Quickly list all groups a user is member of or owner of in Office 365

Continuing the “how to do this with the new Azure AD PowerShell module” series, in this article we will explore some useful cmdlets that quickly list all Groups a user is a member of, or is configured as Owner/Manager for.

To get the latest version of the AzureAD PowerShell module, click here. To get the documentation on installing and using the module, click here.

Getting group membership

As a reminder, here’s how to quickly get a list of all groups a user is a member of via the Exchange Online (EO) Remote PowerShell cmdlets:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"

where 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com' is the DistinguishedName of the user, obtainable for example via:

Get-User user@domain.com | select -ExpandProperty DistinguishedName

Now, there’s also one caveat you might want to consider when using the above cmdlet. Namely, the Get-Recipient cmdlet in EO doesn’t return Office 365 Groups objects (the new, “modern” groups) unless you specifically include them. An updated version of the above cmdlet that accounts for Groups will look like this:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup

and will return all Distribution groups, Mail-enabled security groups and Office 365 groups the user is a member of. Dynamic distribution groups are something else you might want to consider, but those aren’t a subject for the current article. You can add other recipient types to the above example as needed.

If you want to return membership of Exchange Role Groups as well, use the Get-Group cmdlet:

Get-Group -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"

So, after covering the Exchange side, can we also do the same with the Azure AD cmdlets? The answer is yes, thanks to the Get-AzureADUserMembership cmdlet. Here’s an example:

Get-AzureADUserMembership -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

As usual, one probably wants to avoid using ObjectIds, so here’s an example that takes care of that:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership

The next problem you will run into is handling the output, which is also full of ObjectIds. We can use calculated properties to work around this:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | ? {$_.ObjectType -ne "Role"}  | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft 

where we have also excluded the Role groups from the output. If you want to keep them, change the above cmdlet to:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | % {Get-AzureADObjectByObjectId -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft

DisplayName           ObjectType MailEnabled SecurityEnabled ObjectId
-----------           ---------- ----------- --------------- --------
Company Administrator Role                                   c25d133f-4944-481a-84d2-6e41d6a101f4
test                  Group      False       True            a1813eff-a80b-4ac9-bbdc-8e0821b76809
empty                 Group      True        False           74f09795-5028-4f89-bba3-f6f0e0d084b4
DG                    Group      True        False           c91cd116-a8a5-443b-9ae1-e1f0bade4a23
USG                   Group      True        True            9e629d33-d655-440c-89af-15738e59e667

Overall, the number of objects returned by the Get-AzureADUserMembership cmdlet should be greater than the number returned by the Exchange cmdlets, because of the inclusion of objects such as Security groups and User Roles.

Get list of objects the user is Owner for

Similarly to group membership, we can also use PowerShell cmdlets to quickly get a list of all objects a user is configured as Owner for (or Manager in the Exchange world). Here’s how to do this with EO remote PowerShell:

Get-Recipient -Filter "ManagedBy -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup

To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:

Get-AzureADUserOwnedObject -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

or the more useful version sans the ObjectId obscurity:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserOwnedObject

ObjectId                             DisplayName      Description
--------                             -----------      -----------
471b526b-a084-46c0-a649-986c4e2cb89d First group      First group
b6b27af5-7b64-4bd5-9dc5-8886974dcb51 All Users

A note is due here – the Azure AD cmdlet doesn’t look at the “ManagedBy” property. If you want to include Exchange related recipients in the output, such as (dynamic) distribution groups, use the Exchange cmdlet above.
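An added example, not part of the original article: it combines the membership and ownership lookups from the two sections above into one report for access reviews. The function names and the SecurityRelevant column are hypothetical, and the sample rows are copied from the article's output table so the formatting helpers run without a tenant connection.

```powershell
# Added example; Get-ObjectKind, ConvertTo-ReviewRow and Get-UserAccessReview are hypothetical names.
function Get-ObjectKind($o) {
    # Label an object using the properties shown in the article's output table.
    if ($o.ObjectType -ne 'Group') { return $o.ObjectType }   # Role, or a non-group owned object
    $mail = [bool]$o.MailEnabled; $sec = [bool]$o.SecurityEnabled
    if ($mail -and $sec) { return 'Mail-enabled security group' }
    if ($sec)            { return 'Security group' }
    if ($mail)           { return 'Mail-enabled group' }
    return 'Group'
}

function ConvertTo-ReviewRow {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][ValidateSet('Member','Owner')][string]$Relationship,
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject
    )
    process {
        [pscustomobject]@{
            User             = $User
            Relationship     = $Relationship
            DisplayName      = $InputObject.DisplayName
            Kind             = Get-ObjectKind $InputObject
            # Roles and security-enabled groups can carry permissions, so review them first.
            SecurityRelevant = ($InputObject.ObjectType -eq 'Role') -or [bool]$InputObject.SecurityEnabled
            ObjectId         = $InputObject.ObjectId
        }
    }
}

function Get-UserAccessReview {
    # Live lookup; requires Connect-AzureAD. -ObjectId accepts a UPN or an ObjectId.
    param([Parameter(Mandatory)][string]$UserId)
    $u = Get-AzureADUser -ObjectId $UserId
    Get-AzureADUserMembership -ObjectId $u.ObjectId -All $true |
        ForEach-Object { Get-AzureADObjectByObjectId -ObjectIds $_.ObjectId } |
        ConvertTo-ReviewRow -User $u.UserPrincipalName -Relationship Member
    Get-AzureADUserOwnedObject -ObjectId $u.ObjectId -All $true |
        ConvertTo-ReviewRow -User $u.UserPrincipalName -Relationship Owner
}

# Offline run on rows from the article's sample output (the Role row has no Mail/Security flags).
$sample = @(
    [pscustomobject]@{ DisplayName='Company Administrator'; ObjectType='Role'; MailEnabled=$null; SecurityEnabled=$null; ObjectId='c25d133f-4944-481a-84d2-6e41d6a101f4' }
    [pscustomobject]@{ DisplayName='test'; ObjectType='Group'; MailEnabled=$false; SecurityEnabled=$true; ObjectId='a1813eff-a80b-4ac9-bbdc-8e0821b76809' }
    [pscustomobject]@{ DisplayName='DG'; ObjectType='Group'; MailEnabled=$true; SecurityEnabled=$false; ObjectId='c91cd116-a8a5-443b-9ae1-e1f0bade4a23' }
    [pscustomobject]@{ DisplayName='USG'; ObjectType='Group'; MailEnabled=$true; SecurityEnabled=$true; ObjectId='9e629d33-d655-440c-89af-15738e59e667' }
)
$sample | ConvertTo-ReviewRow -User 'user@domain.com' -Relationship Member | Format-Table -AutoSize
```

Against a connected tenant, pipe Get-UserAccessReview 'user@domain.com' to Export-Csv to keep the report. As noted above, owners set only through the Exchange “ManagedBy” property will not appear in it.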


22 Responses to Quickly list all groups a user is member of or owner of in Office 365

  1. Anand Venkatachalapathy says:

    Very good information, helped me when I needed it. Thanks Vasil.

  2. Nick Hall says:

    I just want to be able to export the User groups to CSV>>
    oh, but, is that a DG, or a Group created from Teams or what?= type of 365 Group are they a member of?
    Many tenants getting 365, but still need someone that can Powershell to reach all the buttons!

  3. elias says:

    hello! i need your help
    i have 270 groups in my organisation
    suddenly the manager asked me to add him as owner in all groups.
    is there an easy way to do it?? using powershell or so?
    please help

  4. Pingback: Sitecore Identity Server and Azure AD security groups limit – a system administrator

  5. shalini says:

    That's really awesome

  6. Axel Bock says:

    Any idea how I can do the same with Azure CLI? That limitation to .NET (_not_ “Core”) is a serious impediment on Linux / OS X.

  7. Brian Watts says:

    This is simple and quick – good stuff!

  8. Bill says:

    This worked brilliantly for 3 of our O365 admins, but when I checked for a normal user, no results. I tried multiple users with no luck.

    We sync on-premises AD to O365 (AzureAD) and I was hoping to find a simple command to see which groups (cloud or synced) a user was a member of. For the admins it looked great. I also noticed that my queries for the admins only work with our very basic LANID. None of my attempts to use the full UPN (user@domain.com), e-mail address, hierarchical naming, etc. did a thing.

    Any thoughts on how I can make this work consistently?

    • Vasil Michev says:

      The Exchange method (Get-Recipient) will only work if you use the full DN of the user. The AAD one can be used with a variety of identifiers, but in general you should be using the objectID.

  9. Pingback: Generating a report of users’ group membership (MemberOf inventory) | Blog

  10. Kumaresan N says:

    Thank you, it is helpful for me. Is it possible to export the same for all users and the DLs they are members of?
    Name DL
    Kumaresan IT – Tech,IT – dept
    Jacop All – Techies

  11. Pingback: Script to remove user(s) from all groups in Office 365 | Blog

  12. Aberdeen Angus says:

    Really good, impressed

  13. BB says:

    How can we do the same to get SharePoint groups cross sites/subsites ?

  14. Chris says:

    How would you perform the same task including Dynamic groups?

    • Vasil Michev says:

      As dynamic DGs don’t have a preset membership, there is no shortcut to include them in the list of groups a given user is a member of. Instead you have to cycle over each DDG and expand the membership based on the recipient filter, then compare it against the user at hand.

  15. Royke Marcell says:

    Thank you, this article does help me in much simpler way than others. Love it!!
