The Get-AzureADGroup command comes with a filtering function just like, e.g., Get-ADGroup.
But if you’re expecting the power of the Get-ADGroup LdapFilter switch or the PowerShell expression language Filter switch, then you’re in for a sad surprise…
The Get-AzureADGroup filter is overly complex and lacks a lot of functionality.
Unfortunately, in most cases, your better option is to retrieve all user accounts and perform the filtering locally.
The below sections will demonstrate some uses of the Get-AzureADGroup Filter options.
To bring an end to the constant googling for PowerShell commands altogether, have a look at Easy365Manager:
Easy365Manager is a snap-in to Active Directory Users & Computers that consolidates Office 365 and Active Directory management.
With Easy365Manager, you can perform all daily Office 365 management directly from AD – even tasks that would typically require PowerShell, like the configuration of calendar permissions, as seen in the above example.
Review the complete Easy365Manager feature list here.
Get-AzureADGroup Filter Operators
The Filter switch of the Get-AzureADGroup command builds on oData v3.0 filtering.
This is contrary to the PowerShell expression language filter used by Get-ADGroup -Filter, which again is different from the very basis Get-MsolGroup -SearchString filter option.
For every new development team at Microsoft, there seems to be a new strategy… 🙄
The following details the basic operators available to Get-AzureADGroup filtering:
| Operator | Meaning | Sample expression |
|---|---|---|
| eq | Equal to | DisplayName eq ‘Tycho Brahe’ |
| and | And | Country eq ‘Germany’ and Department eq ‘Marketing’ |
| or | Or | Country eq ‘Germany’ or Country eq ‘France’ |
Notice that the Like filter is not available – it’s impossible to search substrings in Azure AD group attributes, which makes the use cases very limited. The same goes for the Not filter and many more.
The only type of wildcard search available is the ‘startswith’ filter.
Additionally, it’s possible to search the values of multivalue attributes using the ‘any’ filter.
Get-AzureADGroup Filter Examples
Below you’ll find some basic examples of the Get-AzureADGroup filter syntax.
Get-AzureADGroup -Filter "DisplayName eq 'Marketing'"Get-AzureADGroup -Filter "DisplayName eq 'Marketing' or DisplayName eq 'Sales'"Get-AzureADGroup -Filter "startswith(displayName,'Sales')"Get-AzureADGroup -Filter "proxyAddresses/any(p:startswith(p,'smtp:marketing'))"But as mentioned at the beginning of the article:
The use cases of the Get-AzureADGroup Filter parameter are very limited. In most cases, you’re forced to retrieve all groups and perform the filtering locally, using the PowerShell expression language filter, e.g.:
Get-AzureADGroup -All $true | Where-Object {$_.DisplayName -like "*US*"}Get-AzureADGroup -All $true | Where-Object {$_.ProxyAddresses -like "*easy365manager.com"}Although this approach may perform badly in large environments, it offers a lot more options and flexibility.