
How to Get Microsoft 365 Groups with Disabled Users

When offboarding users in Microsoft 365, their disabled accounts may still be associated with groups. This can allow active users to gain unintended access to sensitive group emails through delegated mailbox permissions, creating a compliance risk. No worries! This guide provides steps to identify groups with disabled users in Microsoft 365 and keep your group management secure and compliant.

Using PowerShell Script

Microsoft 365 Permission Required
  • Least privilege: Reports Reader
  • Most privilege: Global Admin
  • Connect to Microsoft Graph PowerShell using the cmdlet below.
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
  • Get all the Microsoft 365 groups with disabled users using the PowerShell script below.
    # Collect every sign-in blocked account once, up front.
    $disabledUsers = Get-MgUser -All -Filter "accountEnabled eq false"
    $allGroups = Get-MgGroup -All
    $results = @()
    $allGroups | ForEach-Object {
        $group = $_
        # -All follows paging; without it only the first page of members is returned.
        $groupMembers = Get-MgGroupMember -GroupId $group.Id -All
        # Keep the disabled accounts that appear in this group's member list.
        $disabledMembers = @($disabledUsers | Where-Object { $groupMembers.Id -contains $_.Id })
        if ($disabledMembers.Count -gt 0) {
            foreach ($member in $disabledMembers) {
                $results += [pscustomobject]@{
                    "Group Name"          = $group.DisplayName
                    "Group Mail"          = $group.Mail
                    "Disabled User Name"  = $member.DisplayName
                    "User Principal Name" = $member.UserPrincipalName
                }
            }
        }
    }
    $results | Format-Table
  • This PowerShell script retrieves all groups with disabled members in Microsoft 365. It lists the names and user principal names (UPNs) of the disabled users in each group.

Pinpoint groups with disabled users in M365 to reduce overhead in group management!

AdminDroid's Microsoft 365 Entra ID reporting tool provides precise information about the Microsoft 365 groups, including members & owners who are disabled and their respective details. It also provides information on all group memberships in Microsoft 365, usage, empty groups, storage trends, and much more to ease your work in overall group management.

Instant Alerts to Prevent Compromised Accounts in M365 Groups

Use AdminDroid's built-in blocking users' sign-ins alert policy template🔔 to receive instant notifications whenever a user is disabled, preventing them from being added to any groups.

Monitor Forwarding Rules of Disabled Users' Mailboxes in EXO

Track the mail forwarding summary report to identify disabled users who have set up forwarding mail and prevent Microsoft 365 group emails from being sent to unwanted users.

Secure Group Data by Disabling Suspicious User Accounts

Audit Microsoft 365 users' failed logins to disable and remove those with multiple attempts from all groups, protecting data from security breaches and unauthorized access.

Track Disabled User Licenses for Better License Management

Keep an eye on the license assigned to sign-in disabled users and reassign them to active users for optimal license utilization.

Identify Impact of Disabled Owners' Activities in Microsoft 365 Groups

Utilize the user activities trend dashboard to track the past group administration activities of disabled users and assess their impact on group memberships and settings.

Export Disabled Group Owners Report in Multiple Formats

Export Microsoft 365 groups with disabled owners report in various formats like PDF, CSV, etc., allowing you to address ownership gaps to maintain compliance and secure access.

Uncover all details related to the groups with AdminDroid’s Microsoft 365 Azure AD management tool. It delivers valuable insights like disabled owners, hidden memberships, etc., across various group types within your Office 365 environment, including Microsoft 365 groups, distribution groups, security groups, and more.

Important Tips

Assign Entra ID group-based licenses to users instead of direct licenses to ensure licenses are automatically revoked when disabled users are removed from the group.

Ensure disabled users are removed from M365 groups by following Office 365 offboarding practices to minimize exposure to security threats.

Regularly audit sign-in re-enabled users to identify users who regained access to Microsoft 365 groups due to unauthorized reactivation of accounts.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when checking the group membership of disabled users.

Error Get-MgUser : Authentication needed. Please call Connect-MgGraph.

This error occurs in PowerShell when you try to get Azure AD users before connecting to the Microsoft Graph module.

Fix To overcome this error, install and connect to the Microsoft Graph module before running the cmdlet.
# Run the cmdlet below to install the Microsoft Graph module.
Install-Module Microsoft.Graph
# Execute the command below to connect to Microsoft Graph.
Connect-MgGraph

Error Get-MgUser : Insufficient privileges to complete the operation.

This error occurs in PowerShell when you execute the 'Get-MgUser' cmdlet without the necessary permissions.

Fix Connect to Microsoft Graph with appropriate permissions.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

Error Needs permission to access resources in your organization that only an admin can grant.

This error may occur when you try to run the script with an account that lacks the necessary admin permissions to access the user details.

Fix Ensure that your account has appropriate permission to access the users' details in Microsoft 365.

Frequently Asked Questions

Locate Disabled Users in Microsoft 365 Groups to Minimize Sensitive Data Leakages

Why should admins remove disabled users from groups in Microsoft 365?

When a disabled user remains in Microsoft 365 groups, it can create several problems and burdens for admins, especially from a security and management perspective.

Removing disabled users from M365 groups helps prevent the challenges below.

  • Security Risks: If a disabled account is re-enabled without proper review, the user might regain access to group resources, files, or systems. This could result in unauthorized access to the Microsoft 365 groups they are part of.
  • Audit Challenges: During a Microsoft 365 audit, disabled users in active groups can complicate the access management process. It requires manual identification and removal of disabled users from all Microsoft 365 groups, which becomes time-consuming in larger organizations.
  • Administrative Challenges: If a disabled user is the sole owner of a Microsoft 365 group, it might delay decision-making processes. This can disrupt group administration, especially if the disabled user is responsible for adding/removing members or approving access requests.
  • Compliance and Legal Implications: Delegate users of disabled accounts might inadvertently access sensitive data in group mailboxes, violating data privacy regulations, such as GDPR or HIPAA. This is why many organizations enforce strict policies for deprovisioning users once they are no longer active. Failing to remove disabled users from groups can therefore lead to sensitive data breaches and legal complications.
  • Communication and Collaboration Issues: Disabled users in distribution lists may still receive group emails. This could be problematic, especially if their account is re-enabled following a compromise.
  • License Management: Groups in Microsoft 365 are often tied to group-based licensing. In such cases, keeping disabled users in groups might result in unnecessary license consumption, leading to increased licensing costs.

By addressing these issues, you can maintain a secure, efficient, and compliant Microsoft 365 environment. This ensures that only sign-in allowed Microsoft 365 users have appropriate access and control over resources.

How to identify disabled users’ group membership in Microsoft 365?

When a compromised Microsoft 365 user account is disabled, identifying and removing the sign-in blocked user from all groups is critical to prevent any security risks. Manually checking each group to identify the user’s memberships won’t be efficient. Instead, follow the steps below to quickly find disabled users and remove their Microsoft 365 group memberships using PowerShell.

Check group membership of disabled users using PowerShell

  • Connect to Microsoft Graph PowerShell using the cmdlet below.
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
  • To find a disabled user's group membership, you must first determine the user's identity. You can do this by executing the cmdlet below to get details of all disabled users in your M365 environment.
    Get-MgUser -All -Filter "accountEnabled eq false" | Format-Table
  • To get the disabled user's group membership, execute the cmdlet below, replacing <DisabledUserId/UPN> with the ID or UPN of the sign-in blocked user.
    # -All follows paging so that every membership is returned, not only the first page.
    Get-MgUserMemberOf -UserId <DisabledUserId/UPN> -All |
    Select-Object -ExpandProperty AdditionalProperties |
    Select-Object @{Name = 'GroupName'; Expression = { $_["displayName"] }}

Handy Tip: Run the PowerShell script below as shown to identify all disabled users in Microsoft 365 and their group memberships.

.\UserMembershipReport.ps1 -DisabledUsersOnly

UserMembershipReport.ps1

How to remove disabled users from the Microsoft 365 groups?

Disabled users in Microsoft 365 groups can create unnecessary clutter, making group management more complex and harder to maintain. To minimize this overhead, it’s essential to check and remove disabled users from groups regularly. This proactive approach helps maintain compliant, smooth, and secure group management.

Remove disabled users from groups using the M365 admin center

  • Navigate to the Active users in the Microsoft 365 admin center.
  • Click Filter and choose Sign-in blocked to filter the page to show only the disabled users. (If you can't see the Filter option, select it from the ellipsis (...) located in the top right corner.)
  • Click on the disabled users and choose Manage groups under the Groups section in the Account tab.
  • Select the groups and choose Remove. Then click Yes on the confirmation page to remove the user from the groups.
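
The identification steps from the previous answer and the removal steps above can also be combined in PowerShell. The following is an added example, not AdminDroid's script or part of the original page: the function names, the CSV path, and the extra GroupMember.ReadWrite.All scope are assumptions of this example. It goes beyond the page by skipping dynamic and directory-synced groups, whose membership cannot be edited through Microsoft Graph.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

# Removal needs a write scope in addition to the read scope used on this page (assumption of this example).
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.ReadWrite.All"

function Get-DisabledUserGroupMembership {
    # One memberOf call per disabled user instead of one member listing per group.
    $users = Get-MgUser -All -Filter "accountEnabled eq false" -Property Id, DisplayName, UserPrincipalName
    foreach ($user in $users) {
        foreach ($entry in (Get-MgUserMemberOf -UserId $user.Id -All)) {
            $p = $entry.AdditionalProperties
            # memberOf also returns directory roles and administrative units; keep groups only.
            if ($p['@odata.type'] -ne '#microsoft.graph.group') { continue }
            $types = @($p['groupTypes'])
            [pscustomobject]@{
                UserId            = $user.Id
                UserPrincipalName = $user.UserPrincipalName
                GroupId           = $entry.Id
                GroupName         = $p['displayName']
                IsMicrosoft365    = $types -contains 'Unified'
                IsDynamic         = $types -contains 'DynamicMembership'
                IsSynced          = [bool]$p['onPremisesSyncEnabled']
            }
        }
    }
}

function Remove-DisabledUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] $Membership)
    process {
        # Dynamic groups need a rule change and synced groups an on-premises change, so skip them.
        if (-not $Membership.IsMicrosoft365 -or $Membership.IsDynamic -or $Membership.IsSynced) {
            Write-Warning "Skipped $($Membership.GroupName): not a directly assigned, cloud-managed Microsoft 365 group"
            return
        }
        $target = "$($Membership.UserPrincipalName) in $($Membership.GroupName)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove group membership')) {
            # DELETE /groups/{group-id}/members/{user-id}/$ref removes the membership link only.
            $uri = "https://graph.microsoft.com/v1.0/groups/$($Membership.GroupId)/members/$($Membership.UserId)/`$ref"
            Invoke-MgGraphRequest -Method DELETE -Uri $uri
        }
    }
}

# Keep a record of what was found before changing anything.
$report = Get-DisabledUserGroupMembership
$report | Export-Csv -Path .\DisabledUserGroupMemberships.csv -NoTypeInformation
$report | Remove-DisabledUserGroupMembership -WhatIf   # preview only; drop -WhatIf to apply
```

Without -WhatIf, each removal prompts for confirmation because the function declares a high confirm impact. The exported CSV records the memberships as they were before removal.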

Stay vigilant against the group membership of disabled users with AdminDroid's reporting capabilities!

  • The All Users Group Membership report provides detailed insights into group memberships of Microsoft 365 users, including their sign-in status, group type, department, job title, external user status, and more.
  • This allows you to easily identify sign-in denied users who need to be removed from Microsoft 365 groups, thereby improving overall security.

How to identify Microsoft 365 groups with disabled owners?

If a group owner becomes disabled, it can lead to significant administrative issues, such as the inability to manage or monitor group members, track group settings, or oversee changes to group permissions. Identifying groups with disabled owners in Microsoft 365 helps to prevent these challenges by allowing immediate reassignment of ownership for uninterrupted administration.

Identify Microsoft 365 groups with disabled owners using PowerShell

  • Connect to Microsoft Graph PowerShell.
    Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
  • Run the following script to get all the groups with disabled owners in Microsoft 365.
    $Groups = Get-MgGroup -All
    $GroupsWithDisabledOwners = @()
    foreach ($Group in $Groups) {
        # -All follows paging so that every owner is returned.
        $Owners = Get-MgGroupOwner -GroupId $Group.Id -All
        foreach ($Owner in $Owners) {
            # Owners can also be service principals; only user objects have AccountEnabled to check here.
            if ($Owner.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
            # AccountEnabled is not returned by default, so request it explicitly.
            $OwnerDetails = Get-MgUser -UserId $Owner.Id -Property DisplayName, Mail, AccountEnabled, UserPrincipalName
            if ($OwnerDetails.AccountEnabled -eq $false) {
                $GroupsWithDisabledOwners += [PSCustomObject]@{
                    "Group Name" = $Group.DisplayName
                    "Group Mail" = $Group.Mail
                    "Disabled Owner" = $OwnerDetails.DisplayName
                    "Disabled Owner Mail" = $OwnerDetails.UserPrincipalName
                }
            }
        }
    }
    $GroupsWithDisabledOwners | Format-Table -AutoSize

The execution of the script may take time depending on the number of groups in your organization.

Gain instant insights into disabled owners in Microsoft 365 Groups with just a few clicks!

  • The Groups with Sign-in Disabled Owners report in AdminDroid provides a straightforward way to identify all groups with disabled owners in Microsoft 365.
  • It helps you check if there are other active owners with sign-in privileges in those groups to manage them; if not, you can reassign ownership to another active user.