
How to Get Microsoft 365 Groups with Disabled Users

When offboarding users in Microsoft 365, their disabled accounts may still be associated with groups. This can allow active users to gain unintended access to sensitive group emails through delegated mailbox permissions, creating a compliance risk. No worries! This guide provides steps to identify groups with disabled users in Microsoft 365 and keep your group management secure and compliant.

Native Solution

Microsoft 365 Permission Required

High
Least Privilege: Reports Reader

Most Privilege: Global Admin

Option 1: Using PowerShell Script

  • Connect to the Microsoft Graph PowerShell using the cmdlet below.
     Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
  • Get all the Microsoft 365 groups with disabled users using the below PowerShell script.
    # All accounts whose sign-in is blocked
    $disabledUsers = Get-MgUser -All -Filter "accountEnabled eq false"
    $allGroups = Get-MgGroup -All
    $results = @()
    $allGroups | ForEach-Object {
        $group = $_
        # -All is required; without it only the first page (100 members) is returned
        $groupMembers = Get-MgGroupMember -GroupId $group.Id -All
        # Keep the disabled users that appear in this group's member list
        $disabledMembers = $disabledUsers | Where-Object { $groupMembers.Id -contains $_.Id }
        if ($disabledMembers.Count -gt 0) {
            foreach ($member in $disabledMembers) {
                $results += [pscustomobject]@{
                    "Group Name"          = $group.DisplayName
                    "Group Mail"          = $group.Mail
                    "Disabled User Name"  = $member.DisplayName
                    "User Principal Name" = $member.UserPrincipalName
                }
            }
        }
    }
    $results | Format-Table
  • This PowerShell script retrieves all groups with disabled members in Microsoft 365. It lists the names and user principal names (UPNs) of the disabled users in each group.
AdminDroid Solution
This report and 150+ other reports are available in the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the Group with Sign-in Disabled Members report under Reports»Azure AD»Group Reports»Group with Disabled Users.

Find all disabled users in Microsoft 365 groups with comprehensive details, such as their admin roles, user type, license status, disabled accounts with weak passwords, and much more with this report.

  • Leverage AdminDroid's customizable charts to pinpoint disabled users with licenses, allowing you to revoke licenses and optimize license management efficiently.

Identify Disabled Users in Microsoft 365 Groups!

Use AdminDroid's Microsoft 365 groups reporting tool to detect disabled users in groups! Efficiently remove their access permissions from Entra ID groups and ensure sensitive data is safe.

Witness the report in action using the

Important Tips

Assign Entra ID group-based licenses to users instead of direct licenses to ensure licenses are automatically revoked when disabled users are removed from the group.

Ensure disabled users are removed from M365 groups by following Office 365 offboarding practices to minimize exposure to security threats.

Regularly audit sign-in re-enabled users to identify users who regained access to Microsoft 365 groups due to unauthorized reactivation of accounts.

Azure AD: Locate Disabled Users in Microsoft 365 Groups to Minimize Sensitive Data Leakages


Why should admins remove disabled users from groups in Microsoft 365?

When a disabled user remains in Microsoft 365 groups, it creates several security and management burdens for admins.

Removing disabled users from M365 groups helps prevent the challenges below.

  • Security Risks: If a disabled account is re-enabled without proper review, the user might regain access to group resources, files, or systems. This could result in unauthorized access to the Microsoft 365 groups they are part of.
  • Audit Challenges: During a Microsoft 365 audit, disabled users in active groups complicate the access review. Each disabled user must be identified and removed from every Microsoft 365 group manually, which becomes time-consuming in larger organizations.
  • Administrative Challenges: If a disabled user is the sole owner of a Microsoft 365 group, it might delay decision-making processes. This can disrupt group administration, especially if the disabled user is responsible for adding/removing members or approving access requests.
  • Compliance and Legal Implications: Users holding delegated access to a disabled account's mailbox might inadvertently access sensitive data in group mailboxes, violating data privacy regulations such as GDPR or HIPAA. This is why many organizations enforce strict policies for deprovisioning users once they are no longer active. Failing to remove disabled users from groups can therefore lead to sensitive data breaches and legal complications.
  • Communication and Collaboration Issues: Disabled users in distribution lists may still receive group emails. This could be problematic, especially if their account is re-enabled following a compromise.
  • License Management: Groups in Microsoft 365 are often tied to group-based licensing. In such cases, keeping disabled users in groups results in unnecessary license consumption and increased licensing costs.

By addressing these issues, you can maintain a secure, efficient, and compliant Microsoft 365 environment. This ensures that only users who are allowed to sign in have access to and control over resources.

How to identify disabled users’ group membership in Microsoft 365?

When a compromised Microsoft 365 user account is disabled, identifying and removing the sign-in blocked user from all groups is critical to prevent further security risks. Manually checking each group for the user's memberships is not efficient. Instead, follow the steps below to quickly find disabled users and their Microsoft 365 group memberships using PowerShell.

Check group membership of disabled users using PowerShell

  • Connect to the Microsoft Graph PowerShell using the cmdlet below.
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
  • To find a disabled user's group membership, you must first determine the user's identity. You can do this by executing the cmdlet below to get details of all disabled users in your M365 environment.
    Get-MgUser -All -Filter "accountEnabled eq false" | Format-Table Id, DisplayName, UserPrincipalName
  • To get the disabled user's group membership, execute the cmdlet below, replacing <DisabledUserId/UPN> with the ID or UPN of the sign-in blocked user. -All returns every membership rather than only the first page.
    Get-MgUserMemberOf -UserId <DisabledUserId/UPN> -All |
    Select-Object -ExpandProperty AdditionalProperties |
    Select-Object @{Name = 'GroupName'; Expression = { $_["displayName"] }}

Handy Tip: Run the UserMembershipReport.ps1 script as follows to identify all disabled users in Microsoft 365 and their group memberships.

.\UserMembershipReport.ps1 -DisabledUsersOnly


How to remove disabled users from the Microsoft 365 groups?

Disabled users in Microsoft 365 groups create unnecessary clutter, making group management more complex and harder to maintain. To minimize this overhead, it's essential to check for and remove disabled users from groups regularly. This proactive approach helps maintain compliant, smooth, and secure group management.

Remove disabled users from groups using the M365 admin center

  • Navigate to the Active users in the Microsoft 365 admin center.
  • Click Filter and choose Sign-in blocked to filter the page to show only the disabled users. (If you can't see the Filter option, select it from the ellipsis (...) in the top right corner.)
  • Click on the disabled users and choose Manage groups under the Groups section in the Account tab.
  • Select the groups and choose Remove. Then click Yes on the confirmation page to remove the user from the groups.
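The same cleanup can be scripted. The following is an added example (not from the original page or AdminDroid) that removes every disabled user from the groups Microsoft Graph can edit; it is a dry run unless -Commit is passed, and it needs the GroupMember.ReadWrite.All scope in addition to the read scopes used above. Groups synced from on-premises AD, dynamic groups, distribution groups and mail-enabled security groups are reported but skipped, because their membership cannot be changed through Graph.

```powershell
# Added example: remove disabled users from Graph-manageable groups (dry run by default).
[CmdletBinding()]
param([switch]$Commit)

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All"

$disabledUsers = Get-MgUser -All -Filter "accountEnabled eq false" -Property Id, UserPrincipalName

$log = foreach ($user in $disabledUsers) {
    # memberOf also returns directory roles and administrative units; keep group objects only
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    foreach ($g in $groups) {
        $p = $g.AdditionalProperties
        $groupTypes = @($p['groupTypes'])

        # Membership that Graph cannot change: synced from on-prem AD, rule-based (dynamic),
        # or Exchange-managed (distribution / mail-enabled security groups, i.e. mail-enabled
        # but not a Microsoft 365 "Unified" group).
        $isSynced          = $p['onPremisesSyncEnabled'] -eq $true
        $isDynamic         = $groupTypes -contains 'DynamicMembership'
        $isExchangeManaged = $p['mailEnabled'] -and -not ($groupTypes -contains 'Unified')

        $action = if ($isSynced)           { 'Skip (remove in on-premises AD)' }
                  elseif ($isDynamic)      { 'Skip (dynamic membership rule)' }
                  elseif ($isExchangeManaged) { 'Skip (use Remove-DistributionGroupMember in EXO)' }
                  elseif ($Commit)         { 'Removed' }
                  else                     { 'Would remove (dry run)' }

        if ($action -eq 'Removed') {
            Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
        }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            GroupName         = $p['displayName']
            GroupId           = $g.Id
            Action            = $action
        }
    }
}

# Keep an audit trail of what was (or would be) removed
$log | Export-Csv -Path ".\DisabledUserGroupCleanup.csv" -NoTypeInformation
$log | Format-Table -AutoSize
```

Review the dry-run CSV before re-running with -Commit; the skipped rows tell you which memberships still need to be handled in Exchange Online or on-premises AD.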

Stay vigilant against the group membership of disabled users with AdminDroid's reporting capabilities!

  • The All Users Group Membership report provides detailed insights into group memberships of Microsoft 365 users, including their sign-in status, group type, department, job title, external user status, and more.
  • This allows you to easily identify sign-in denied users who need to be removed from Microsoft 365 groups, thereby improving overall security.

How to identify Microsoft 365 groups with disabled owners?

If a group owner becomes disabled, it can lead to significant administrative issues, such as the inability to manage or monitor group members, track group settings, or oversee changes to group permissions. Identifying groups with disabled owners in Microsoft 365 helps to prevent these challenges by allowing immediate reassignment of ownership for uninterrupted administration.

Identify Microsoft 365 groups with disabled owners using PowerShell

  • Connect to the Microsoft Graph PowerShell.
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
  • Run the following script to get all the groups with disabled owners in Microsoft 365.
    $Groups = Get-MgGroup -All
    $GroupsWithDisabledOwners = @()
    foreach ($Group in $Groups) {
        # Owners can also be service principals; only user owners are looked up with Get-MgUser
        $Owners = Get-MgGroupOwner -GroupId $Group.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
        foreach ($Owner in $Owners) {
            $OwnerDetails = Get-MgUser -UserId $Owner.Id -Property DisplayName, Mail, AccountEnabled, UserPrincipalName
            if ($OwnerDetails.AccountEnabled -eq $false) {
                $GroupsWithDisabledOwners += [PSCustomObject]@{
                    "Group Name" = $Group.DisplayName
                    "Group Mail" = $Group.Mail
                    "Disabled Owner" = $OwnerDetails.DisplayName
                    "Disabled Owner Mail" = $OwnerDetails.UserPrincipalName
                }
            }
        }
    }
    $GroupsWithDisabledOwners | Format-Table -AutoSize
    

The execution of the script may take time depending on the number of groups in your organization.
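Much of that time is spent calling Get-MgUser once per owner. The following added example (not from the original page or AdminDroid) covers both the disabled-members script and the disabled-owners script above in a single pass: it loads the disabled users once into a hashtable, walks each group's owners and members with -All, and flags groups whose user owners are all disabled, which is the sole-owner situation described earlier. The CSV path is an assumption.

```powershell
# Added example: one pass over all groups reporting disabled members and owners.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

# O(1) lookup: disabled user ID -> user object (loaded once, not once per owner)
$disabled = @{}
Get-MgUser -All -Filter "accountEnabled eq false" -Property Id, UserPrincipalName, DisplayName |
    ForEach-Object { $disabled[$_.Id] = $_ }

$report = foreach ($group in Get-MgGroup -All -Property Id, DisplayName, Mail) {
    # -All avoids the default 100-object page; owners may be service principals,
    # so only user objects are compared against the disabled-user table
    $owners  = @(Get-MgGroupOwner -GroupId $group.Id -All |
                 Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)

    $disabledOwners  = @($owners  | Where-Object { $disabled.ContainsKey($_.Id) })
    $disabledMembers = @($members | Where-Object { $disabled.ContainsKey($_.Id) })

    # True when every user owner is disabled: nobody enabled is left to administer the group
    $noEnabledOwner = ($owners.Count -gt 0) -and ($disabledOwners.Count -eq $owners.Count)

    foreach ($o in $disabledOwners) {
        [pscustomobject]@{
            GroupName          = $group.DisplayName
            GroupMail          = $group.Mail
            Role               = 'Owner'
            UserPrincipalName  = $disabled[$o.Id].UserPrincipalName
            NoEnabledOwnerLeft = $noEnabledOwner
        }
    }
    foreach ($m in $disabledMembers) {
        [pscustomobject]@{
            GroupName          = $group.DisplayName
            GroupMail          = $group.Mail
            Role               = 'Member'
            UserPrincipalName  = $disabled[$m.Id].UserPrincipalName
            NoEnabledOwnerLeft = $noEnabledOwner
        }
    }
}

# Groups with no enabled owner come first, since they need ownership reassigned
$report | Sort-Object NoEnabledOwnerLeft -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\GroupsWithDisabledUsers.csv" -NoTypeInformation
```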

Gain instant insights into disabled owners in Microsoft 365 Groups with just a few clicks!

  • The Groups with Sign-in Disabled Owners report in AdminDroid provides a straightforward way to identify all groups with disabled owners in Microsoft 365.
  • It helps you check if there are other active owners with sign-in privileges in those groups to manage them; if not, you can reassign ownership to another active user.

AdminDroid Group Membership Reporting

Pinpoint groups with disabled users in M365 to reduce overhead in group management!

AdminDroid's Microsoft 365 Entra ID reporting tool provides precise information about the Microsoft 365 groups, including members & owners who are disabled and their respective details. It also provides information on all group memberships in Microsoft 365, usage, empty groups, storage trends, and much more to ease your work in overall group management.

A Quick Summary

Instant Alerts to Prevent Compromised Accounts in M365 Groups

Use AdminDroid's built-in blocking users' sign-ins alert policy template to receive instant notifications whenever a user is disabled, so the account is not added to any groups afterwards.

Monitor Forwarding Rules of Disabled Users' Mailboxes in EXO

Track the mail forwarding summary report to identify disabled users who have set up forwarding mail and prevent Microsoft 365 group emails from being sent to unwanted users.

Secure Group Data by Disabling Suspicious User Accounts

Audit Microsoft 365 users' failed logins to disable and remove those with multiple attempts from all groups, protecting data from security breaches and unauthorized access.

Track Disabled User Licenses for Better License Management

Keep an eye on the licenses assigned to sign-in disabled users and reassign them to active users for optimal license utilization.

Identify Impact of Disabled Owners' Activities in Microsoft 365 Groups

Utilize the user activities trend dashboard to track the past group administration activities of disabled users and assess their impact on group memberships and settings.

Export Disabled Group Owners Report in Multiple Formats

Export Microsoft 365 groups with disabled owners report in various formats like PDF, CSV, etc., allowing you to address ownership gaps to maintain compliance and secure access.

Uncover all details related to the groups with AdminDroid’s Microsoft 365 Azure AD management tool. It delivers valuable insights like disabled owners, hidden memberships, etc., across various group types within your Office 365 environment, including Microsoft 365 groups, distribution groups, security groups, and more.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps When Tracking Disabled Users in Microsoft 365 Groups

The following are the possible errors and troubleshooting hints when checking the group membership of disabled users.

Error: Get-MgUser : Authentication needed. Please call Connect-MgGraph.

This error occurs in PowerShell when you try to get Azure AD users before connecting to the Microsoft Graph module.

Troubleshooting hint: To overcome this error, install and connect to the Microsoft Graph module before running the cmdlet.

# Run the below cmdlet to install the Microsoft Graph module.
Install-Module Microsoft.Graph
# Execute the below command to connect to Microsoft Graph.
Connect-MgGraph

Error: Get-MgUser : Insufficient privileges to complete the operation.

This error occurs in PowerShell when you execute the 'Get-MgUser' cmdlet without the necessary permissions.

Troubleshooting hint: Connect to Microsoft Graph with the appropriate permission scopes.

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

Error: Needs permission to access resources in your organization that only an admin can grant.

This error may occur when you try to run the script with an account that lacks the necessary admin permissions to access the user details.

Troubleshooting hint: Ensure that your account has the appropriate permissions to access users' details in Microsoft 365, or have an admin grant consent for the requested scopes.