Quickly list all groups a user is member of or owner of in Office 365

Continuing the “how to do this with the new Azure AD PowerShell module” series, in this article we will explore some useful cmdlets that quickly list all groups a user is a member of, or is configured as Owner/Manager for.

To get the latest version of the AzureAD PowerShell module, click here. To get the documentation on installing and using the module, click here.

Getting group membership

As a reminder, here’s how to quickly get a list of all groups a user is a member of via the EO Remote PowerShell cmdlets:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"

where ‘CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com’ is the DistinguishedName of the user, obtainable for example via:

Get-User user@domain.com | select -ExpandProperty DistinguishedName

Now, there’s also one caveat you might want to consider when using the above cmdlet. Namely, the Get-Recipient cmdlet in EO doesn’t return Office 365 Groups objects (the new, “modern” groups) unless you specifically include them. An updated version of the above cmdlet that accounts for Groups will look like this:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup

and will return all Distribution groups, Mail-enabled security groups and Office 365 groups the user is a member of. Dynamic distribution groups are something else you might want to consider, but those aren’t a subject for the current article. You can add other recipient types to the above example as needed.

If you want to return membership of Exchange Role Groups as well, use the Get-Group cmdlet:

Get-Group -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'"
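The Exchange lookups above can be wrapped so that the DistinguishedName is resolved once and quoted safely before it reaches -Filter (an embedded single quote is doubled). This is an added example, not code from the original article; `ConvertTo-OPathLiteral` and `Get-UserExchangeGroup` are hypothetical helper names, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example: assumes an Exchange Online PowerShell session is already connected.
# ConvertTo-OPathLiteral and Get-UserExchangeGroup are hypothetical helper names.
function ConvertTo-OPathLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # Inside a single-quoted OPATH value a literal ' is written as '',
    # so a DN such as CN=O'Brien,... cannot end the string early.
    $Value.Replace("'", "''")
}

function Get-UserExchangeGroup {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)

    # Resolve the identity once and refuse missing or ambiguous matches.
    $user = @(Get-User -Identity $Identity -ErrorAction Stop)
    if ($user.Count -ne 1) {
        throw "Expected exactly one user for '$Identity', found $($user.Count)."
    }
    $dn     = ConvertTo-OPathLiteral -Value $user[0].DistinguishedName
    $filter = "Members -eq '$dn'"

    # Distribution groups, mail-enabled security groups and Office 365 Groups.
    $mailGroups = @(Get-Recipient -Filter $filter -ResultSize Unlimited `
        -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup)

    # Get-Group also returns mail-enabled groups; keep only the role groups
    # so that nothing is listed twice.
    $roleGroups = @(Get-Group -Filter $filter -ResultSize Unlimited |
        Where-Object { "$($_.RecipientTypeDetails)" -eq 'RoleGroup' })

    $mailGroups + $roleGroups |
        Select-Object DisplayName, RecipientTypeDetails, Guid |
        Sort-Object RecipientTypeDetails, DisplayName
}

# Usage (constructed address):
# Get-UserExchangeGroup -Identity user@domain.com | Format-Table -AutoSize
```

Role group membership appears in the same output as mail groups, which makes privileged Exchange roles easy to spot during an access review.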

So, after covering the Exchange side, can we also do the same with the Azure AD cmdlets? The answer is yes, thanks to the Get-AzureADUserMembership cmdlet. Here’s an example:

Get-AzureADUserMembership -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

As usual, one probably wants to avoid using ObjectIds, so here’s an example that takes care of that:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership

The next problem you will run into is handling the output, which is also full of ObjectIds. We can use calculated properties to work around this:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | ? {$_.ObjectType -ne "Role"}  | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft 

where we have also excluded the Role groups from the output. If you want to keep them, change the above cmdlet to:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | % {Get-AzureADObjectByObjectId -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft

DisplayName           ObjectType MailEnabled SecurityEnabled ObjectId
-----------           ---------- ----------- --------------- --------
Company Administrator Role                                   c25d133f-4944-481a-84d2-6e41d6a101f4
test                  Group      False       True            a1813eff-a80b-4ac9-bbdc-8e0821b76809
empty                 Group      True        False           74f09795-5028-4f89-bba3-f6f0e0d084b4
DG                    Group      True        False           c91cd116-a8a5-443b-9ae1-e1f0bade4a23
USG                   Group      True        True            9e629d33-d655-440c-89af-15738e59e667

Overall, the Get-AzureADUserMembership cmdlet should return more objects than the Exchange cmdlets, because it includes objects such as Security groups and User Roles.

Get list of objects the user is Owner for

Similarly to group membership, we can also use PowerShell cmdlets to quickly get a list of all objects a user is configured as Owner for (or Manager in the Exchange world). Here’s how to do this with EO remote PowerShell:

Get-Recipient -Filter "ManagedBy -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup

To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:

Get-AzureADUserOwnedObject -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

or the more useful version sans the ObjectId obscurity:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserOwnedObject

ObjectId                             DisplayName      Description
--------                             -----------      -----------
471b526b-a084-46c0-a649-986c4e2cb89d First group      First group
b6b27af5-7b64-4bd5-9dc5-8886974dcb51 All Users

A note is due here – the Azure AD cmdlet doesn’t look at the “ManagedBy” property. If you want to include Exchange related recipients in the output, such as (dynamic) distribution groups, use the Exchange cmdlet above.
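Because the Azure AD Owner list and the Exchange ManagedBy list are separate, an ownership review needs both queries merged into one view. The following is an added example, not code from the original article; `Get-UserOwnershipReport` is a hypothetical helper name, and it assumes connected AzureAD and Exchange Online sessions and that recipients returned by Get-Recipient carry an `ExternalDirectoryObjectId` matching the Azure AD ObjectId.

```powershell
# Added example: assumes connected AzureAD and Exchange Online sessions.
# Get-UserOwnershipReport is a hypothetical helper name.
function Get-UserOwnershipReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $report = @{}

    # Azure AD side: objects that list the user as Owner.
    $aadUser = Get-AzureADUser -ObjectId $UserPrincipalName
    $owned   = Get-AzureADUserOwnedObject -ObjectId $aadUser.ObjectId -All $true
    foreach ($o in $owned) {
        $report[$o.ObjectId] = [pscustomobject]@{
            DisplayName       = $o.DisplayName
            Type              = $o.ObjectType
            AzureADOwner      = $true
            ExchangeManagedBy = $false
            Id                = $o.ObjectId
        }
    }

    # Exchange side: recipients whose ManagedBy contains the user's DN.
    # Embedded single quotes are doubled so the DN stays one OPATH literal.
    $dn     = (Get-User -Identity $UserPrincipalName -ErrorAction Stop).DistinguishedName
    $safeDn = $dn.Replace("'", "''")
    $managed = Get-Recipient -Filter "ManagedBy -eq '$safeDn'" -ResultSize Unlimited -RecipientTypeDetails `
        GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup

    foreach ($r in $managed) {
        # Recipients without an Azure AD object id are keyed by Exchange GUID.
        $key = if ($r.ExternalDirectoryObjectId) { $r.ExternalDirectoryObjectId } else { "exo:$($r.Guid)" }
        if ($report.ContainsKey($key)) {
            $report[$key].ExchangeManagedBy = $true
            $report[$key].Type = "$($r.RecipientTypeDetails)"
        } else {
            $report[$key] = [pscustomobject]@{
                DisplayName       = $r.DisplayName
                Type              = "$($r.RecipientTypeDetails)"
                AzureADOwner      = $false
                ExchangeManagedBy = $true
                Id                = $key
            }
        }
    }
    $report.Values | Sort-Object DisplayName
}
```

Rows where only one of the two flags is set are the ones a single-source query would have missed.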

An updated version of the article can be found here, with examples utilizing the Microsoft Graph SDK for PowerShell.

34 thoughts on “Quickly list all groups a user is member of or owner of in Office 365”

  1. Lawrence Fan says:

    I need some help with the Filter. The “Members -eq ‘DN'” works fine when the DN does not contain single quote. When it does, the Get throws an exception. Can someone please show me, if possible, how to escape the single quote in the filter?

    P.S. Let’s not discuss the merit of NOT having special characters in a name. 🙂

    Thanks.

    Reply
  2. Egor Emeliyanov says:

    As of January of 2022 the sad reality is that you still need to perform two calls — one to Graph and one to EO to get all group members/owners:

    1) Graph won’t show you distro groups
    2) EO won’t show you security groups (not mail-enabled)

    Luckily, now with REST-compatible interface for EO we can talk directly to https://outlook.office365.com/adminapi/beta/$tenantId/InvokeCommand without the extra luggage of PSremoting (that is — we finally can use a platform/language of our choice), but we still need two queries.

    Reply
    1. Egor Emeliyanov says:

      ^^^^ Correction, the comment above applies only to group OWNERS, not members. All MEMBERSHIPS of a given account can be obtained with one request — https://graph.microsoft.com/beta/users/{userID}/memberOf/ (determining the group type in this case would require some heuristics with mailEnabled, securityEnabled and groupTypes attributes). Apologize for multiple messages.

      Reply
      1. Vasil Michev says:

        You still don’t get the full picture unfortunately, for example the ManagedBy property for DGs will not be returned by Graph. And the list of owners is separate from the ManagedBy list :/

        Reply
  3. Nupur says:

    Hi Vasil,

    Your article helped me a lot but, how to get the Distribution group as type because the AAD one is only giving Microsoft 365 groups in output. Could you please help for the other Distribution group type with AAD command it will be very helpful.

    Thanks!

    Reply
    1. Vasil Michev says:

      Use the Exchange cmdlets (Get-Recipient), not the AAD ones.

      Reply
  4. Amit Satre says:

    I have 100+ DL list and need to check particular person ownership/approver details of them. is this possible?
    we have set a particular person as approver for multiple DL list. need report all of them DL’s.

    Reply
  5. Anand Venkatachalapathy says:

    Very good information, helped me when I needed it. Thanks Vasil.

    Reply
  6. Nick Hall says:

    I just want to be able to export the User groups to CSV>>
    oh, but, is that a DG, or a Group created from Teams or what?= type of 365 Group are they a member of?
    Many tenants getting 365, but still need someone that can Powershell to reach all the buttons!

    Reply
  7. elias says:

    hello! i need your help
    i have 270 groups in my organisation
    suddenly the manager asked me to add him as owner in all groups.
    is there an easy way to do it?? using powershell or so?
    please help

    Reply
    1. bilal says:

      yes, there is..

      use Add-teamuser command, and write it on excel

      Paste it to PS and run it.

      Reply
  8. Axel Bock says:

    Any idea how I can do the same with Azure CLI? That limitation to .NET (_not_ “Core”) is a serious impediment on Linux / OS X.

    Reply
    1. Peter Goedtkindt says:

      I use a win10 jumphost (a virtual machine), install powershell 7.2 on it, set up ssh access to it (protect access by some AD group and firewall if needed), and then allow PS-remoting to it using
      Enter-PSSession -hostname

      Any commands that follow will be able to use the full windows powershell capabilities.

      In short, steps to do are:

      Install OpenSSH Server and Client:
      OpenSSH for Windows is available directly in Windows 10 (1809 or higher) and Windows Server 2019 as an optional feature.

      Install PowerShell 7 on all systems

      Configure the SSH subsystem to host a PowerShell process on the remote machine

      Configure password or key-based authentication

      More info here: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7.2

      Reply
  9. Bill says:

    This worked brilliantly for 3 of our O365 admins, but when I checked for a normal user, no results. I tried multiple users with no luck.

    We sync on premise AD to O365 (AzureAD) and I was hoping to find a simple command to see which groups (cloud or synched) a user was a member of. For the admins it looked great. I also noticed that my queries for the admins only work with our very basic LANID. None of my attempts to use the full UPN (user@domain.com), e-mail address, hierarchical naming, etc. did a thing.

    Any thoughts on how I can make this work consistently?

    Reply
    1. Vasil Michev says:

      The Exchange method (Get-Recipient) will only work if you use the full DN of the user. The AAD one can be used with a variety of identifiers, but in general you should be using the objectID.

      Reply
  10. Kumaresan N says:

    Thank you, it is helpful for me. Is it possible to export the same like all users and DL they are members of.
    Ex.
    Name DL
    Kumaresan IT – Tech,IT – dept
    Jacop All – Techies

    Reply
    1. Vasil Michev says:

      Sure, simply put a foreach loop and go over every user.

      Reply
  11. BB says:

    How can we do the same to get SharePoint groups cross sites/subsites ?

    Reply
      1. Vasil Michev says:

        Teams uses Office 365 Groups as membership, the above examples work just fine.

        Reply
  12. Chris says:

    How would you perform the same task including Dynamic groups?

    Reply
    1. Vasil Michev says:

      As dynamic DGs don’t have a preset membership, there is no shortcut to include them in the list of groups a given user is a member of. Instead you have to cycle over each DDG and expand the membership based on the recipient filter, then compare it against the user at hand.

      Reply
  13. Royke Marcell says:

    Thank you, this article does help me in much simpler way than others. Love it!!

    Reply
