Azure AD

How to Find Empty Groups in Microsoft Entra ID

Empty groups in Microsoft 365 may seem harmless at first glance. However, they may still have access to sensitive data, creating risks if repopulated accidentally. That's why it's crucial to audit empty groups in Microsoft Entra ID. In this guide, we'll walk you through the steps to easily find empty groups in Microsoft Entra ID, helping you to prevent unauthorized data exposure and keep your Microsoft 365 environment secure.

Using Windows PowerShell

Microsoft 365 Permission Required

Groups Admin Least Privilege

Global Admin Most Privilege

Connect to the Microsoft Graph PowerShell module using the cmdlet below.
Windows PowerShell
```
 Connect-MgGraph -Scopes Group.Read.All
```
Execute the cmdlet below to get all empty groups in Microsoft 365.

Windows PowerShell

 Get-MgGroup -All | Where-Object { (Get-MgGroupMemberCount -GroupId $_.Id -ConsistencyLevel eventual) -eq 0 }

Using PowerShell Script

Microsoft 365 Permission Required

Groups Admin Least Privilege

Global Admin Most Privilege

The above PowerShell cmdlet helps you locate empty groups in Microsoft 365, but it doesn't include other important details such as group email address or group type.
To overcome this limitation, we've developed a PowerShell script that generates 12 different comprehensive group reports. To list all empty groups in Microsoft Entra ID, run the script with the 'IsEmpty' parameter.
./M365GroupReport.ps1 -IsEmpty

M365GroupReport.zip

Note: You can also use this script to view membership details, group size insights, and list group types such as security, distribution, and mail-enabled groups separately.

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Log in to the AdminDroid Office 365 reporter.
Navigate to the Empty Groups report under Reports»Azure AD»Group Reports.

AdminDroid Azure AD Reporter

Audit empty groups in Microsoft Entra ID to keep your M365 environment organized

AdminDroid's Microsoft 365 group auditing tool offers detailed insights into various group-related activities like Microsoft 365 group creations, modifications, deletions, group setting changes, and more. With these comprehensive insights, you can effortlessly monitor Microsoft 365 empty groups to reduce unnecessary clutter and maintain efficient resource management.

Track Empty Group Creations in Microsoft 365

Monitor Microsoft 365 group creations to investigate and delete unwanted empty groups created, ensuring that only relevant groups remain in your organization.

Find Inactive Empty Groups in Microsoft Entra ID

Track last active time of Microsoft 365 groups to find inactive empty groups and delete them if they are no longer required.

Get Instant Alerts on Empty Group Deletion with AdminDroid

Receive real-time notifications with AdminDroid's alerting whenever an empty group is deleted. This helps to take timely investigation to avoid unwanted deletions.

Proactively Monitor Microsoft 365 Group Membership Changes

Keep track of Microsoft 365 group membership changes to find any unauthorized bulk deletion of group members happened and the group was emptied.

Monitor Deleted Empty Groups Report in Microsoft Entra ID

Regularly review deleted groups in Microsoft 365 to identify unauthorized bulk deletions that may have emptied the group.

Group Dashboard for Visualizing Empty Groups

With AdminDroid's Microsoft 365 group dashboard, visualize empty groups and maintain a well-organized directory.

In conclusion, AdminDroid's Azure AD management tool offers an effective solution for identifying and managing empty groups. With its comprehensive reports, you can effortlessly maintain a clean directory, streamline group management, and enhance overall organizational efficiency.

Explore a full range of reporting options

Download Live Demo

Important Tips

Regularly monitor empty security groups in Microsoft 365 to prevent potential data exposure as these groups can still grant access to resources if accidentally populated.

Enable self-service group management in Microsoft Entra ID to prevent accidental empty group creations by letting users manage their own memberships.

Monitor empty groups with group-based licensing in Microsoft 365 to optimize license usage and avoid unnecessary costs.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while managing Microsoft Entra ID empty groups.

Error Get-MgGroup : Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied.

This error occurs when the 'Connect-MgGraph' cmdlet is executed without specifying the required scopes.

Fix Define the necessary scopes when connecting to the Microsoft Graph PowerShell module.

Connect-MgGraph –Scopes Group.Read.All

Error Failed to create group. Dynamic membership rule validation error: Invalid operator.

This error occurs when you try to create a dynamic membership group in Microsoft 365 with an invalid operator.

Fix To resolve this error, review the dynamic membership rule and replace any invalid operators with the correct ones.

Error Insufficient privileges to delete some or all of the selected groups.

This error occurs in the Microsoft Entra admin center when attempting to delete an empty group without the required admin permissions.

Fix Ensure you have sufficient permissions. Read-only roles cannot delete groups. You must have Global Admin or Group Admin rights to delete an empty group.

Error File D:\M365GroupReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run the PowerShell script and the system's execution policy restricts running unsigned scripts.

Fix To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Azure AD

Frequently Asked Questions

Ensure Organizational Efficiency by Managing Empty Groups in Microsoft Entra ID!

Why is it important to identify and manage empty groups in Microsoft Entra ID?

How to find who created an empty group in Microsoft 365?

How to automate the deletion of inactive empty M365 groups with expiration policy?

How to prevent accidental empty group creation using dynamic membership rules in M365?

1. Why is it important to identify and manage empty groups in Microsoft Entra ID?

Empty groups in Microsoft Entra ID can cause clutter and confusion in your directory, leading to a less organized and inefficient environment. Here are several reasons why identifying and managing empty groups is crucial.

Directory Clutter: Empty groups can cause clutter, making it harder for admins to locate active groups. Admins should identify and either remove or repurpose these empty groups to streamline group management and maintain an organized directory.
Security Risks: While empty groups may seem harmless, they can still retain permissions or access to sensitive data. If these empty groups are later populated by mistake, they could unintentionally grant access to sensitive resources.
Resource Wastage: Empty groups created with group-based licensing can lead to wasted resources. When these groups are unknowingly populated, they may consume licenses unnecessarily. Therefore, it’s essential to identify and manage empty groups in Microsoft Entra ID.

Managing empty groups proactively enhances security and compliance, ultimately helping admins maintain a cleaner, more efficient Microsoft Entra ID environment.

Automate Microsoft 365 empty group reviews with AdminDroid like a Pro!

Utilize AdminDroid's scheduling feature to get empty group reports in your mail on time, reducing manual efforts.
This automation not only saves time but also strengthens your group management. It highlights potential security risks, enabling you to act swiftly and prevent unintended access to sensitive resources.

Pro tip: Enable 'Don't attach empty reports' option under 'Customize Email Message' to receive reports only when data is available in the empty group report.

2. How to find who created an empty group in Microsoft 365?

Admins should identify who created an empty group in Microsoft Entra ID to confirm the group's purpose and determine whether it is still needed or can be safely removed. This helps to reduce unnecessary empty groups and enhances overall organizational efficiency.

Steps to see who created an empty Microsoft 365 group

Log in to the Microsoft 365 admin center.
Go to Active Teams & groups under the 'Teams & groups' section.
Choose the group type from the top menu, then locate and select the empty group you want to examine.
Under the General tab in the 'Other info' section, you can see the group's creation date and time, who created it, and the portal through which it was created.

Note: Only the creation date and time are displayed, without showing the exact username of the person who created the empty group. It will be simply displayed as '<Group name>Owners'.

With AdminDroid, effortlessly identify the creator of an empty group in Microsoft 365.

With AdminDroid's Created Groups report, you can audit all newly created groups in Microsoft Entra ID.
This report helps to identify who created the group with the group name, created time, and more insights.

3. How to automate the deletion of inactive empty M365 groups with expiration policy?

Expiration policy in Microsoft 365 allows admins to set specific timeframes for group activity, automatically removing inactive and empty groups when they are no longer in use. This process helps in keeping the directory clean by eliminating unused groups that accumulate over time.

Steps to configure expiration policy for Microsoft 365 groups

Navigate to All groups under Identity»Groups in Microsoft Entra admin center.
Select Expiration under 'Settings' section and specify the Group lifetime (in days) as 180 or 365 days. You can also select 'Custom' and specify a custom lifetime in days.
Then specify the "Email contact for groups with no owners" to receive expiration notifications.
Now, decide if the policy applies to All groups, Selected groups, or None. If you specified Selected groups, click on the 'Add' option and select the groups for policy application.
Then click Save on the top banner to apply the expiration policy.

Note: Group renewal notification will be emailed to group owners 30 days, 15 days, and 1 day prior to the group expiration. If an empty group remains inactive throughout the specified group lifetime, it will be automatically deleted at the end of the period.

4. How to prevent accidental empty group creation using dynamic membership rules in M365?

Maintaining a clean and efficient directory in Microsoft 365 requires not only removing empty groups but also preventing their accidental creation in the first place. Dynamic membership rules provide a proactive approach to ensure that groups remain populated, automatically assigning users based on specified criteria. These rules help admins to eliminate the risk of creating groups that are left empty.

Create a rule for a dynamic membership group in Microsoft 365

Navigate to All groups under Identity»Groups in the Microsoft Entra admin center.
Click on the New group option. Select the group type (Security group or M365 group).
Specify the group a name, description, and email address. Then, click on the Membership type drop-down.
Now, assign owners to the group. Then click on the Add dynamic query option.
Then in the rule builder, you can specify the rule. The rule builder supports up to five expressions. To add more than five expressions, you must use the Rule syntax text box.

After creating the rule, click on the Save option. Then in the 'New group' page, click Create to create a dynamic membership group in Microsoft Entra ID.

By implementing dynamic membership rules, admins can ensure that groups remain populated, effectively minimizing the clutter and inefficiency caused by empty groups.