How to Report on Nested Groups in Microsoft Office 365

At some point in your Microsoft IT admin life, you may be asked to report on the groups within your environment that may include other groups as members, such as Microsoft 365 groups, distribution groups and security groups. These kinds of groups are called nested groups.

Creating nested groups is a way of organizing groups in a hierarchical manner. It gives you a more structured approach to managing permissions, access and collaboration within your organization. However, the way these groups were organized in the past may not be ideal for your organization now, so to create a report on nested groups you will need to see how these groups are organized and nested.

Trying to see the hierarchies using the Microsoft 365 portal can be difficult because different types of groups are listed on different tabs. To drill down to see the individual members in each group you must open the group separately to see the members. This can be become complicated and confusing making it tough to build a detailed report.

One common way to approach this problem is to use PowerShell but this can be risky if you do not know how to write code or if you have to search for a script online.

You could also choose to use a PowerShell alternative such as sapio365 to do the job. Let’s look at how the two approaches differ and compare.

To use PowerShell, you will have to create an elaborate script that will go through every group to retrieve their members and if some members are groups themselves, it will have to drill down to get those members as well. It will need to be a thorough and well-thought-out script if there are several levels of nesting groups. So, if you’re writing the script, your coding skills need to be good. The other alternative is to go online and try to find the right script or combination of scripts which will take you some time.

For example, the PowerShell cmdlet Get-AzureADGroupMember will retrieve the members of any group in Entra ID, while the others that follow below only apply to specific group types.

Note that Get-AzureADGroupMember will only get the direct members of the group so if there are any nested groups within it, you will only see the group name and not that group’s members. Your script will need to take this into account.

Get members of a distribution group or mail-enabled security group: Get-DistributionGroupMember

You’ll need a separate cmdlet to get the members of a dynamic distribution group.: Get-DynamicDistributionGroupMember

Get members of a Microsoft 365 group: Get-UnifiedGroup

Of course, whenever you use a PowerShell scripts, there is the risk of unexpected error, since there is no way to tell if it works until you execute the script. If there is an error, you must be prepared to spend a lot of time correcting it.

If you choose to use sapio3655, you simply need to get all the members of all the groups on one screen and this is easy due to sapio365’s ability to provide a global view of all data at one time.

The image below shows memberships for three distribution groups. Note that the first one contains the other two groups as members.

Then with the click of one button, you will be able to expand the groups and see all the members of the nested groups, regardless of how many levels there are.

A valuable bonus feature is that sapio365 will be able to show you if you have any circular nested groups so you can fix the situation. Fixing circular nested groups in sapio365 is straight-forward and easy.

Finally, with your global view, you can then remove any information that you don’t need to create a clear report, and then you export this view to Excel.

sapio365 is an easy choice for Microsoft 365 Office IT admins who don’t want to or who are unable or uncomfortable writing a PowerShell script. Finding a script can take some time and is always a bit of a risk, and if you are writing one, you need to be confident that it will not damage the environment unexpectedly. Using sapio365 to accomplish daily tasks can save you hours of time every day and there isn’t much that sapio365 can’t do. If you’re curious about he possibilities, then why not give sapio365 a try.