AgentSkillsCN

azure-ad

Azure AD/Entra ID operations, including user queries, group management, and inviting external guests. Use it to list users, search groups, check memberships, invite external guests, or troubleshoot Azure AD problems.

SKILL.md
---
name: azure-ad
description: Azure AD/Entra ID operations including user queries, group management, and guest invitation. Use for listing users, searching groups, checking memberships, inviting external guests, or troubleshooting Azure AD.
---

Azure AD/Entra ID Operations

IMPORTANT: Intent Detection

Parse user input to determine intent:

| User Input | Intent | Action |
|---|---|---|
| help, how to invite, usage, format | Help | Respond with usage info below |
| Contains email + invite intent | Execute | Run invite script |
| Query about users/groups | Query | Use az CLI commands |

Guest User Invitation (/invite)

Invite external users to the Azure AD tenant, optionally adding them to AD groups and provisioning OSDU preshipping access.

Usage

```text
/invite user@company.com
/invite user@company.com --groups "Group1,Group2"
/invite user@company.com --groups "Group1" --preshipping
/invite user@company.com --like existing@company.com
```

Examples

| Command | What It Does |
|---|---|
| `/invite john.doe@email.com` | Invite to tenant only |
| `/invite john.doe@email.com --groups "AzOSDUPreshipReaders"` | Invite and add to AD group |
| `/invite john.doe@email.com --groups "AzOSDUPreshipReaders,ExternalUsers" --preshipping` | Full setup: tenant + groups + OSDU |
| `/invite new@email.com --like existing@email.com` | Copy AD groups from existing user |
| `/invite user@company.com --dry-run` | Preview without making changes |

Options

| Option | Description |
|---|---|
| `--groups "G1,G2"` | Add to these AD groups (comma-separated) |
| `--preshipping` | Also provision OSDU preshipping access |
| `--like EMAIL` | Copy AD groups from an existing user |
| `--dry-run` | Preview without making changes |

Workflow

  1. Run /audit <company> to see how existing users are set up
  2. Note their AD groups and whether they have preshipping access
  3. Run /invite with the same setup for new users

Common AD Groups

| Group | Purpose |
|---|---|
| AzOSDUPreshipReaders | OSDU preshipping read access |
| AzOSDUPreshipEditors | OSDU preshipping edit access |
| ExternalUsers | Standard external user group |

AI Execution (Internal)

When user requests an invite (not help), run:

```bash
uv run .claude/skills/azure-ad/scripts/invite.py invite \
  --email "EMAIL" \
  [--groups "GROUP1,GROUP2"] \
  [--preshipping] \
  [--like "EXISTING_EMAIL"] \
  [--dry-run]
```
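The intent table above and the invite command it leads to can be implemented as a small parser. The following is an added example written for this page; it is not part of the skill and not the code of `invite.py`, which is not shown here. The keyword patterns used to recognise "help" and "invite" intent are constructed assumptions (the skill leaves that reading to the model); the script path is the one from the command above. The point worth copying is that the email and option values are validated against the usage format and then handed to the script as an argument list, never interpolated into a shell string.

```python
"""Intent detection and /invite parsing for the azure-ad skill (added example)."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Keyword patterns are constructed for this example; the skill itself leaves the
# reading of user intent to the model rather than to a fixed vocabulary.
HELP_RE = re.compile(r"\b(help|usage|format)\b|how to invite", re.IGNORECASE)
INVITE_RE = re.compile(r"\b(invite|onboard)\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Script path taken from the skill's own "AI Execution" command.
INVITE_SCRIPT = ".claude/skills/azure-ad/scripts/invite.py"


@dataclass
class InvitePlan:
    email: str
    groups: List[str] = field(default_factory=list)
    preshipping: bool = False
    like: Optional[str] = None
    dry_run: bool = False


def detect_intent(text: str) -> str:
    """Classify input as 'help', 'execute' or 'query', in the order of the intent table."""
    if HELP_RE.search(text):
        return "help"
    if EMAIL_RE.search(text) and INVITE_RE.search(text):
        return "execute"
    return "query"


def parse_invite(command: str) -> InvitePlan:
    """Turn a '/invite EMAIL [options]' line into a validated InvitePlan."""
    tokens = shlex.split(command)
    if tokens and tokens[0] == "/invite":
        tokens = tokens[1:]
    if not tokens or not EMAIL_RE.fullmatch(tokens[0]):
        raise ValueError("first argument must be the guest's email address")
    plan = InvitePlan(email=tokens[0])

    def value_after(i: int) -> str:
        # Options that take a value must be followed by one that is not another option.
        if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
            raise ValueError(f"{tokens[i]} requires a value")
        return tokens[i + 1]

    i = 1
    while i < len(tokens):
        opt = tokens[i]
        if opt == "--groups":
            plan.groups = [g.strip() for g in value_after(i).split(",") if g.strip()]
            i += 2
        elif opt == "--like":
            like = value_after(i)
            if not EMAIL_RE.fullmatch(like):
                raise ValueError("--like expects an email address")
            plan.like = like
            i += 2
        elif opt == "--preshipping":
            plan.preshipping = True
            i += 1
        elif opt == "--dry-run":
            plan.dry_run = True
            i += 1
        else:
            raise ValueError(f"unknown option: {opt}")
    return plan


def build_argv(plan: InvitePlan) -> List[str]:
    """Argument list for the skill's invite command; pass it to subprocess.run without shell=True."""
    argv = ["uv", "run", INVITE_SCRIPT, "invite", "--email", plan.email]
    if plan.groups:
        argv += ["--groups", ",".join(plan.groups)]
    if plan.preshipping:
        argv.append("--preshipping")
    if plan.like:
        argv += ["--like", plan.like]
    if plan.dry_run:
        argv.append("--dry-run")
    return argv


if __name__ == "__main__":
    line = '/invite john.doe@email.com --groups "AzOSDUPreshipReaders,ExternalUsers" --preshipping --dry-run'
    print(detect_intent(line))
    print(" ".join(shlex.quote(a) for a in build_argv(parse_invite(line))))
```

Unknown options and values that look like options are rejected rather than passed through, so a malformed line fails before anything reaches the script; `--dry-run` survives into the argument list, so the preview behaviour in the options table still works.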

Output Presentation

Present the script output directly to the user. Do NOT summarize.


Azure AD Queries

Prerequisites

Verify Azure CLI authentication:

```bash
az account show --query "{name:name, user:user.name, tenantId:tenantId}" -o table
```

User Queries

```bash
# List all users
az ad user list --query "[].{name:displayName, mail:mail, type:userType}" -o table

# Find specific user
az ad user show --id "user@example.com" -o table

# Filter guest users
az ad user list --filter "userType eq 'Guest'" -o table

# Search by name prefix
az ad user list --filter "startswith(displayName,'John')" -o table
```

Group Queries

```bash
# List all groups
az ad group list --query "[].{name:displayName, type:securityEnabled}" -o table

# Get group members
az ad group member list --group "GroupName" --query "[].{name:displayName, mail:mail}" -o table

# Get user's groups
az ad user get-member-groups --id "user@example.com" -o table
```

Group Management

```bash
# Add user to group
USER_ID=$(az ad user show --id "user@example.com" --query "id" -o tsv)
GROUP_ID=$(az ad group show --group "GroupName" --query "id" -o tsv)
az ad group member add --group "$GROUP_ID" --member-id "$USER_ID"
```
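When the name prefix or group name in the queries above comes from user input, the value ends up inside an OData `$filter` literal, where a stray single quote breaks the filter (the `Request_BadRequest` case in the error table) or changes its meaning. The following added example, which is not part of the skill, builds the same `az` queries as argument lists with the OData literal escaped (a single quote inside a literal is doubled), and shows two checks an operator runs on the membership output: listing the external (`Guest`) members of a group, and confirming that an invited address actually landed in the group. The `--query` projection that includes `type:userType` is my own addition, as is the constructed membership sample; `run_az` is provided for real use but is not called by the sample, so the block runs offline.

```python
"""az CLI query helpers with OData literal escaping and membership checks (added example)."""
import json
import subprocess
from typing import Any, Dict, List


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter; a single quote inside the value is doubled."""
    return "'" + value.replace("'", "''") + "'"


def user_prefix_argv(prefix: str) -> List[str]:
    """Same query as the skill's 'Search by name prefix' command, with the prefix escaped."""
    return ["az", "ad", "user", "list",
            "--filter", f"startswith(displayName,{odata_literal(prefix)})",
            "--query", "[].{name:displayName, mail:mail, type:userType}",
            "-o", "json"]


def group_members_argv(group: str) -> List[str]:
    """Members of a group (display name or object id); projection is this example's own."""
    return ["az", "ad", "group", "member", "list", "--group", group,
            "--query", "[].{name:displayName, mail:mail, type:userType}",
            "-o", "json"]


def run_az(argv: List[str]) -> Any:
    """Run az as an argument list (never shell=True) and parse its JSON output."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def guest_members(members: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """External (userType == 'Guest') members of a group."""
    return [m for m in members if m.get("type") == "Guest"]


def missing_members(expected_mails: List[str], members: List[Dict[str, Any]]) -> List[str]:
    """Expected addresses that do not appear in the membership list (case-insensitive)."""
    present = {(m.get("mail") or "").lower() for m in members}
    return [mail for mail in expected_mails if mail.lower() not in present]


# Constructed sample in the shape az prints for the projection above; not real tenant data.
SAMPLE_MEMBERS: List[Dict[str, Any]] = json.loads("""[
  {"name": "Alice Example",    "mail": "alice@partner.example", "type": "Guest"},
  {"name": "Bob Internal",     "mail": "bob@contoso.example",   "type": "Member"},
  {"name": "Carol Contractor", "mail": null,                    "type": "Guest"}
]""")

if __name__ == "__main__":
    print(user_prefix_argv("O'Brien"))
    for m in guest_members(SAMPLE_MEMBERS):
        print("guest:", m["name"], m["mail"])
    print("missing:", missing_members(["alice@partner.example", "dave@partner.example"], SAMPLE_MEMBERS))
```

`missing_members` tolerates guests whose `mail` attribute is empty (Carol in the sample) instead of raising, which is common for freshly invited accounts; the check then reports the address as missing rather than silently matching it.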

Required Permissions

| Operation | Minimum Role |
|---|---|
| List users/groups | Directory Readers |
| Add to group | Groups Administrator |
| Invite guests | Guest Inviter |

Error Handling

| Error | Cause | Solution |
|---|---|---|
| `Authorization_RequestDenied` | Insufficient permissions | Request Directory Readers role |
| `Request_ResourceNotFound` | User/group not found | Verify spelling, use object ID |
| `Request_BadRequest` | Invalid filter | Check OData syntax |

Reference Files