Azure AD

How to Get Microsoft 365 Groups with Disabled Users

When offboarding users in Microsoft 365, their disabled accounts may still be associated with groups. This can allow active users to gain unintended access to sensitive group emails through delegated mailbox permissions, creating a compliance risk. No worries! This guide provides steps to identify groups with disabled users in Microsoft 365 and keep your group management secure and compliant.

Using PowerShell Script

Microsoft 365 Permission Required

Reports Reader Least Privilege

Global Admin Most Privilege

Connect to the Microsoft Graph PowerShell using the cmdlet below.

Windows PowerShell

 Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

Get all the Microsoft 365 groups with disabled users using the below PowerShell script.

Windows PowerShell

 $disabledUsers = Get-MgUser -All -Filter "accountEnabled eq false"
$allGroups = Get-MgGroup -All
$results = @()
$allGroups | ForEach-Object {
    $group = $_
    $groupMembers = Get-MgGroupMember -GroupId $group.Id
    $disabledMembers = $disabledUsers | Where-Object { $groupMembers.Id -contains $_.Id }
    if ($disabledMembers.Count -gt 0) {
        foreach ($member in $disabledMembers) {
            $results += [pscustomobject]@{
                "Group Name"          = $group.DisplayName
                "Group Mail"          = $group.Mail
                "Disabled User Name"  = $member.DisplayName
                "User Principal Name" = $member.UserPrincipalName
            }
        }
    }
}
$results | Format-Table

This PowerShell script retrieves all groups with disabled members in Microsoft 365. It lists the names and user principal names (UPNs) of the disabled users in each group.

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Log in to the AdminDroid Office 365 reporter.
Navigate to the Group with Sign-in Disabled Members report under Reports»Azure AD»Group Reports»Group with Disabled Users.

Find all disabled users in Microsoft 365 groups with comprehensive details, such as their admin roles, user type, license status, disabled accounts with weak passwords, and much more with this report.

AdminDroid Group Membership Reporting

Pinpoint groups with disabled users in M365 to reduce overhead in group management!

AdminDroid's Microsoft 365 Entra ID reporting tool provides precise information about the Microsoft 365 groups, including members & owners who are disabled and their respective details. It also provides information on all group memberships in Microsoft 365, usage, empty groups, storage trends, and much more to ease your work in overall group management.

Instant Alerts to Prevent Compromised Accounts in M365 Groups

Use AdminDroid's built-in blocking users' sign-ins alert policy template🔔 to receive instant notifications whenever a user is disabled, preventing them from being added to any groups.

Monitor Forwarding Rules of Disabled Users' Mailboxes in EXO

Track the mail forwarding summary report to identify disabled users who have set up forwarding mail and prevent Microsoft 365 group emails from being sent to unwanted users.

Secure Group Data by Disabling Suspicious User Accounts

Audit Microsoft 365 users' failed logins to disable and remove those with multiple attempts from all groups, protecting data from security breaches and unauthorized access.

Track Disabled User Licenses for Better License Management

Keep an eye on the license assigned to sign-in disabled users and reassign them to active users for optimal license utilization.

Identify Impact of Disabled Owners' Activities in Microsoft 365 Groups

Utilize the user activities trend dashboard to track the past group administration activities of disabled users and assess their impact on group memberships and settings.

Export Disabled Group Owners Report in Multiple Formats

Export Microsoft 365 groups with disabled owners report in various formats like PDF, CSV, etc., allowing you to address ownership gaps to maintain compliance and secure access.

Uncover all details related to the groups with AdminDroid’s Microsoft 365 Azure AD management tool. It delivers valuable insights like disabled owners, hidden memberships, etc., across various group types within your Office 365 environment, including Microsoft 365 groups, distribution groups, security groups, and more.

Explore a full range of reporting options

Download Live Demo

Important Tips

Assign Entra ID group-based licenses to users instead of direct licenses to ensure licenses are automatically revoked when disabled users are removed from the group.

Ensure disabled users are removed from M365 groups by following Office 365 offboarding practices to minimize exposure to security threats.

Regularly audit sign-in re-enabled users to identify users who regained access to Microsoft 365 groups due to unauthorized reactivation of accounts.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when checking the group membership of disabled users.

Error Get-MgUser : Authentication needed. Please call Connect-MgGraph.

This error occurs in PowerShell when you try to get Azure AD users through before connecting to the Microsoft Graph module.

Fix To overcome this error, install and connect to the Microsoft Graph module before running the cmdlet.

//Run the below cmdlet to install the Microsoft Graph module.
Install-Module Microsoft.Graph
//Execute below command to connect to the Microsoft Graph.
Connect-MgGraph

Error Get-MgUser : Insufficient privileges to complete the operation.

This error occurs in PowerShell when you execute the 'Get-MgUser' cmdlet without the necessary permissions.

Fix Connect to Microsoft Graph with appropriate permissions.

Connect-MgGraph -Scope "User.Read.All", "Group.Read.All"

Error Needs permission to access resources in your organization that only an admin can grant.

This error may occur when you try to run the script with an account that lacks the necessary admin permissions to access the user details.

Fix Ensure that your account has appropriate permission to access the users' details in Microsoft 365.

Azure AD

Frequently Asked Questions

Locate Disabled Users in Microsoft 365 Groups to Minimize Sensitive Data Leakages

Why should admins remove disabled users from groups in Microsoft 365?

How to identify disabled users’ group membership in Microsoft 365?

How to remove disabled users from the Microsoft 365 groups?

How to identify Microsoft 365 groups with disabled owners?

1. Why should admins remove disabled users from groups in Microsoft 365?

When a disabled user remains in Microsoft 365 groups, it can create several discomforts and burdens for admins, especially from a security and management perspective.

Removing disabled users from M365 groups helps prevent the challenges below.

Security Risks: If a disabled account is re-enabled without proper review, the user might regain access to group resources, files, or systems. This could result in unauthorized access to the Microsoft 365 groups they are part of.
Audit Challenges: During Microsoft 365 audit, disabled users in active groups can complicate the access management process. It requires manual identification and removal of disabled users from all Microsoft 365 groups, which becomes time-consuming in larger organizations.
Administrative Challenges: If a disabled user is the sole owner of a Microsoft 365 group, it might delay decision-making processes. This can disrupt group administration, especially if the disabled user is responsible for adding/removing members or approving access requests.
Compliance and Legal Implications: Delegate users of disabled accounts might inadvertently access sensitive data in group mailboxes, violating data privacy regulations, such as GDPR or HIPAA. This is why many organizations enforce strict policies for deprovisioning users once they are no longer active. Failing to remove disabled users from groups can therefore lead to sensitive data breaches and legal complications.
Communication and Collaboration Issues: Disabled users in distribution lists may still receive group emails. This could be problematic, especially if their account is re-enabled following a compromise.
License Management: Group in Microsoft 365 are often tied to group-based licensing. In such cases, keeping disabled users in groups might result in unnecessary license consumption, leading to increased licensing costs.

By addressing these issues, you can maintain a secure, efficient, and compliant Microsoft 365 environment. This ensures that only sign-in allowed Microsoft 365 users have appropriate access and control over resources.

2. How to identify disabled users’ group membership in Microsoft 365?

When a compromised Microsoft 365 user account is disabled, identifying and removing the sign-in blocked user from all groups is critical to prevent any security risks. Manually checking each group to identify the user’s memberships won’t be efficient. Instead, follow the below steps to quickly find disabled users and remove their Microsoft 365 group membership by PowerShell.

Check group membership of disabled users using PowerShell

Connect to the Microsoft Graph PowerShell using the cmdlet below.
```
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"
```
To find a disabled user's group membership, you must first determine the user's identity. You can do this by executing the cmdlet below to get details of all disabled users in your M365 environment.
```
Get-MgUser -All -Filter "accountEnabled eq false" | ft
```

To get the disabled user's group membership, execute the cmdlet below, replacing <DisabledUserID/UPN> with the ID or UPN of the sign-in blocked user.

Get-MgUserMemberOf -UserId <DisabledUserId/UPN> | 
Select-Object -ExpandProperty AdditionalProperties | 
Select-Object @{Name = 'GroupName'; Expression = { $_["displayName"] }}

disabled-user-group-membership-powershell

Handy Tip: Run the below PowerShell script as follows to identify all disabled users in Microsoft 365 and their group memberships.

.\UserMembershipReport.ps1 -DisabledUsersOnly

UserMembershipReport.ps1

3. How to remove disabled users from the Microsoft 365 groups?

Disabled users in Microsoft 365 groups can create unnecessary clutter, making group management more complex and harder to maintain. To minimize these overhead, it’s essential to check and remove disabled users from groups regularly. This proactive approach helps maintain compliant, smooth, and secure group management.

Remove disabled users from groups using the M365 admin center

Navigate to the Active users in the Microsoft 365 admin center.
Click Filter and choose Sign-in blocked to filter the page to show only the disabled users. (If you can't see the Filter option, select it from the ellipses(...) located in the top right corner.)
Click on the disabled users and choose Manage groups under the Groups section in the Account tab.
Select the groups and choose Remove. Then click Yes on the confirmation page to remove the user from the groups.

Stay vigilant against the group membership of disabled users with AdminDroid's reporting capabilities!

The All Users Group Membership report provides detailed insights into group memberships of Microsoft 365 users, including their sign-in status, group type, department, job title, external user status, and more.
This allows you to easily identify sign-in denied users who need to be removed from Microsoft 365 groups, thereby improving overall security.

4. How to identify Microsoft 365 groups with disabled owners?

If a group owner becomes disabled, it can lead to significant administrative issues, such as the inability to manage or monitor group members, track group settings, or oversee changes to group permissions. Identifying groups with disabled owners in Microsoft 365 helps to prevent these challenges by allowing immediate reassignment of ownership for uninterrupted administration.

Identify Microsoft 365 groups with disabled owners using PowerShell

Connect to the Microsoft Graph PowerShell.

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

Run the following script to get all the groups with disabled owners in Microsoft 365.

$Groups = Get-MgGroup -All
$GroupsWithDisabledOwners = @()
foreach ($Group in $Groups) {
    $Owners = Get-MgGroupOwner -GroupId $Group.Id
    foreach ($Owner in $Owners) {
        $OwnerDetails = Get-MgUser -UserId $Owner.Id -Property DisplayName, Mail, AccountEnabled, UserPrincipalName
        if ($OwnerDetails.AccountEnabled -eq $false) {
            $GroupsWithDisabledOwners += [PSCustomObject]@{
                "Group Name" = $Group.DisplayName
                "Group Mail" = $Group.Mail
                "Disabled Owner" = $OwnerDetails.DisplayName
                "Disabled Owner Mail" = $OwnerDetails.UserPrincipalName
            }
        }
    }
}
$GroupsWithDisabledOwners | Format-Table -AutoSize

m365-groups-with-disabled-owners-powershell

The execution of the script may take time depending on the number of groups in your organization.

Gain instant insights into disabled owners in Microsoft 365 Groups with just a few clicks!

The Groups with Sign-in Disabled Owners report in AdminDroid provides a straightforward way to identify all groups with disabled owners in Microsoft 365.
It helps you check if there are other active owners with sign-in privileges in those groups to manage them; if not, you can reassign ownership to another active user.