@ -193,4 +194,4 @@ PAM bastion forest support using the AD optional feature for PAM and msDS-Shadow
 ```
 $of = get-ADOptionalFeature -filter "name -eq 'privileged access management feature'"
 Enable-ADOptionalFeature $of -scope ForestOrConfigurationSet -target ((Get-ADForest).RootDomain)
-```
+```
diff --git a/Run.ps1 b/Run.ps1
@@ -95,8 +95,12 @@ $ErrorActionPreference = "Continue" # No need to fail hard anymore. This reduces
 Write-Verbose "Processing all memberships"
 Foreach($ScopedGroup in $ScopedGroups) {
     Write-Verbose " - Processing group '$($ScopedGroup.displayName)' ($($ScopedGroup.id))"
-    $Members = Get-GraphRequestRecursive -Url "$($graphEndpoints.GraphUrl)/v1.0/groups/$($ScopedGroup.id)/members?`$select=id,userType,displayName,userPrincipalName,onPremisesDistinguishedName,onPremisesImmutableId" -AccessToken $AccessToken
-    
+    if ($Config.TransitiveMembers -eq 'true') {
+        $Members = Get-GraphRequestRecursive -Url "$($graphEndpoints.GraphUrl)/v1.0/groups/$($ScopedGroup.id)/transitiveMembers/microsoft.graph.user?`$count=true&`$select=id,userType,displayName,userPrincipalName,onPremisesDistinguishedName,onPremisesImmutableId" -AccessToken $AccessToken -AdditionalHeaders @{ConsistencyLevel = 'eventual' }
+    } else {
+        $Members = Get-GraphRequestRecursive -Url "$($graphEndpoints.GraphUrl)/v1.0/groups/$($ScopedGroup.id)/members?`$select=id,userType,displayName,userPrincipalName,onPremisesDistinguishedName,onPremisesImmutableId" -AccessToken $AccessToken
+    }
+
     # Get all onPremisesDistinguishedName values from AAD, which should be our correct list
     $ExpectedADMembers = $Members | 
         Where-Object onPremisesDistinguishedName | 
