Reporting on membership of Office 365 Groups

Reporting on group membership is one of the common tasks in the life of AD, Exchange or Office 365 administrators. Different types of groups are used for a variety of tasks, from keeping track of users’ affiliations to delegating permissions to sensitive functionalities and applications. Thus it’s no wonder that there are a gazillion PowerShell scripts out there that tackle the problem of providing a report of the group membership in an organization.

Most of the reports you have on-premises can easily be adapted to work against Office 365 or just be used directly if you are synchronizing identities. There are some differences you have to account for, but in general it’s an easy task. Things get a bit more complicated if you are a cloud-only organization or you simply want to use the Office 365 tools. In such scenarios, you will have to write something from scratch via the MSOnline or the Azure AD PowerShell modules, or the Office 365 Graph API.

There is one more scenario in which the on-premises scripts won’t help, namely reporting on group membership for the “modern” Office 365 Groups. Those objects exist only in the cloud and have no on-premises representation (OK, technically they can be represented via a DG on-premises when using the Group writeback feature, but still). As Office 365 Groups are currently positioned as a membership service that powers many other Office 365 features, including Microsoft Teams, one cannot simply ignore them.

To report on Office 365 Groups, you have several options. You can use the Graph API, but that will probably not be the first choice of any non-programmer. Using the Azure AD PowerShell module (which is basically a wrapper for Graph) is much easier, and you can get most of the needed information via the Get-AzureADGroup and Get-AzureADGroupMember cmdlets. There are a few caveats, the most important one being that you cannot filter for just Office 365 groups, so you might want to consider using the Get-AzureADMSGroup cmdlet instead.

The following example lists all Office 365 Groups in the tenant and the membership for a specific group:

Get-AzureADMSGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All:$true

Get-AzureADGroupMember -ObjectId 8d405d20-65d9-4650-abca-352770e4438b

Another caveat is the fact that Office 365 Groups feature different types of members, or Links. An Office 365 group will have an Owner or two and a few Members, some of whom might be Subscribers as well. While the Azure AD cmdlets can help you with reporting on Owners and Members, the Subscriber type of link is something that only Exchange “understands”, so if you want to report on it you have to use Exchange Online PowerShell and the Get-UnifiedGroupLinks cmdlet. Two additional link types exist, Aggregators and EventSubscribers; however, at present those are not yet in use, so you can just ignore them.

To get a list of all Office 365 Groups via the Exchange cmdlets, use the following:

Get-UnifiedGroup -ResultSize Unlimited

To report on the Members of a specific Office 365 Group or Team, use:

Get-UnifiedGroupLinks group@domain.com -LinkType Members -ResultSize Unlimited

For any other link types, repeat the same process.

I’ve put together a sample script that illustrates how you can generate a report of the Office 365 Group membership in your organization that includes all the Link types. In addition, information for any Guests that are added to the group will be returned. This script is definitely long overdue, but after some gentle reminders I finally got around to publishing it. Get it from the TechNet Gallery here: https://gallery.technet.microsoft.com/Office-365-Group-links-2957554a
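
The following is an added example, not the TechNet Gallery script linked above: a compact report built from the two Exchange Online cmdlets shown earlier, with one row per group member and the link types each one holds. It assumes an already connected Exchange Online PowerShell session; the output path is a placeholder, and the guest check relies on guests appearing in Exchange Online as GuestMailUser recipients.

```powershell
# Added example, not the author's script. Assumes an Exchange Online PowerShell
# session is already connected.
$linkTypes = 'Owners', 'Members', 'Subscribers'    # link types currently in use
$outFile   = '.\O365GroupLinks.csv'                # hypothetical output path

$report = foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
    $groupAddress = [string]$group.PrimarySmtpAddress
    $seen = @{}    # member address -> row, so each member appears once per group

    foreach ($type in $linkTypes) {
        $links = Get-UnifiedGroupLinks -Identity $groupAddress -LinkType $type -ResultSize Unlimited
        foreach ($link in $links) {
            $address = [string]$link.PrimarySmtpAddress
            if (-not $seen.ContainsKey($address)) {
                $seen[$address] = [pscustomobject]@{
                    Group         = $group.DisplayName
                    GroupAddress  = $groupAddress
                    Member        = $link.DisplayName
                    MemberAddress = $address
                    RecipientType = [string]$link.RecipientTypeDetails
                    # Guests surface in Exchange Online as GuestMailUser recipients
                    IsGuest       = ([string]$link.RecipientTypeDetails -eq 'GuestMailUser')
                    LinkTypes     = @()
                }
            }
            $seen[$address].LinkTypes += $type
        }
    }

    # A group without an Owners link has nobody accountable for its membership
    if (-not ($seen.Values | Where-Object { $_.LinkTypes -contains 'Owners' })) {
        Write-Warning "Group $groupAddress has no owners"
    }

    foreach ($row in $seen.Values) {
        $row.LinkTypes = $row.LinkTypes -join ';'    # flatten for CSV export
        $row
    }
}

$report | Sort-Object Group, MemberAddress |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Review aid: external (guest) accounts and the link types they hold
$report | Where-Object { $_.IsGuest } |
    Format-Table Group, MemberAddress, LinkTypes -AutoSize
```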
