
How to Track Orphaned Groups in Microsoft 365

Groups in Microsoft 365 facilitate team collaboration by allowing the sharing of files, calendars, resources, etc., and support efficient permission management. However, these groups can quickly become unmanaged if the sole owner leaves without replacement. Ownerless groups in Microsoft 365 result in outdated memberships, unchecked permissions, etc. Therefore, this guide shows you how to get orphaned groups in Entra ID and restore control to prevent operational disruptions.

Find Ownerless Groups Using Microsoft 365 Admin Center

Microsoft 365 Permission Required: Global Reader (least privilege); Global Administrator (most privilege)
  • Log in to the Microsoft 365 admin center.
  • Navigate to Teams & groups»Active teams & groups»Teams & Microsoft 365 groups.
  • Click on Filter and choose Ownerless groups.
  • The ownerless Microsoft 365 groups will be displayed on the page.

Note: While the steps help list orphaned Microsoft 365 groups, admin centers don’t provide a way to list all ownerless security groups or distribution lists. Each of these groups must be checked manually to verify their ownership.

If the specific group has no owner, the message below will be displayed on the General tab.

This group has no owners assigned to manage group members and group data.

List All Groups Without Owners in Microsoft 365 Using PowerShell

Microsoft 365 Permission Required: Group.Read.All (least privilege); Directory.Read.All (most privilege)
  • The Graph API retrieves all ownerless groups in Microsoft 365, but it lists all distribution and mail-enabled security groups as ownerless, even if they have owners.
  • Alternatively, the Exchange module retrieves ownerless distribution groups, Microsoft 365 groups, and mail-enabled security groups, but has limitations with security groups.
  • To overcome these constraints, use the script below, which leverages both the Exchange and Graph modules to list all types of ownerless groups in Microsoft 365.
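    # Graph covers Microsoft 365 groups and security groups;
    # Exchange Online covers the mail-enabled group types.
    Connect-MgGraph -Scopes "Group.Read.All"
    Connect-ExchangeOnline

    # Microsoft 365 groups and non-mail-enabled security groups with no owners.
    # Mail-enabled security groups are excluded here because Graph reports them
    # as ownerless even when they have owners; Exchange handles them below.
    $graphGroups = Get-MgGroup -All -ExpandProperty owners |
        Where-Object { -not $_.Owners -and ($_.GroupTypes -contains "Unified" -or ($_.SecurityEnabled -and -not $_.MailEnabled)) } |
        Select-Object DisplayName, Id, @{Name="GroupType"; Expression={
            if ($_.GroupTypes -contains "Unified") { "Microsoft 365 Group" }
            else { "Security Group" }
        }}

    # Distribution groups and mail-enabled security groups with an empty ManagedBy.
    # Note: Id is the Exchange GUID for these rows.
    $exchangeGroups = Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.ManagedBy } |
        Select-Object DisplayName,
                      @{Name="Id"; Expression={$_.Guid}},
                      @{Name="GroupType"; Expression={
                          switch ($_.RecipientTypeDetails) {
                              "MailUniversalSecurityGroup" {"Mail-Enabled Security Group"}
                              "MailUniversalDistributionGroup" {"Distribution Group"}
                              default { [string]$_ }   # any other type keeps its Exchange name
                          }
                      }}

    # Dynamic distribution groups with an empty ManagedBy.
    $dynamicExchangeGroups = Get-DynamicDistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.ManagedBy } |
        Select-Object DisplayName,
                      @{Name="Id"; Expression={$_.Guid}},
                      @{Name="GroupType"; Expression={"Dynamic Distribution Group"}}

    # Merge the three result sets; @() turns an empty result into an empty array.
    $allGroups = @($graphGroups) + @($exchangeGroups) + @($dynamicExchangeGroups) |
        Select-Object DisplayName, Id, GroupType
    $allGroups | Sort-Object DisplayName | Format-Table -AutoSize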

Implement Proper Ownership Management by Tracking Ownerless Groups in Microsoft 365

AdminDroid’s Entra ID reporting tool offers a dynamic solution for managing groups without owners in Microsoft 365. With real-time insights, it helps you maintain full control over your organization’s group management. It also provides a variety of reports, such as group membership, empty groups, nested groups, and more, for overall group management.

Focus on Newly Created Groups for Ownership Assignment

Monitor recently created groups to identify groups created without owners and promptly assign owners to ensure proper oversight and prevent unmonitored access.

Check M365 Group Ownership for Authorized Management

Track the owners of all Microsoft 365 groups to ensure groups have the right owner, as having the authorized owner is far more crucial than just having an owner.

Examine Collaboration to Address Risks in Orphaned Teams

Filter team meetings and message details reports by specifying the names of teams without owners to address unmonitored discussions and data management violations.

Oversee Groups with Guest Members to Prevent Data Leaks

Pinpoint groups with external users and avoid leaving them ownerless to prevent the unmonitored sharing of sensitive information outside the organization.

Monitor Membership to Maintain Intended Dynamic Group Users

Ensure all dynamic distribution groups have assigned owners to verify that only intended members are included, as group membership is automatically populated based on criteria.

Evaluate Group Usage to Manage Ownerless Groups in M365

Inspect group activity trends to assess usage and determine whether to reassign owners or delete inactive groups for effective management of ownerless groups.

Overall, AdminDroid’s Microsoft 365 management tool offers powerful features for gaining in-depth insights into groups in Microsoft 365. It enables you to reassign ownership, manage group members, track changes, and more. Also, the group reports in AdminDroid help you optimize group administration, streamline governance, and enhance compliance within your Microsoft 365 environment.


Important Tips

Always assign at least two owners for each group to ensure ownership backup and prevent orphaned groups if one owner leaves.

Track groups with disabled owners regularly to avoid orphaned Microsoft 365 workspaces, which can result in unmonitored and unmanaged collaboration.

Audit group ownership changes to ensure proper control and prevent groups from becoming ownerless due to inactive or departed users.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while dealing with groups without owners in Microsoft 365.

Error: Get-MgGroup : Insufficient privileges to complete the operation.

This error occurs in PowerShell when you execute the script without the necessary scopes or permissions.

Fix: Connect to Microsoft Graph PowerShell with at least a group administrator role and the Group.Read.All scope, then try again.

Error: Ownerless group policy configuration failed. Failure in configuring ownerless groups policy. Please try again.

This error may occur in Microsoft 365 while configuring the ownerless group policy due to multiple factors, such as timeout, incorrect configuration settings, or insufficient administrative permissions.

Fix: Ensure you have the necessary permissions, such as a group admin role, to deploy the policy. If the issue persists, just go back and try again.

Error: The remote endpoint returned an error (HTTP ‘500’). Please try again later.

This error occurs when a user attempts to take ownership of a group via the Group Ownership policy notification email. It is caused by a recent Microsoft update that unintentionally affects dependencies.

Fix: Reach out to admins and manually set the owner of the groups.

1. How does a group become ownerless in Microsoft 365?

Every group in Microsoft 365 is typically assigned an owner by an admin during its creation or management to handle day-to-day administration. It includes controlling membership and permissions. However, certain situations can result in a group becoming ownerless, which leads to potential security risks. A group in Microsoft 365 becomes ownerless under the following circumstances.

  • Deletion of the sole owner: If a user is the only owner of a group, deleting their account will leave the group without an owner. This will result in an orphaned group in Microsoft 365.
  • Disabling of the sole owner: When a group in Microsoft 365 has a single owner and that owner's account is disabled, the group technically retains an owner. However, the disabled account will not be able to perform any management tasks. This makes the group ownerless as no active user will be able to perform administrative duties in the group.
  • Group created without owner: When a security group is created using the Entra portal or PowerShell without explicitly specifying an owner, it will be created without ownership. This lack of assigned ownership can result in the group becoming ownerless immediately after its creation.

Note: Even if a group has no owner for management activities, group admin or any other high-privileged admins in Microsoft 365 can still manage the group, regardless of its type.

To ensure proper administrative oversight, it’s crucial to ensure that no group is left without ownership. Therefore, verify that the user is not the sole owner of any group before offboarding a Microsoft 365 user. If they are, reassign ownership to another user. This guarantees continuous Microsoft 365 group management.
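
The disabled-owner case and the pre-offboarding check described above can be covered in one pass over Microsoft Graph. This is an added example, not part of the original guide; the departing user's UPN is a constructed placeholder, and the User.Read.All scope is assumed so that account status can be read.

```powershell
# Added example: groups that still have owner objects but no usable owner.
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Users modules.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# Constructed placeholder: the account that is about to be offboarded.
$departingUpn = "departing.user@contoso.example"
$departingId  = (Get-MgUser -UserId $departingUpn -Property Id).Id

# Collect the IDs of all disabled accounts once, instead of one lookup per owner.
$disabledIds = [System.Collections.Generic.HashSet[string]]::new()
Get-MgUser -All -Filter "accountEnabled eq false" -Property Id |
    ForEach-Object { [void]$disabledIds.Add($_.Id) }

$atRisk = foreach ($group in Get-MgGroup -All -ExpandProperty owners) {
    # The expanded owners collection is capped by Graph (20 objects), which is
    # enough to decide whether at least one usable owner exists.
    $owners = @($group.Owners)

    # Groups with zero owner objects are already listed by the ownerless-group script.
    if ($owners.Count -eq 0) { continue }

    # Owners that can still act. Service principal owners are never in
    # $disabledIds, so they count as active here.
    $activeOwners = @($owners | Where-Object { -not $disabledIds.Contains($_.Id) })

    # Active owners that remain once the departing account is removed.
    $remaining = @($activeOwners | Where-Object { $_.Id -ne $departingId })

    if ($activeOwners.Count -eq 0) {
        $status = "All owners disabled"
    } elseif ($remaining.Count -eq 0) {
        $status = "Departing user is last active owner"
    } else {
        continue
    }

    [pscustomobject]@{
        DisplayName  = $group.DisplayName
        Id           = $group.Id
        OwnerCount   = $owners.Count
        ActiveOwners = $activeOwners.Count
        Status       = $status
    }
}

$atRisk | Sort-Object Status, DisplayName | Format-Table -AutoSize
```

Every row with the status "Departing user is last active owner" needs a replacement owner before the account is disabled or deleted.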

2. What happens when a group becomes ownerless in Microsoft 365?

Ownerless groups in Microsoft 365 can still function as collaborative spaces for users to communicate and share resources. However, the absence of an assigned owner can disrupt efficient group management and create administrative inefficiencies. This also impacts services tied to the groups, such as SharePoint, Teams, etc.

Below are the problems associated with ownerless groups in Microsoft 365, which highlight why ownership is crucial for seamless operations.

Group membership management challenges

  • When a group lacks an owner, the responsibility of adding or removing members falls entirely on admins. This shift in responsibility can delay updates to group membership and increase the risk of unauthorized access due to outdated member lists.
  • Admins may also lack the context needed to make accurate membership decisions, further complicating group management.

Inability to customize group configurations in Microsoft 365

  • Group settings, such as the name, description, picture, and privacy options, are typically managed by owners. These settings ensure the group’s identity aligns with its purpose.
  • When there is no owner, these updates may not occur, leaving settings outdated or irrelevant. This can confuse group members and reduce the group’s effectiveness.

Limited oversight of Microsoft 365 shared resources

  • A key responsibility of group owners is overseeing how group resources such as calendars, mailboxes, document libraries, team channels, etc., are accessed. Without a designated owner, it becomes difficult to monitor who is accessing the resources.
  • This oversight gap leads to abandoned resources, improper usage, and unauthorized changes to files or documents, which can lead to confusion and potential conflicts. This increases the risk of outdated data and makes collaboration difficult.

Even though admins can still manage these groups, the lack of a dedicated owner creates the above inefficiencies and risks, especially in large organizations.

3. How to manage orphaned groups in Microsoft 365?

Identifying ownerless groups in Microsoft 365 is just the first step. Properly managing these groups is crucial to ensure they remain functional and secure. By taking proactive steps to reassign ownership, you can prevent disruptions and maintain effective collaboration within the group.

After identifying the cause of the orphaned group in Microsoft 365, reassign ownership or designate a new owner if it occurred by mistake. If the group is inactive and no longer needed, consider removing it to streamline management and security.

How to add an owner to a group in Microsoft 365?

  • Navigate to the Exchange admin center»Recipients»Groups»Select the specific group»Members»Owners»View all and manage owners.
  • Click +Add owners and choose the user you want to assign as the new owner.
  • Click Add to assign the selected user as the owner of the group in Microsoft 365.

You can also assign an owner to a Microsoft 365 group using PowerShell. This allows for bulk operations and streamlines the process of managing multiple groups.
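
One way to run that bulk assignment, as an added example that is not part of the original guide. It assumes a hypothetical file owner-assignments.csv with the columns GroupId, GroupType and NewOwnerUpn, where GroupType uses the labels produced by the ownerless-group script on this page.

```powershell
# Added example: assign owners in bulk from a CSV (hypothetical file name and columns).
# Microsoft 365 and security groups go through Graph; mail-enabled types go through Exchange.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"
Connect-ExchangeOnline

$apply = $false   # dry run by default; set to $true to make changes

foreach ($row in Import-Csv -Path ".\owner-assignments.csv") {
    try {
        $user = Get-MgUser -UserId $row.NewOwnerUpn -Property Id, AccountEnabled -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($row.GroupId): user $($row.NewOwnerUpn) was not found."
        continue
    }

    # A disabled owner cannot manage the group, so the group would stay
    # effectively ownerless. Refuse the assignment.
    if (-not $user.AccountEnabled) {
        Write-Warning "Skipping $($row.GroupId): $($row.NewOwnerUpn) is disabled."
        continue
    }

    if (-not $apply) {
        Write-Output "Would add $($row.NewOwnerUpn) as owner of $($row.GroupId) ($($row.GroupType))"
        continue
    }

    switch ($row.GroupType) {
        { $_ -in "Microsoft 365 Group", "Security Group" } {
            New-MgGroupOwnerByRef -GroupId $row.GroupId -BodyParameter @{
                "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)"
            }
        }
        { $_ -in "Distribution Group", "Mail-Enabled Security Group" } {
            # Add keeps any existing ManagedBy entries; the bypass switch is needed
            # because the admin running this is not yet an owner of the group.
            Set-DistributionGroup -Identity $row.GroupId -ManagedBy @{ Add = $row.NewOwnerUpn } `
                -BypassSecurityGroupManagerCheck
        }
        "Dynamic Distribution Group" {
            # ManagedBy holds a single value for dynamic distribution groups.
            Set-DynamicDistributionGroup -Identity $row.GroupId -ManagedBy $row.NewOwnerUpn
        }
        default {
            Write-Warning "Skipping $($row.GroupId): unknown group type '$($row.GroupType)'."
        }
    }
}
```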

How to remove a group in Microsoft 365?

  • Select the specific group you want to delete and click Delete group at the top of the page.
  • If the Delete group option is not visible, click the more options menu and select Delete group.
  • In the confirmation dialog, click Delete group again to delete the group in Microsoft 365.

Thoroughly verify that the group is no longer needed before deletion, as deleting a Microsoft 365 group can significantly impact associated services such as SharePoint, Teams, and Planner.

Note: Since the Exchange admin center doesn't support managing security groups, you can follow the above steps in the Microsoft 365 admin center to assign owners or delete security groups.

4. How to create a Group Ownership Policy in Microsoft 365?

Admins are required to check manually for ownerless Microsoft 365 groups, which is time-consuming and prone to errors. However, the Group Ownership Governance Policy addresses this challenge by identifying orphaned M365 groups and sending notifications to active group members.

Members who receive the notification through email messages can accept or decline ownership. The actions taken by members are logged in the compliance portal audit log to maintain governance and accountability. This approach streamlines the entire process and reduces administrative workload.

Enable the Microsoft 365 Group Ownership Governance Policy

  • Go to the Org settings page in Microsoft 365 admin center and click Microsoft 365 Groups under Services.
  • Select the checkbox for When there is no owner, email and ask group members to become an owner under "Ownerless groups".
  • Click Save to set the Group Ownership Governance Policy.

Note: The guest user will not receive the ownership invitation request, even if they are active members of the group.

Modify the Ownerless Group Policy in the Microsoft 365 Admin Center

By default, the no-owner policy in Microsoft 365 sends weekly notifications for 4 weeks to up to 5 active members of orphaned groups. However, if you need to configure a specific policy for your organization, you can modify the default settings of the policy.

  • After selecting the checkbox under Ownerless groups section in Microsoft 365 Groups, click Configure policy.
  • In the "Weekly notification" options, limit who can receive notifications in the Specify who can receive ownership notifications field.
  • Select the number of active members to notify, set the duration (in weeks) for how long users will receive notifications, and then click Next.
  • Choose the sender for the notifications and click Next.
  • On the "Subject" and "message" page, modify the Subject and Message of the email as per your requirement. You can also include a URL for policy guidelines, then click Next.
  • Select the groups to be notified when they become ownerless under Apply this policy to and click Next.
  • Review the policy settings and click Finish to apply the Group Ownership policy in Microsoft 365.

This policy applies only to Microsoft 365 groups without an owner, as assigning an active member as the owner in other types of groups could lead to unintended security permission changes and vulnerabilities.

Surpass native limits with AdminDroid’s inbuilt New Change alert feature available with comprehensive group reports!

  • Navigate to any group report regardless of the type such as security, Microsoft 365, or distribution and click the Alert 🔔 icon.
  • Head to the Notification tab, select Owner Count as the event, set it to 0, and create the policy to receive instant email or Teams alerts whenever a group goes ownerless.
