This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Export Azure AD Guest Users Report with Group Memberships

Are you concerned about the risk of leaking sensitive information in your organization because of adding guest users to Microsoft 365 groups? Now, safeguard your data by getting the guest users' membership report and revoke unnecessary guest access to ensure your organization’s security.

Native Solution

Microsoft 365 Permission Required


Global Admin or a User Admin.

Option 1 Using Microsoft 365 Admin Center

Using Microsoft 365 Admin Center
  • You can get the selected guest user's group membership in the Groups section as highlighted in the image above.

Option 2 Using Windows PowerShell

  • Connect to the Azure AD PowerShell.
  • Follow the below cmdlets to get the group memberships of Azure AD guest users.
  • Windows PowerShell Windows PowerShell

Option 3 Using PowerShell Script

  • As the above cmdlets cannot display the all guest users' group memberships in a single report, we have prepared a PowerShell script that can display the group memberships of all the guest users in your Microsoft 365 environment.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
AdminDroid Solution
More than 150 reports are under free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

  • Login to the AdminDroid Office 365 portal.
  • Navigate to Reports»Security»External User Reports»Group Membership.
Using AdminDroid

Visualize the complete list of guest users’ group memberships along with their department, company, sign in status, location etc.

  • Take advantage of the built-in graphical representation capability to visually depict the number of guest users associated with each specific group.

Simple yet the best! Isn't it?

Revoke unnecessary guest user group membership before losing highly confidential data with the help of AdminDroid effectively!

Witness the report in action using the

Azure ADFind the Guest Users’ Group Memberships to Avoid Sensitive Data Loss in Microsoft 365

Showing 1 of 5

Why are guest users added to Microsoft 365 groups?

Guest users are often added to Microsoft 365 groups to facilitate collaboration with users inside your organization. It is useful for companies that frequently work with external contractors, partners, or clients. Here are some reasons why admins add guest users to a Microsoft 365 group:

  • Cross-Organization Collaboration: In scenarios where projects involve multiple organizations or external members, admins add guests to a Microsoft 365 group and ensure everyone can collaborate using the same set of resources like SharePoint, OneDrive, Microsoft Teams, etc.
  • Single Point of Access: Microsoft 365 groups provide a single point of access for resources like shared mailboxes, calendars, and document libraries. Adding guest users enables them to access these features just like internal users, but with controlled permissions.
  • Ease of Management: Having Microsoft 365 guest users in a single group makes it easier to manage their permissions and resource access centrally. It is beneficial for IT admins who need to keep track of external users' access to resources.
  • Security: Guest users are assigned a specific set of M365 permissions that should be carefully managed. This means that organizations can extend their resources to outside users while maintaining security controls. Access can be revoked or modified centrally at any time.
  • Real-Time Collaboration: Microsoft 365's cloud-based structure enables real-time co-authoring and communication. By adding guest users to groups, you can leverage these features for more effective and efficient teamwork in your organization.

What are the risks of external access in Microsoft 365 groups?

When more guest users are added to Office 365 groups, an admin must be aware of the following risks,

  • Unauthorized access: When guest users accounts are compromised or shared with unauthorized individuals, it could lead to potential data breaches from the respective Microsoft 365 groups.
  • Loss of sensitive information: If the organization has set up the most permissive sharing policies for SharePoint sites associated with Microsoft 365 groups having guest users, it may result in the loss of sensitive information.
  • Malware attacks: Guest users may accidentally open emails from Microsoft 365 group mailboxes that may contain malicious links.
  • Lack of Control: When files with Anyone links are shared with external users via groups, organizations have less control over how those files are accessed and used. Monitoring their activities and tracking the flow of information becomes challenging.

Allowing the sign-in status of guest users whenever not required might pose severe security risks!

Using AdminDroid, you can easily find the 'Sign-in status' of guest users in your organization and block access during prolonged inactivity.

  • To find the Sign-in status of guest users in your Office 365 environment, you can make use of the Sign-in status column from the Group Membership report.

How to monitor external user group membership in Office 365?

Exporting a regular report on guest users’ group membership is important for a secure working environment. So, monitor and revoke guest users' membership once it becomes unnecessary. You can get the complete details of which groups a guest user is a member of using the below ways:

  • Microsoft 365 Admin Center: To get the guest users’ group memberships, select the desired user from the Guest Users section under the Users tab.
  • Microsoft PowerShell: Run the PowerShell script to get the guest users’ membership report.

Since the Microsoft 365 admin center requires navigation to each guest user profile for viewing group memberships, it will be a time-consuming task. Also, there is no single PowerShell cmdlet to get Azure AD guest users’ and their group memberships.

With AdminDroid, you can monitor the Microsoft 365 guest group membership periodically and get it delivered into your email.

  • You can receive the group membership report of guest users in your mailbox periodically by clicking the Schedule this report now option.
  • You can also manage the created schedules from the Schedule Reports page in your AdminDroid portal.

How to manage guest access in Office 365 groups?

Follow the below ways and manage group membership of external users to stay away from data leakages.

  • Azure B2B Collaboration: Allow trusted external users and groups to be eligible for group membership in your organization by configuring Azure B2B collaboration settings from Azure Active Directory.
  • Sensitivity Labels: Use sensitivity labels for “Groups & sites” and label highly confidential groups so that members cannot add guests to those groups.
  • Review Guest User Access: To manage guest access reviews effectively, create Access Reviews and assign specific reviewers to review all groups with guest users using the scope 'All Microsoft 365 groups with guest users. With the help of the User to group affiliation' option, you can help the reviewers to deny a guest who has a low affiliation with other group members.
    • How to remove guests from the Microsoft 365 groups? To remove a guest whom the reviewer denies, select the “Remove user’s membership from the resource” option under the “Upon completion settings” section.
  • License Management: To optimize Office 365 license usage on guest users, avoid assigning group-based licenses to Microsoft 365 groups that have a significant number of guest users.

AdminDroid enables effortless monitoring of groups that are assigned with licenses and have a higher count of external users.

  • You can directly click on the Column Customization option to add the External Users Count column from the Group Details section.
  • Revoke license assignments for groups that have a higher number of guest users, thereby optimizing your licensing expenditure.

How to restrict guest access to a specific Microsoft 365 group?

Block even owners from adding guest users to Microsoft 365 groups!

Your Microsoft 365 environment may have specific groups containing sensitive information that should be only accessed by users within your organization. Since adding guest users to these groups might result in potential data breaches, it is crucial to configure Office 365 guest user limitations.

Run the below PowerShell cmdlet to block guests from being added to a specific Microsoft 365 group:

$GroupName = "<GroupName>"
$template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
$settingsCopy = $template.CreateDirectorySetting()
$groupID= (Get-AzureADGroup -SearchString $GroupName).ObjectId
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $settingsCopy

Including guest users in highly confidential groups might be unnecessary as these groups are intended for internal users.

With AdminDroid, you can create an alert when a guest user is added to specific Microsoft 365 groups.

  • Follow the below steps to create an Alert by applying the filter for "Group Name" equal <Desired Group’s name>.

AdminDroid Group Membership ReportingStreamlining your Microsoft 365 guest users' management

AdminDroid's Microsoft 365 group membership reporting offers a comprehensive solution for Microsoft 365 admins, providing a user-friendly interface that allows you to easily view guest users with their group membership by minimal navigations.

Unique functionalities that AdminDroid provides you to get the external users’ memberships

External User Group Membership report under Reports»Security»External User Reports will assist you in the decision-making process related to group membership of guest users by giving complete information such as member display name, member domain, company, and sign-in status.

An Overview

Get Alerted on the Unusual Count of Guest User Membership

Create alert policies to generate alerts for any abnormal increase in the count of addition of guest users to a group occurring within a short period of time.

Entire Details of Guest Users' Membership Activity

Gain visibility into the individuals who add a guest user to a group and proactively prevent them from adding guest users who may result in undesirable group memberships.

Retrieve Complete Microsoft 365 Guest User Reports in One Section

Knock out the difficulties in searching reports related to external users. See the entire reports related to external users in a unified view from the Security section under ReportBoards.

Comprehensive Profile Summary of Guest Users in Groups

Merge the columns of “External User Group Membership” report with columns depicting user details to get a clear understanding of guest users’ profiles.

Customizable Report Export

Export the “External User Group Membership” report in various formats like HTML, PDF, CSV, XLS, and XLSX. Make your Power BI reporting easier using the RAW format.

Role-Based Access Delegation

Delegate the responsibility for monitoring guest's group membership reports to specific admins who require access using the Roles functionality.

Overall, AdminDroid provides you with a unified view of all the guest users’ group memberships. With the help of unique functionalities, you can overcome the difficulties in getting the data tailored to your requirement.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps for getting Microsoft 365 guest user memberships.

The following are the possible errors and troubleshooting hints while dealing with group memberships of guest users

Error: The term 'Get-AzureADUserMembership' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error will occur if the Azure AD module wasn't installed properly.

Troubleshooting hint :Install the Azure AD PowerShell module. If it is already installed, updating it could resolve the issue.

// Run the below cmdlet for installing it.
Install-Module AzureADPreview
// Run the below cmdlet for updating it.
Update-Module -Name AzureADPreview

Error: You can’t share this channel with people from this org

This happens because your organization may not allow access to the collaborating organization in the B2B direct connect feature.

Troubleshooting hint :Review the inbound settings of your B2B direct connect in Azure AD and verify that you have granted access to the Microsoft 365 organization collaboration.

Error: Conflicting service plans

This scenario arises when you allocate a license to a group, and the service plans within that license can’t overlap with the plans already assigned to a guest user through a different license directly.

Troubleshooting hint :Disable any one of the plans from the Microsoft 365 guest user licenses.

Error: Request_ResourceNotFound

This happens because the user specified is not found in your Office 365 environment.

Troubleshooting hint :Check the user’s Object ID properly and ensure that it is found in your Microsoft 365 environment.

Error: Authorization_RequestDenied

This happens if the Office 365 admin account used for authenticating into PowerShell may not have sufficient permissions.

Troubleshooting hint :Authenticate using an account that has a Global or Group Administrator role to get guest users’ Microsoft 365 group memberships.