How to get Microsoft Office 365 synced users’ group memberships with and without PowerShell
If your organization has strict policies regarding conflicts of interest or about which employees have access to what information, then you may need to report on direct and indirect group memberships. You can create a group membership report and then remove users from specific groups, as required. This will ensure that employees’ group memberships do not allow access to restricted documents or information.
Creating a report on a user’s access through group membership sounds simple enough but it gets complicated quickly if the number of memberships is very high and if there are indirect memberships due to group nesting.
This article looks at the many ways to gather this information and an easy alternative to the native tools in Microsoft 365.
How to get a user’s group memberships in the Microsoft 365 admin centers
Looking up a user’s groups in the general admin center is straightforward. However, you’ll note very quickly that there is important basic information missing. For example, you won’t know which groups are security groups, Microsoft 365 groups, Teams, or distribution groups.
And while you can add or remove group memberships from this view, you won’t be able to select and copy the list for a simple report!
Moving on to the Entra Admin Center, you have more information you can add as shown in the image below. This includes the group type (though you won’t be able to discern which are Teams!), or if a group is synced from on-premises (for hybrid tenants), or if it has dynamic membership adherence. The good news is that you can select and copy all this info. The bad news is you’ll need to ‘load more’ on account of pagination of large lists.
Note that while the Entra Admin Center may let you create a quick membership report through a simple copy/paste, indirect memberships are omitted from the list. These stem from nested groups, typically seen with legacy security groups and distribution groups.
To have a complete group accessibility report, you’ll need to query for these indirect memberships with a PowerShell script.
How to list a user’s group memberships with Microsoft Graph PowerShell
In the past, you were able to rely on the cmdlet Get-AzureADUserMembership in the Azure Active Directory PowerShell module to get a list of a user’s group memberships. These days, Microsoft is deprecating this module and encouraging PowerShell-wielding admins to use the Microsoft Graph PowerShell module instead.
For example, to list a user’s direct group memberships, you can connect to the Microsoft Graph module with the required permission scopes:
Connect-MgGraph -Scopes user.read.all, directory.read.all
Then query a user’s group memberships with the Get-MgUserMemberOfAsGroup cmdlet. For example:
Get-MgUserMemberOfAsGroup -UserId AdeleV@sygx2.onmicrosoft.com
You’ll need a script to do this for each user. Also note that you’ll need another cmdlet to get the list of transitive memberships (the groups the user belongs to indirectly).
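The script below is an added example, not code from the original article or from sapio365. It ties the two steps together for a whole list of users: it connects with the scopes shown above, pulls each user’s direct groups with Get-MgUserMemberOfAsGroup and their transitive groups with Get-MgUserTransitiveMemberOfAsGroup (the cmdlet the Microsoft Graph PowerShell SDK provides for indirect memberships), and labels every row as direct or indirect so nested memberships are not missed. It also classifies each group (security, distribution, Microsoft 365, Team) and flags on-premises-synced and dynamic groups, which is the information the admin center pages omit. The user list and the second UPN are constructed sample input; the tenant domain is the one used in the article. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Groups modules are installed and that the signed-in account has been granted the requested scopes.

```powershell
# Added example (not from the article): per-user group membership report including
# indirect (nested) memberships, built with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Users / Microsoft.Graph.Groups are installed.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' -NoWelcome

# Constructed sample input: replace with your own list, e.g. (Import-Csv .\users.csv).UserPrincipalName
$userIds = @('AdeleV@sygx2.onmicrosoft.com', 'AlexW@sygx2.onmicrosoft.com')

# Request the group properties needed to classify each group explicitly,
# so they are populated rather than left null in the returned objects.
$groupProps = 'id,displayName,groupTypes,securityEnabled,mailEnabled,onPremisesSyncEnabled,membershipRule,resourceProvisioningOptions'

function Get-GroupKind {
    # Derives a human-readable group type from the Graph group properties.
    param($Group)
    if ($Group.ResourceProvisioningOptions -contains 'Team') { return 'Team' }
    if ($Group.GroupTypes -contains 'Unified')               { return 'Microsoft 365' }
    if ($Group.SecurityEnabled -and $Group.MailEnabled)      { return 'Mail-enabled security' }
    if ($Group.SecurityEnabled)                              { return 'Security' }
    if ($Group.MailEnabled)                                  { return 'Distribution' }
    return 'Other'
}

$report = foreach ($upn in $userIds) {
    try {
        # -All follows Graph paging so large membership lists are not truncated.
        $direct     = Get-MgUserMemberOfAsGroup           -UserId $upn -All -Property $groupProps
        $transitive = Get-MgUserTransitiveMemberOfAsGroup -UserId $upn -All -Property $groupProps
    } catch {
        # Bad data in the input list (unknown UPN, typo) is reported and skipped,
        # so one bad row does not abort the whole report.
        Write-Warning "Could not resolve $upn : $($_.Exception.Message)"
        continue
    }

    # Transitive results contain the direct groups too; anything not in the
    # direct set was reached through group nesting.
    $directIds = @($direct.Id)
    foreach ($g in $transitive) {
        [pscustomobject]@{
            User         = $upn
            Group        = $g.DisplayName
            GroupType    = Get-GroupKind $g
            Membership   = if ($directIds -contains $g.Id) { 'Direct' } else { 'Indirect (nested)' }
            OnPremSynced = [bool]$g.OnPremisesSyncEnabled
            Dynamic      = -not [string]::IsNullOrEmpty($g.MembershipRule)
        }
    }
}

$report | Sort-Object User, Membership, Group | Format-Table -AutoSize
$report | Export-Csv -Path .\GroupMembershipReport.csv -NoTypeInformation
```

The Indirect rows are the ones to review for unintended access: an employee can inherit rights to a restricted resource through a legacy security or distribution group that nobody added them to directly. Reviewing the CSV before removing any memberships keeps the change auditable, and re-running the script after cleanup confirms the nested path is gone.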
If you opt to skip using PowerShell and you don’t have time to get acquainted with the Microsoft Graph APIs, check out the easy alternative, sapio365, in the next section.
The easy alternative to seeing which groups a user belongs to
Looking up group memberships from a list of users is child’s play with sapio365 whether there’s ten users or thousands! You can even use an Excel file to select or filter for everyone on your list without missing anyone. If there’s a mismatch due to bad data in the file, sapio365 will save a list for you so that you can process those accounts later.
Another example is if you’re looking for a membership report on users who meet specific criteria (e.g. users in the sales department) because the list changes all the time. sapio365 can isolate these users automatically based on the custom view you create.
Create and save a dynamic custom view
Starting with the full list of users, whether you select them manually or by applying a filter (the department field is used here), you can isolate your users with a few clicks.
Save this view if you want to look up these users again at a later time.
Get everyone’s group memberships with a single click
Once you’ve isolated your users, you’re just a click away from getting their group memberships. For each user, you’ll see important information on the groups they belong to:
- What type of group it is
- If the membership is direct or not
- If the group is synced from on-premises Active Directory (hybrid tenant)
You can also enrich this view with more group and user properties that can help in making decisions. For example, you can include users’ job title, their last sign-in date and their current sign-in status. And for groups, you can show if they are used for license assignments, whether they are dynamic and their creation date (see image below).
Visually preview target memberships before removing them
Now that you’ve retrieved everyone’s group memberships, you just need to select the groups you’d like to remove the users from, again, with just one click.
If you’re not sure about the changes you’re applying, don’t worry! You’ll get to preview the changes—and undo them—before committing them.
Conclusion
When compared with the admin portal or using PowerShell scripts, reporting on users’ group memberships is easy to do with sapio365. This admin tool gives you a full view of all your users in one place. With this view, you can drill down into the details you need, sort and organize the information using the filters it offers. And for added security, you can preview your changes before you apply them. Once you have the data organized the way you want it, you can save your customized views for the next time you need to run the same reports or schedule the report to run however often you want.
sapio365 has a lot of capabilities that can transform the way you manage Microsoft 365 so why not discover them all with a free trial.