Monitor Empty Groups in Microsoft 365

Native Solution

Microsoft 365 Permission Required

High

Least Privilege

Groups Admin

Most Privilege

Global Admin

Option 1 Using Windows PowerShell

Connect to the Microsoft Graph PowerShell module using the cmdlet below.
Windows PowerShell
```
 Connect-MgGraph -Scopes Group.Read.All
```
Execute the cmdlet below to get all empty groups in Microsoft 365.

Windows PowerShell

 Get-MgGroup -All | Where-Object { (Get-MgGroupMemberCount -GroupId $_.Id -ConsistencyLevel eventual) -eq 0 }

Option 2 Using PowerShell Script

The above PowerShell cmdlet helps you locate empty groups in Microsoft 365, but it doesn't include other important details such as group email address or group type.
To overcome this limitation, we've developed a PowerShell script that generates 12 different comprehensive group reports. To list all empty groups in Microsoft Entra ID, run the script with the 'IsEmpty' parameter.
./M365GroupReport.ps1 -IsEmpty

M365GroupReport.zip

Note: You can also use this script to view membership details, group size insights, and list group types such as security, distribution, and mail-enabled groups separately.

AdminDroid Solution

This report and 150+ more reports are under free editionFREE

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Log in to the AdminDroid Office 365 reporter.
Navigate to the Empty Groups report under Reports»Azure AD»Group Reports.

Get all Microsoft 365 empty groups with detailed information, including group name, group mail ID, group type, mail-enabled status, proxy address, and more.

Utilize AdminDroid's built-in charts to view the count of empty groups by their type. This makes it easy for admins to analyze and manage group resources effectively.

Explore a full range of reporting options

Struggling to Keep Track of Empty Groups in Microsoft Entra ID?

AdminDroid's Microsoft 365 group reports help you prevent clutter and keep your directory organized by spotting empty groups in Microsoft Entra ID.

Witness the report in action using the

Live Demo

Important Tips

Regularly monitor empty security groups in Microsoft 365 to prevent potential data exposure as these groups can still grant access to resources if accidentally populated.

Enable self-service group management in Microsoft Entra ID to prevent accidental empty group creations by letting users manage their own memberships.

Monitor empty groups with group-based licensing in Microsoft 365 to optimize license usage and avoid unnecessary costs.

Azure ADEnsure Organizational Efficiency by Managing Empty Groups in Microsoft Entra ID!

Showing 1 of 4

Why is it important to identify and manage empty groups in Microsoft Entra ID? How to find who created an empty group in Microsoft 365? How to automate the deletion of inactive empty M365 groups with expiration policy? How to prevent accidental empty group creation using dynamic membership rules in M365?

Why is it important to identify and manage empty groups in Microsoft Entra ID?

Empty groups in Microsoft Entra ID can cause clutter and confusion in your directory, leading to a less organized and inefficient environment. Here are several reasons why identifying and managing empty groups is crucial.

Directory Clutter: Empty groups can cause clutter, making it harder for admins to locate active groups. Admins should identify and either remove or repurpose these empty groups to streamline group management and maintain an organized directory.
Security Risks: While empty groups may seem harmless, they can still retain permissions or access to sensitive data. If these empty groups are later populated by mistake, they could unintentionally grant access to sensitive resources.
Resource Wastage: Empty groups created with group-based licensing can lead to wasted resources. When these groups are unknowingly populated, they may consume licenses unnecessarily. Therefore, it’s essential to identify and manage empty groups in Microsoft Entra ID.

Managing empty groups proactively enhances security and compliance, ultimately helping admins maintain a cleaner, more efficient Microsoft Entra ID environment.

Automate Microsoft 365 empty group reviews with AdminDroid like a Pro!

Utilize AdminDroid's scheduling feature to get empty group reports in your mail on time, reducing manual efforts.
This automation not only saves time but also strengthens your group management. It highlights potential security risks, enabling you to act swiftly and prevent unintended access to sensitive resources.

Pro tip: Enable 'Don't attach empty reports' option under 'Customize Email Message' to receive reports only when data is available in the empty group report.

How to find who created an empty group in Microsoft 365?

Admins should identify who created an empty group in Microsoft Entra ID to confirm the group's purpose and determine whether it is still needed or can be safely removed. This helps to reduce unnecessary empty groups and enhances overall organizational efficiency.

Steps to see who created an empty Microsoft 365 group

Log in to the Microsoft 365 admin center.
Go to Active Teams & groups under the 'Teams & groups' section.
Choose the group type from the top menu, then locate and select the empty group you want to examine.
Under the General tab in the 'Other info' section, you can see the group's creation date and time, who created it, and the portal through which it was created.

Note: Only the creation date and time are displayed, without showing the exact username of the person who created the empty group. It will be simply displayed as '<Group name>Owners'.

With AdminDroid, effortlessly identify the creator of an empty group in Microsoft 365.

With AdminDroid's Created Groups report, you can audit all newly created groups in Microsoft Entra ID.
This report helps to identify who created the group with the group name, created time, and more insights.

How to automate the deletion of inactive empty M365 groups with expiration policy?

Expiration policy in Microsoft 365 allows admins to set specific timeframes for group activity, automatically removing inactive and empty groups when they are no longer in use. This process helps in keeping the directory clean by eliminating unused groups that accumulate over time.

Steps to configure expiration policy for Microsoft 365 groups

Navigate to All groups under Identity»Groups in Microsoft Entra admin center.
Select Expiration under 'Settings' section and specify the Group lifetime (in days) as 180 or 365 days. You can also select 'Custom' and specify a custom lifetime in days.
Then specify the "Email contact for groups with no owners" to receive expiration notifications.
Now, decide if the policy applies to All groups, Selected groups, or None. If you specified Selected groups, click on the 'Add' option and select the groups for policy application.
Then click Save on the top banner to apply the expiration policy.

Note: Group renewal notification will be emailed to group owners 30 days, 15 days, and 1 day prior to the group expiration. If an empty group remains inactive throughout the specified group lifetime, it will be automatically deleted at the end of the period.

How to prevent accidental empty group creation using dynamic membership rules in M365?

Maintaining a clean and efficient directory in Microsoft 365 requires not only removing empty groups but also preventing their accidental creation in the first place. Dynamic membership rules provide a proactive approach to ensure that groups remain populated, automatically assigning users based on specified criteria. These rules help admins to eliminate the risk of creating groups that are left empty.

Create a rule for a dynamic membership group in Microsoft 365

Navigate to All groups under Identity»Groups in the Microsoft Entra admin center.
Click on the New group option. Select the group type (Security group or M365 group).
Specify the group a name, description, and email address. Then, click on the Membership type drop-down.
Now, assign owners to the group. Then click on the Add dynamic query option.
Then in the rule builder, you can specify the rule. The rule builder supports up to five expressions. To add more than five expressions, you must use the Rule syntax text box.

After creating the rule, click on the Save option. Then in the 'New group' page, click Create to create a dynamic membership group in Microsoft Entra ID.

By implementing dynamic membership rules, admins can ensure that groups remain populated, effectively minimizing the clutter and inefficiency caused by empty groups.

AdminDroid Azure AD ReporterAudit empty groups in Microsoft Entra ID to keep your M365 environment organized

AdminDroid's Microsoft 365 group auditing tool offers detailed insights into various group-related activities like Microsoft 365 group creations, modifications, deletions, group setting changes, and more. With these comprehensive insights, you can effortlessly monitor Microsoft 365 empty groups to reduce unnecessary clutter and maintain efficient resource management.

A Quick Summary

Track Empty Group Creations in Microsoft 365

Monitor Microsoft 365 group creations to investigate and delete unwanted empty groups created, ensuring that only relevant groups remain in your organization.

Find Inactive Empty Groups in Microsoft Entra ID

Track last active time of Microsoft 365 groups to find inactive empty groups and delete them if they are no longer required.

Get Instant Alerts on Empty Group Deletion with AdminDroid

Receive real-time notifications with AdminDroid's alerting whenever an empty group is deleted. This helps to take timely investigation to avoid unwanted deletions.

Proactively Monitor Microsoft 365 Group Membership Changes

Keep track of Microsoft 365 group membership changes to find any unauthorized bulk deletion of group members happened and the group was emptied.

Monitor Deleted Empty Groups Report in Microsoft Entra ID

Regularly review deleted groups in Microsoft 365 to identify unauthorized bulk deletions that may have emptied the group.

Group Dashboard for Visualizing Empty Groups

With AdminDroid's Microsoft 365 group dashboard, visualize empty groups and maintain a well-organized directory.

In conclusion, AdminDroid's Azure AD management tool offers an effective solution for identifying and managing empty groups. With its comprehensive reports, you can effortlessly maintain a clean directory, streamline group management, and enhance overall organizational efficiency.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps while Tracking Empty Groups in Microsoft Entra ID

The following are the possible errors and troubleshooting hints while managing Microsoft Entra ID empty groups.

Error: Get-MgGroup : Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied.

This error occurs when the 'Connect-MgGraph' cmdlet is executed without specifying the required scopes.

Troubleshooting hint :Define the necessary scopes when connecting to the Microsoft Graph PowerShell module.

Connect-MgGraph –Scopes Group.Read.All

Error: Failed to create group. Dynamic membership rule validation error: Invalid operator.

This error occurs when you try to create a dynamic membership group in Microsoft 365 with an invalid operator.

Troubleshooting hint :To resolve this error, review the dynamic membership rule and replace any invalid operators with the correct ones.

Error: Insufficient privileges to delete some or all of the selected groups.

This error occurs in the Microsoft Entra admin center when attempting to delete an empty group without the required admin permissions.

Troubleshooting hint :Ensure you have sufficient permissions. Read-only roles cannot delete groups. You must have Global Admin or Group Admin rights to delete an empty group.

Error: File D:\M365GroupReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run the PowerShell script and the system's execution policy restricts running unsigned scripts.

Troubleshooting hint :To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Find Empty Groups in Microsoft Entra ID