IntegrationHub - MS AD Spoke - Distribution Group Permissions

TJ29
Tera Contributor

Hi

I have a flow that processes the removal of AD groups; it is the reverse of another flow we have for providing access to the same AD groups. It checks if you are a member and then removes/adds to the group if required.

I'm having trouble with the 'Is User In Group' action when running against a Distribution Group type. Are there any specific or more granular permissions required to query a group of this type? Journey notes below. The issue with this not working correctly is that it won't run the removal if it reports back that the user is not in the group. We want this check in there so we are only running actions if they need to be.

Security Group Type
Add User To Group - executes fine, user is enrolled into group
Is User In Group - executes fine, reports correct status
04/14/22 11:26:46 (984) Gobbling stdout: Powershell is executing... Gobbled: User is Member of group
Remove User From Group - executes fine, user is removed from group

Distribution Group Type
Add User To Group - executes fine, user enrolled into group
Is User In Group - executes fine, reports incorrect status
04/14/22 11:19:56 (917) Gobbling stdout: Powershell is executing... Gobbled: User is not in group
Remove User From Group - executes fine, user is removed from group

Thanks in advance. 

Taylor

Richard Hine
Tera Guru

TJ,

'Is User in Group' is a single Flow Action that seems to have no concept of group type.

It invokes MID Server Script File \ADSpoke\ActionIsUserFromGroup.ps1 which also has no concept of group type.

The 'User is not in group' and 'User is Member of group' come directly from the PowerShell script itself.

I would be looking to see the step outputs from the use of 'Is User in Group' action, particularly the Status and Answer outputs and potentially any error messages.

The action itself should output an Answer of True/False and a Status of Error/Success.

I'm afraid I don't completely understand your issue based on the output above, but my guess would be that you are encountering an issue with the Post Processing Step in the action itself causing the incorrect status to be reported.

Happy to try and help more if you can provide more information from the FD Action itself.

Richard

Hi Richard

Thanks for the reply. I've reached out to HI too and am currently working with them.

It looks like the logic in the script is not detecting the membership when the group type is Distribution Group.

Below is the Post Processing, no errors etc.

[Image: screenshot of the Post Processing step]

I think the next steps will be to run a script locally on the MID with the service account responsible for the AD integration to see the output.
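
One way to run the local check mentioned in the last post, as an added example that is not from the thread and is not the spoke's ActionIsUserFromGroup.ps1. It reports the group's category and compares three read-only membership lookups, so a difference between Security and Distribution groups shows up per lookup method. The function name and parameters are hypothetical; it assumes the ActiveDirectory PowerShell module is installed on the MID Server host and that the session runs as the AD integration service account.

```powershell
# Added diagnostic example (hypothetical helper, read-only queries only).
# Run in a session started as the AD integration service account.
function Test-AdGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $UserSam,   # sAMAccountName of the user to test
        [Parameter(Mandatory)] [string] $GroupName  # group name, sAMAccountName or DN
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $group = Get-ADGroup -Identity $GroupName -Properties member
    $user  = Get-ADUser  -Identity $UserSam   -Properties memberOf

    # 1. Direct membership read from the group's 'member' attribute.
    $viaMember = $group.member -contains $user.DistinguishedName

    # 2. Direct membership read from the user's 'memberOf' back-link.
    #    (memberOf never lists the user's primary group.)
    $viaMemberOf = $user.memberOf -contains $group.DistinguishedName

    # 3. Nested membership via recursive expansion; errors are reported,
    #    not swallowed, so a permissions problem is visible in the output.
    try {
        $hit = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
        $viaRecursive = [bool]$hit
    } catch {
        $viaRecursive = "error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        RunningAs     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Group         = $group.DistinguishedName
        GroupCategory = $group.GroupCategory   # Security or Distribution
        GroupScope    = $group.GroupScope
        ViaMember     = $viaMember
        ViaMemberOf   = $viaMemberOf
        ViaRecursive  = $viaRecursive
    }
}

# Placeholders: substitute one Security and one Distribution group to compare.
# Test-AdGroupMembership -UserSam '<user>' -GroupName '<security-group>'
# Test-AdGroupMembership -UserSam '<user>' -GroupName '<distribution-group>'
```

If all three lookups return True for the Distribution group under the service account, read permissions on the group are not the cause and the difference lies in how the action's script performs its check.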