Quickly list all groups a user is member of or owner of in Office 365

Continuing the “how to do this with the new Azure AD PowerShell module” series, in this article we will explore some useful cmdlets that quickly list all groups a user is a member of, or is configured as Owner/Manager of.

To get the latest version of the AzureAD PowerShell module, click here. To get the documentation on installing and using the module, click here.

Getting group membership

As a reminder, here’s how to quickly get a list of all groups a user is a member of via the EO Remote PowerShell cmdlets:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"

where ‘CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com’ is the DistinguishedName of the user, obtainable for example via:

Get-User user@domain.com | select -ExpandProperty DistinguishedName

There is one caveat to consider when using the above cmdlet: the Get-Recipient cmdlet in EO doesn’t return Office 365 Groups objects (the new, “modern” groups) unless you specifically include them. An updated version of the above cmdlet that accounts for Groups looks like this:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup

and will return all Distribution groups, Mail-enabled security groups and Office 365 groups the user is a member of. Dynamic distribution groups are something else you might want to consider, but they aren’t covered in this article. You can add other recipient types to the above example as needed.

So, after covering the Exchange side, can we also do the same with the Azure AD cmdlets? The answer is yes, thanks to the Get-AzureADUserMembership cmdlet. Here’s an example:

Get-AzureADUserMembership -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

As usual, one probably wants to avoid using ObjectIds, so here’s an example that takes care of that:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership

The next problem you will run into is handling the output, which is also full of ObjectIds. We can use calculated properties to work around this:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | ? {$_.ObjectType -ne "Role"}  | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft 

where we have also excluded the Role groups from the output. If you want to keep them, change the above cmdlet to:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | % {Get-AzureADObjectByObjectId -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft

DisplayName           ObjectType MailEnabled SecurityEnabled ObjectId
-----------           ---------- ----------- --------------- --------
Company Administrator Role                                   c25d133f-4944-481a-84d2-6e41d6a101f4
test                  Group      False       True            a1813eff-a80b-4ac9-bbdc-8e0821b76809
empty                 Group      True        False           74f09795-5028-4f89-bba3-f6f0e0d084b4
DG                    Group      True        False           c91cd116-a8a5-443b-9ae1-e1f0bade4a23
USG                   Group      True        True            9e629d33-d655-440c-89af-15738e59e667

Overall, the Get-AzureADUserMembership cmdlet should return more objects than the Exchange cmdlets, because it also includes objects such as Security groups and User Roles.

Get list of objects the user is Owner for

Similarly to group membership, we can also use PowerShell cmdlets to quickly get a list of all objects a user is configured as Owner for (or Manager in the Exchange world). Here’s how to do this with EO remote PowerShell:

Get-Recipient -Filter "ManagedBy -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup

To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:

Get-AzureADUserOwnedObject -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

or the more useful version sans the ObjectId obscurity:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserOwnedObject

ObjectId                             DisplayName      Description
--------                             -----------      -----------
471b526b-a084-46c0-a649-986c4e2cb89d First group      First group
b6b27af5-7b64-4bd5-9dc5-8886974dcb51 All Users

A note is due here – the Azure AD cmdlet doesn’t look at the “ManagedBy” property. If you want to include Exchange related recipients in the output, such as (dynamic) distribution groups, use the Exchange cmdlet above.
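For an access review or an offboarding check, the membership and ownership lookups above can be combined into one report per user. The function below is an added example, not code from the original article; the name Get-UserGroupFootprint and the output column names are assumptions, and it expects an existing Connect-AzureAD session.

```powershell
# Added example (not from the original article).
# Requires the AzureAD module and an existing Connect-AzureAD session.
function Get-UserGroupFootprint {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    # -ObjectId accepts a UPN and resolves exactly one user, whereas
    # -SearchString is a prefix search that can match several users.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # -All $true pages through every result instead of only the first page.
    $memberOf = Get-AzureADUserMembership  -ObjectId $user.ObjectId -All $true
    $owned    = Get-AzureADUserOwnedObject -ObjectId $user.ObjectId -All $true

    $rows = foreach ($set in @(@{ Relationship = 'Member'; Items = $memberOf },
                               @{ Relationship = 'Owner';  Items = $owned })) {
        foreach ($item in $set.Items) {
            # Resolve the full object, as the article does, so that Roles and
            # Groups are both covered by the same lookup.
            $obj = Get-AzureADObjectByObjectId -ObjectIds $item.ObjectId
            [pscustomobject]@{
                User            = $user.UserPrincipalName
                Relationship    = $set.Relationship
                DisplayName     = $obj.DisplayName
                ObjectType      = $obj.ObjectType
                MailEnabled     = $obj.MailEnabled      # empty for Roles
                SecurityEnabled = $obj.SecurityEnabled  # empty for Roles
                ObjectId        = $obj.ObjectId
            }
        }
    }

    # Group the report so Owner rows, which carry the right to change
    # membership, are easy to pick out from plain Member rows.
    $rows | Sort-Object Relationship, ObjectType, DisplayName
}

Get-UserGroupFootprint -UserPrincipalName user@domain.com | Format-Table -AutoSize
```

As noted above, this covers the Azure AD side only; objects where the user is set in the Exchange “ManagedBy” property still need the Get-Recipient query.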


3 Responses to Quickly list all groups a user is member of or owner of in Office 365

  1. Royke Marcell says:

    Thank you, this article does help me in a much simpler way than others. Love it!!

  2. Chris says:

    How would you perform the same task including Dynamic groups?

    • Vasil Michev says:

      As dynamic DGs don’t have a preset membership, there is no shortcut to include them in the list of groups a given user is a member of. Instead you have to cycle over each DDG and expand the membership based on the recipient filter, then compare it against the user at hand.
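
The approach described in the reply above, written out as an added example that is not part of the original post or its comments. The function name Get-UserDynamicGroupMembership and the output columns are assumptions, and it expects an existing Exchange Online remote PowerShell session.

```powershell
# Added example (not from the original article or its comments).
# Requires an Exchange Online remote PowerShell session.
function Get-UserDynamicGroupMembership {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity   # e.g. user@domain.com
    )

    # The DistinguishedName is the value compared against each expanded group.
    $userDN = (Get-Recipient -Identity $Identity).DistinguishedName

    foreach ($ddg in Get-DynamicDistributionGroup -ResultSize Unlimited) {
        # A dynamic group stores a filter, not a member list, so its current
        # membership has to be computed by previewing that filter within the
        # group's recipient container.
        $members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                                 -OrganizationalUnit $ddg.RecipientContainer `
                                 -ResultSize Unlimited

        # Member enumeration returns every DistinguishedName in the preview;
        # -contains is $false when the preview is empty.
        if ($members.DistinguishedName -contains $userDN) {
            [pscustomobject]@{
                DisplayName        = $ddg.DisplayName
                PrimarySmtpAddress = $ddg.PrimarySmtpAddress
                RecipientFilter    = $ddg.RecipientFilter
                MatchedRecipients  = @($members).Count
            }
        }
    }
}

Get-UserDynamicGroupMembership -Identity user@domain.com | Format-List
```

Every dynamic group is expanded in full, so the run time grows with the number of groups and the size of each one, and the result reflects filter evaluation at the moment of the query.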
