Using a Service Principal to get all Entra ID Group Members into a JSON File using a Python Notebook

Sometimes it is useful to get all Group Members into a JSON file so that it can be used for reporting purposes.

Reference Notebook: Get Entra ID Group Members – Power BI

In the steps below I will show you how I did this using a Notebook.

The first part is where I needed to set up and configure the Service Principal Permissions.

The second part is where I am using my Notebook to query and extract the data to a JSON file in my Lakehouse.

Service Principal Permissions

I am using my existing Power BI Service Principal, where I will then add the permissions required to query Entra ID Group and group members.

NOTE: To complete the steps below I had to log in with Admin permissions in Azure to grant the required permissions.

  • I logged into the Azure Portal, then went into my Service Principal permissions.
  • I then clicked on API Permissions.
  • I then clicked on Add a permission
  • Next, I clicked on Microsoft Graph and selected Delegated permissions
  • I then selected the following API permissions as shown below.
    • NOTE: You can search for the permissions.
    • Which were
      • Group.Read.All
      • GroupMember.Read.All
      • User.Read.All
  • I then had to click on the Grant admin consent for fourmoo.com
  • Once that was completed, I could then see my permissions were successfully granted

Next, I had to grant permission for my service principal to get the Directory Readers role.

NOTE: If this role is not added the later steps will fail due to not having enough privileges.

  • In Entra ID click on “Roles and administrators”
  • Then search for and select “Directory Readers”
  • Then click on Add assignments
  • As in my example, when I looked at the list of users I could not see my service principal. I had to search for it as shown below.
  • I then clicked on Add.
  • Once completed I could then see it in the Directory Readers role

Python Code to get all group members from all groups

The code below was created by ChatGPT, where I modified it to save the JSON file into my Lakehouse Files section.

I am going to explain the pieces of code I think are important below.

I will also have a link to the notebook where you can download the notebook to run in your own Fabric environment.

Fabric/BLOG – Entra ID All Group Members.ipynb at main · GilbertQue/Fabric (github.com)

  • The first part is where I am getting the credentials from my Key Vault.
  • In the next code cell there are 2 areas that you might want to change.
  • LINE 60:
    • Here I wanted to add the jobTitle and companyName attributes from Entra ID so I added them in.
  • LINE 72:
    • This is the location where I wanted to save the JSON file to in my Lakehouse where I created the folder.
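The extraction these cells describe, as an added example that is not the code from the linked notebook: it pages through the Microsoft Graph v1.0 `/groups` and `/groups/{id}/members` collections, requests jobTitle and companyName for each member, and writes one record per group/member pair. The function names, the record layout and the output path are assumptions, and the access token for the service principal is assumed to have been obtained separately.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Attributes requested per member; jobTitle and companyName are the two the post adds.
MEMBER_FIELDS = "id,displayName,userPrincipalName,jobTitle,companyName"


def graph_getter(token):
    """Return get_json(url) that calls Microsoft Graph with a bearer token.
    Assumption: the caller already holds `token` for the service principal."""
    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get_json


def paged(get_json, url):
    """Yield every item of a Graph collection, following @odata.nextLink."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def collect_group_members(get_json):
    """Build one flat record per (group, direct member) pair for reporting."""
    rows = []
    for group in paged(get_json, f"{GRAPH}/groups?$select=id,displayName"):
        members_url = f"{GRAPH}/groups/{group['id']}/members?$select={MEMBER_FIELDS}"
        for m in paged(get_json, members_url):
            rows.append({
                "groupId": group["id"],
                "groupName": group.get("displayName"),
                "memberId": m.get("id"),
                # "#microsoft.graph.user" -> "user"; nested groups show up as "group"
                "memberType": m.get("@odata.type", "").rsplit(".", 1)[-1],
                "displayName": m.get("displayName"),
                "userPrincipalName": m.get("userPrincipalName"),
                "jobTitle": m.get("jobTitle"),
                "companyName": m.get("companyName"),
            })
    return rows


def save_json(rows, path):
    """Write the records to `path` (hypothetical, e.g. a Lakehouse Files folder)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(rows, fh, indent=2)
    return len(rows)
```

Members come back as directory objects, so a nested group or a service principal appears as its own row with its memberType set and the user-only fields empty; the listing covers direct members only.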

This is what it looks like when I run the notebook.


Summary

In this blog post I have shown you how to configure your Service Principal so that it will be able to read the Entra ID Group and associated members. You can then download the JSON file to your Lakehouse, which can be later used for reporting or analysis in your Lakehouse or in a Power BI Semantic Model.

Thanks for reading, I hope you found this helpful!