
Get-AzADGroupMember no longer returns service principals #16698

@sopelt

Description

In versions prior to 7, Get-AzADGroupMember returned all members (users, groups, service principals) of a group. Starting with 7, it moved from the legacy graph.windows.net to Microsoft Graph.
This seems to be caused by a limitation that is briefly mentioned in the documentation of the REST API:

Currently service principals are not listed as group members due to staged roll-out of service principals on Graph V1.0 endpoint.

This change breaks existing PowerShell code in a dangerous way, as there are no errors/warnings but just empty/partial results that can cause wrong turns in the subsequent logic/flow.

The provided debug output only reflects the group member with "objectType": "User" but the entries with "objectType": "ServicePrincipal" are missing.

I also opened https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/2630 to get more information and maybe trigger a short-term documentation improvement.

Kind regards,
Simon

Issue script & Debug output

Get-AzADGroupMember -GroupObjectId bf6d497d-7119-4fc0-98bc-2b0da792f3da

DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: Client side pagination is enabled for this cmdlet
DEBUG: [CmdletProcessRecordAsyncStart]: Created new QosEvent for command 'Get-AzADGroupMember_List'
DEBUG: CmdletProcessRecordAsyncStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /groups/bf6d497d-7119-4fc0-98bc-2b0da792f3da/members
DEBUG: RequestCreated: /v1.0/groups/bf6d497d-7119-4fc0-98bc-2b0da792f3da/members
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/v1.0/groups/bf6d497d-7119-4fc0-98bc-2b0da792f3da/members
Headers:
ConsistencyLevel              : eventual
x-ms-unique-id                : 9
x-ms-client-request-id        : 3769ff66-caba-4446-8550-217ef4a51e74
CommandName                   : MSGraph.internal\Get-AzADGroupMember
FullCommandName               : Get-AzADGroupMember_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,PSVersion/v5.1.19041.1320,Az.Resources/0.0.0
Body:
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Transfer-Encoding             : chunked
Strict-Transport-Security     : max-age=31536000
request-id                    : 55326af0-0266-406c-8a70-cea7446d4104
client-request-id             : 55326af0-0266-406c-8a70-cea7446d4104
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF0000B276"}}
x-ms-resource-unit            : 3
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Thu, 23 Dec 2021 09:47:14 GMT
Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.user",
      "id": "REDACTED",
      "businessPhones": [
        "REDACTED"
      ],
      "displayName": "REDACTED",
      "givenName": "REDACTED",
      "jobTitle": null,
      "mail": "REDACTED",
      "mobilePhone": "REDACTED",
      "officeLocation": null,
      "preferredLanguage": "REDACTED",
      "surname": "REDACTED",
      "userPrincipalName": "REDACTED"
    }
  ]
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.Resources:0.0.0; CommandName: Get-AzADGroupMember_List; PSVersion: 5.1.19041.1320; IsSuccess: True; Duration: 00:00:00
DEBUG: Finish sending metric.
DEBUG: CmdletEndProcessing:
DisplayName Id                                   OdataType
----------- --                                   ---------
REDACTED REDACTED #microsoft.graph.user

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19041.1320
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1320
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.7.0      Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Conn...
Script     5.1.0      Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDeny...

Error output

WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use
`Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other
information on breaking changes in Azure PowerShell.
The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.
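The silent-truncation risk described in the issue can be contained by cross-checking the cmdlet output against a second Graph query before any downstream logic runs. The following wrapper is an added example, not code from the issue or from the Az module; it assumes that `Invoke-AzRestMethod -Uri` is available in the installed Az.Accounts and that the Graph beta `/members` endpoint still lists service principals (neither is stated on this page).

```powershell
# Added example (not from the issue or the Az module): enumerate group members with
# Get-AzADGroupMember, then cross-check against a reference Graph query that is
# assumed to still list service principals (the beta endpoint; an assumption).
# Anything in the reference result but absent from the cmdlet output is reported,
# so automation fails loudly instead of acting on a silently partial member list.
function Get-AzADGroupMemberVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupObjectId
    )

    $fromCmdlet = @(Get-AzADGroupMember -GroupObjectId $GroupObjectId)
    $seen = @{}
    foreach ($m in $fromCmdlet) { $seen[$m.Id] = $true }

    # Reference query; follow @odata.nextLink so large groups are fully covered.
    $uri = "https://graph.microsoft.com/beta/groups/$GroupObjectId/members?`$select=id,displayName"
    $reference = @()
    while ($uri) {
        $resp = Invoke-AzRestMethod -Uri $uri -Method GET
        if ($resp.StatusCode -ne 200) {
            throw "Reference query failed with HTTP $($resp.StatusCode): $($resp.Content)"
        }
        $page = $resp.Content | ConvertFrom-Json
        $reference += @($page.value)
        $uri = $page.'@odata.nextLink'
    }

    $missing = @($reference | Where-Object { -not $seen.ContainsKey($_.id) })
    if ($missing.Count -gt 0) {
        $types = ($missing | ForEach-Object { $_.'@odata.type' } | Sort-Object -Unique) -join ', '
        Write-Warning "Get-AzADGroupMember returned $($fromCmdlet.Count) member(s) but the reference query returned $($reference.Count); $($missing.Count) missing, of type(s): $types"
    }

    # Callers get the cmdlet output plus an explicit completeness flag to gate on.
    [pscustomobject]@{
        Members        = $fromCmdlet
        MissingMembers = $missing
        IsComplete     = ($missing.Count -eq 0)
    }
}

# Usage: refuse to act on a partial list instead of silently continuing.
$result = Get-AzADGroupMemberVerified -GroupObjectId 'bf6d497d-7119-4fc0-98bc-2b0da792f3da'
if (-not $result.IsComplete) { throw 'Group member list is incomplete; aborting.' }
```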

Labels

AAD (Az AD cmdlets in Az.Resources), Doc - Conceptual, bug (this issue requires a change to an existing behavior in the product in order to be resolved), customer-reported