AgentSkillsCN

querying-azure-ad

使用 Azure CLI 查询 Azure AD/Entra ID 的用户与组。适用于列出用户、搜索组、检查成员关系,或排查 Azure AD 操作中的疑难问题时使用。

SKILL.md
--- frontmatter
name: querying-azure-ad
description: Queries Azure AD/Entra ID users and groups using Azure CLI. Use when listing users, searching groups, checking memberships, or troubleshooting Azure AD operations.

Azure AD/Entra ID Operations

Reference documentation for querying Azure AD users and groups via Azure CLI.

Prerequisites

Verify Azure CLI authentication before any operation:

bash
az account show --query "{name:name, user:user.name, tenantId:tenantId}" -o table

Quick Reference

User Queries

bash
# List all users (table format)
az ad user list --query "[].{name:displayName, mail:mail, type:userType}" -o table

# Find specific user
az ad user show --id "user@example.com" -o table

# Filter guest users
az ad user list --filter "userType eq 'Guest'" -o table

# Search by name prefix
az ad user list --filter "startswith(displayName,'John')" -o table

# Count users
az ad user list --query "length(@)"

Group Queries

bash
# List all groups
az ad group list --query "[].{name:displayName, type:securityEnabled}" -o table

# Get group members
az ad group member list --group "GroupName" --query "[].{name:displayName, mail:mail}" -o table

# Get user's groups
az ad user get-member-groups --id "user@example.com" -o table

# Check membership
az ad group member check --group "GROUP_ID" --member-id "USER_ID"

Group Management

bash
# Add user to group (requires object IDs)
USER_ID=$(az ad user show --id "user@example.com" --query "id" -o tsv)
GROUP_ID=$(az ad group show --group "GroupName" --query "id" -o tsv)
az ad group member add --group "$GROUP_ID" --member-id "$USER_ID"

OData Filter Syntax

FilterExample
Equals"mail eq 'user@example.com'"
Starts with"startswith(displayName,'J')"
User type"userType eq 'Guest'"
Enabled"accountEnabled eq true"
Security groups"securityEnabled eq true"

Important: OData functions are case-sensitive. Use startswith, not StartsWith.

Output Formats

FormatFlagUse Case
Table-o tableHuman readable
JSON-o jsonFull details
TSV-o tsvSingle values for variables

JMESPath Queries

bash
# Select specific fields
--query "[].{name:displayName, email:mail}"

# Filter in query
--query "[?userType=='Guest']"

# Count results
--query "length(@)"

Required Permissions

OperationMinimum Role
List users/groupsDirectory Readers
Add to groupGroups Administrator
Invite guestsGuest Inviter

Error Handling

ErrorCauseSolution
Authorization_RequestDeniedInsufficient permissionsRequest Directory Readers role
Request_ResourceNotFoundUser/group not foundVerify spelling, use object ID
Request_BadRequestInvalid filterCheck OData syntax, use lowercase functions

Guest User Invitation

Invite external users to your tenant using the /ag1:invite command.

Usage

bash
# Invite a guest user
/ag1:invite user@external.com

# Or use the script directly with options
uv run ${CLAUDE_PLUGIN_ROOT}/skills/azure-ad/scripts/invite_guest.py invite --email user@external.com

# With custom options
uv run ${CLAUDE_PLUGIN_ROOT}/skills/azure-ad/scripts/invite_guest.py invite \
  --email user@external.com \
  --redirect-url "https://myapp.com" \
  --message "Welcome to our organization!"

# Check authentication status
uv run ${CLAUDE_PLUGIN_ROOT}/skills/azure-ad/scripts/invite_guest.py check

Required Permissions

OperationPermissionRole
Invite guestsUser.Invite.AllGuest Inviter

Script Options

OptionDescriptionDefault
--emailEmail address to invite (required)-
--redirect-urlURL after accepting invitationhttps://myapps.microsoft.com
--send-email/--no-send-emailSend invitation emailYes
--messageCustom message in invitationNone
--jsonOutput as JSONNo

Reference Files

For detailed documentation: