🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Get a List of Security Groups and Their Members in Microsoft 365

As security groups in Microsoft 365 act as gatekeepers, admins heavily rely on them to control access to SharePoint sites, files, critical admin roles, and more. However, without vigilant monitoring, these groups can open doors to unauthorized access, putting your organization's data at risk. Therefore, this guide discusses the different ways of monitoring Microsoft 365 security groups and their members to ensure effective management.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft 365 Admin Center

Microsoft 365 Permission Required
Security Reader Least Privilege
Global Admin Most Privilege
  • Log in to the Microsoft 365 admin center.
  • Navigate to the Teams & groups»Active teams & groups.
  • Select the ‘Security groups’ tab to view all Microsoft 365 security groups in your organization, including the mail-enabled ones.
  • Select the desired security group and click on the Members tab to view all the group’s owners and members.
Using Microsoft 365 Admin Center

Using Windows PowerShell

Microsoft 365 Permission Required
Security Reader Least Privilege
Global Admin Most Privilege
  • Connect to the Microsoft Graph PowerShell module.
  • Windows PowerShell Windows PowerShell 
     Connect-MgGraph -Scopes "Group.ReadWrite.All"
  • Execute the cmdlet below to get all security groups in Microsoft Entra ID.
  • Get-MgGroup -All | Where-Object {$_.GroupTypes -notcontains 'Unified' -and $_.SecurityEnabled -eq $true}
    security-groups-using-powershell
  • Run the following cmdlet with the appropriate group ID to retrieve the respective group's members.
  • Get-MgGroupMember –GroupId "<GroupId>" -All | Select @{N="DisplayName";E={$_.AdditionalProperties.displayName}}, @{N="UserID";E={$_.Id}}, @{N="UserPrincipalName";E={$_.AdditionalProperties.userPrincipalName}}
    get-security-group-members-using-powershell

Using PowerShell Script

Microsoft 365 Permission Required
Security Reader Least Privilege
Global Admin Most Privilege
  • While the PS cmdlets get all security groups in Azure AD, including mail-enabled ones, retrieving members of all the groups requires additional scripting and complex handling.
  • To simplify this, we’ve created a PowerShell script that efficiently generates reports on security and mail-enabled security groups along with their memberships.
  • Just download the script and run it in an Administrator PowerShell session as outlined below to access these reports.
M365GroupReport.zip

To list all security groups and their members, run the script with the 'Security' parameter.

./M365GroupReport.ps1 -Security

  • Preview of security groups report
    security-group-report
  • Preview of security group membership report
    security-group-members-report

Similarly, to retrieve all the mail-enabled security groups and their members, run the script with the 'MailEnabledSecurity' parameter.

./M365GroupReport.ps1 -MailEnabledSecurity

AdminDroid Azure AD Reporter

Optimize resource allocation with AdminDroid's Microsoft 365 security group reports!

AdminDroid's Azure AD reporting tool offers comprehensive analytics on Microsoft Entra security groups, detailing properties like group name, empty group, external user count, and more. Here's how AdminDroid helps you proactively manage group memberships, audit group operations, and more.

Real-Time Alerts for Group Owner Changes in M365 Security Groups

Instantly get notified of group owner changes in Microsoft 365 security groups using AdminDroid's default alert policy template to ensure proper access control and accountability.

Visualize Your M365 Security Groups with AdminDroid Dashboards

Discover key insights into your Microsoft 365 security groups, including members, deleted groups, mail-enabled groups, and more, all through AdminDroid’s visually engaging group dashboard.

Gain Insights into Security Groups in SharePoint Online

Keep an eye on your SharePoint Online security groups to prevent unauthorized access and protect sensitive data, ensuring everything is managed properly on the collaborative platform.

Track External Member Changes in Microsoft 365 Security Groups

Easily track external members added/removed from security groups with AdminDroid's advanced customization filters, ensuring only authorized individuals have real-time access to critical resources.

Optimize Security Group Performance with Usage Trend Monitoring

Track group usage trends to optimize resource allocation, enhance collaboration, and boost productivity within your Microsoft 365 security groups.

Comprehensive Monitoring of Security Group Operations

Monitor all group operations report to maintain compliance and audit membership changes in all security groups, dynamic groups, mail-enabled groups, and more.

Thus, with precise reports, dynamic dashboards, and user-friendly visualizations, the AdminDroid's Entra ID management tool streamlines the administration of Azure Active Directory security groups.

Explore a full range of reporting options
Download Live Demo

Important Tips

Enable self-service group management to let users handle their security groups and memberships, reducing admin workload to focus on priority tasks.

Identify empty security groups in Microsoft 365 to utilize them or delete unnecessary ones, ensuring efficient group management and organized oversight.

Use the default Defender for Identity security groups, which provide role-based protection to meet your organization's specific compliance and security needs.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while handling security group reports in Microsoft 365.

Error ./M365GroupReport.ps1 : File ./M365GroupReport.ps1 cannot be loaded. The file ./M365GroupReport.ps1 is not digitally signed. You cannot run this script on the current system.

This error occurs when the system’s execution policy does not allow running unsigned scripts.

Fix You can temporarily set the execution policy to RemoteSigned or Unrestricted to execute the script. 
#If you want to use the remote signed policy, set the execution policy as described below.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser 
# Alternatively, if you want to bypass all restrictions, use the following execution.
Set-ExecutionPolicy Unrestricted -Scope CurrentUser

Error New-MgGroup : A value is required for property 'displayName' of resource 'Group'. Status: 400 (BadRequest)

This error occurs when you try to create a security group with the 'New-MgGroup' cmdlet without specifying group’s display name.

Fix Clearly state the group name when creating a security group with ‘New-MgGroup’ cmdlet in Microsoft Graph PowerShell.

Error Manage owners failed for 1 user(s).

This error occurs when you try to add or remove a group owner from security groups in the Microsoft 365 admin center without the necessary permissions.

Fix Ensure you have the necessary licenses and permissions to manage security groups in Microsoft 365.

Error New-MgGroupMember : Cannot Update a mail-enabled security groups and or distribution list.

The error occurs when attempting to add a member to a mail-enabled security group or distribution list using an incorrect group ID with the New-MgGroupMember cmdlet.

Fix Ensure you have entered the correct Group ID for a security group when executing this cmdlet.
Azure AD
Frequently Asked Questions

Manage Microsoft 365 Security Groups to Streamline Access Control!

How to create a security group in Microsoft 365?
How to manage Microsoft 365 licenses and admin roles using security groups?
How to update Microsoft 365 security groups with dynamic memberships?
How to create device groups in Microsoft 365?
How to limit OneDrive access to only specific security groups?

1. How to create a security group in Microsoft 365?

Security groups in Microsoft 365 are collections of users, devices, or other groups that allow admins to manage permissions and access to resources efficiently. They help admins streamline management by assigning permissions collectively rather than individually. This approach enhances security, simplifies administration, and ensures that policies & settings are applied consistently across multiple users or devices.

Are Security Groups Essential for Organizational Security?

No, but security groups are highly recommended to manage permissions, ensure consistent access rights, and reduce the risk of errors when handling large numbers of users or devices. Follow the steps described below using the Entra admin center or the PowerShell to create security groups in the Azure Active Directory.

Create a Security Group Using Microsoft Entra Admin Center

  • Log in to the Microsoft Entra admin center and navigate to Identity»Groups»All groups»New group.
  • By default, Security is selected in the Group type field. Next, enter a name for the group and provide a description.
  • If you want to assign roles to the security group, switch the Microsoft Entra roles can be assigned to the group toggle to Yes. Once this setting is enabled, the group's eligibility for role assignment becomes permanent and cannot be reverted.
  • Select the Membership type based on your preference:
    • Assigned: This option enables you to manually assign members to the groups.
    • Dynamic user: Using this option, you can automatically assign membership based on user attributes, such as department, location, etc.
    • Dynamic device: With this option, you can automatically assign membership based on device attributes, such as operating system, device type, etc.
  • Select the owners for the group by clicking the No owners selected link in the Owners section.
  • Add members to the security group by selecting the No members selected option in the Members section.
  • Review your settings and click Create to create the group.
create-new-security-group

Add a Security Group Using PowerShell

  • Connect to the Microsoft Graph PowerShell using the cmdlet below. 
    Connect-MgGraph -Scopes "Group.ReadWrite.All", "GroupMember.ReadWrite.All"
  • Use the New-MgGroup cmdlet below to create a new security group.
    New-MgGroup -DisplayName "<GroupName>" -MailNickname "<MailNickname>" -Description "<GroupDescription>" -SecurityEnabled -MailEnabled:$False
  • To add members to a group, use the New-MgGroupMember cmdlet with the Group ID and the User ID. 
    New-MgGroupMember -GroupId "<SecurityGroupID>" -DirectoryObjectId "<UserID>" 
#Make sure to replace <SecurityGroupID> and <UserID> with the appropriate values before executing the command.
    Note: You can use the Get-MgUser cmdlet to retrieve the User ID.
  • Use the New-MgGroupOwner cmdlet to add owners to a specific security group.
    New-MgGroupOwner -GroupId  "<SecurityGroupID>" -DirectoryObjectId "<UserID>"

Enhance security group tracking in Microsoft 365 with AdminDroid’s detailed insights, overcoming the limitations of Azure AD audit logs and the need for additional filtration.

  • By applying a simple filter where GroupType equals SecurityEnabled in the created groups report, you can monitor all security group creations effortlessly.
  • This allows you to see details such as who created the group, when it was created, the group name, and more, saving you time and effort while maintaining oversight.
created-security-groups-admindroid

Handy Hint: Save your customized view using the 'Save as view' option to quickly access the report without applying filters each time.

2. How to manage Microsoft 365 licenses and admin roles using security groups?

While Microsoft 365 security groups simplify administrative tasks by centralizing management, they are especially useful for assigning group-based licenses and managing admin roles. These tasks are crucial for various departments such as Sales, Marketing, and IT which often need different Microsoft 365 licenses. This approach not only saves time but also ensures that employees have the necessary resources and permissions, enhancing organizational efficiency.

Assign Licenses for Security Groups via the Microsoft 365 Admin Center

  • Log in to the Microsoft 365 admin center and navigate to Billing»Licenses to view all available licenses in your organization.
  • Select the license you want to assign for the security group(s).
  • In the License details section, locate the Groups tab and choose Assign licenses.
  • In the flyout pane, search for the respective security groups and add them to assign licenses.
  • Click the Assign button located at the bottom of the pane.

Note: When assigning licenses to a group, ensure that any service plans with dependencies on other service plans are also assigned. If the dependent service plan is not assigned to the specific group, the assigned license will be disabled.

assign-licenses-m365-admin-center

Assign Admin Roles to Security Groups in Microsoft 365 Admin Center

  • Navigate to the Teams & groups»Active teams & groups»Security groups in the M365 admin center.
  • Select the security group to which you want to assign a role.
  • Under the General tab, locate the Roles category.

    Note: This option is available only if the group is enabled for role assignments.

  • Click Manage roles and select the required roles after opting for Admin center access.
  • Finally, click the Save Changes button to save your configurations.
assign-admin-roles-manage-access

3. How to update Microsoft 365 security groups with dynamic memberships?

Dynamic membership in security groups allows you to automatically manage the membership based on user or device attributes. This is achieved through rules that define the criteria for group membership. For example, you can create a rule to automatically add all users from a specific department or with a certain job title to a security group.

Reasons to Use Microsoft 365 Dynamic Security Groups

  • Automated Management: Reduce administrative overhead and ensure group memberships are always up-to-date based on predefined criteria.
  • Consistency and Accuracy: Eliminates human error by consistently applying rules to all users or devices that meet the specified criteria.

Steps to Update Dynamic Group Membership

  • Sign in to the Microsoft Entra admin center.
  • Navigate to Identity»Groups»All groups and select Add filter. Set the Group type filter to Security and click Apply to list all the security groups.
  • Then, select the security group for which you want to change the membership type to dynamic.
  • Go to the Properties tab and set the Membership type to Dynamic user.

    Note: If a group is enabled for assigning Microsoft Entra roles, its membership type cannot be changed to dynamic.

    update-dynamic-membership
  • Select the Add dynamic query option and create dynamic rule(s) using the dynamic query builder. To create more than five queries, use the ‘Edit’ option and construct the membership rule queries in the Rule syntax box.
    dynamic-query-builder
  • After configuring the rule with the required operators, click Save.
  • Click Save again on the Properties page to apply the dynamic membership changes.

Once saved, the membership type is immediately updated in the group list. Microsoft first removes all existing members and then adds the group members based on the dynamic rule created.

4. How to create device groups in Microsoft 365?

Device groups in Microsoft 365 are collections of devices that are grouped together to simplify management tasks, such as applying policies and access controls. These device groups in Intune are essential for admins as they streamline resource management and ensure consistent application of compliance policies across all devices in an organization.

Why Use Security Groups for Device Groups Management?

Only security groups can be used to create device groups in Azure Active Directory. Microsoft recommends using them for device management to fully leverage their potential in security and access control. Here’s why:

  • Device Membership: Security groups are the only Microsoft 365 group type that allows devices to be members.
  • Access to Applications and Resources: As security groups control access to applications and resources, adding devices to a security group ensures that only those devices can access specific resources or applications.

In contrast, Microsoft 365 groups (formerly Office 365 groups) are primarily designed for collaboration and do not support device membership. They are better suited for managing access to shared resources like email, calendars, SharePoint document libraries, and more, but not for device management.

Create Device Groups in Microsoft 365

  • Log in to the New Groups page in the Microsoft Intune admin center.
  • The group type is set to Security by default, so you can proceed to enter a name and description for the group.
  • Choose the Membership type as Dynamic device. Then add owners under the Owners section by clicking No owners selected.
  • Then, add dynamic device members to the group with the Add dynamic query option.
  • On the Dynamic membership rules page, configure rules using the rule builder or rule syntax text box. Note that the rule builder allows you to create up to five rules only.
  • Click Create to finalize the device group creation.

By following these steps, you can create device groups in Intune, allowing you to manage and secure your devices efficiently.

5. How to limit OneDrive access to only specific security groups?

Want to ensure that only the right people in your organization can access OneDrive? Limiting OneDrive access to specific security groups is an excellent way to control who can access the broadly shared OneDrive files. For example, you can prevent guest users from accessing OneDrive content, even if they had access before, ensuring sensitive information stays within the intended audience.

To restrict OneDrive access and sharing, you’ll need one of the following licenses.

  • Microsoft SharePoint Premium - SharePoint Advanced Management
  • Office 365 E5/A5
  • Microsoft 365 E5/A5

Restrict OneDrive Access to a Security Group

  • Open the Access control page in the SharePoint admin center.
  • Click on OneDrive access restriction to open the respective flyout pane.
  • Enable the Restrict OneDrive access only to users in specified security groups checkbox.
  • In the Add security groups field, search for and select the groups you want to allow access to OneDrive.
  • Click Save, and then confirm by clicking OK in the confirmation box.

Once you apply this restriction, users outside the specified security groups won’t be able to access their OneDrive or any shared content, even if they’re licensed. The policy takes effect as soon as the users try to access their OneDrive or open a file.

restrict-onedrive-access

Important Note: Users not in the selected security groups may still see OneDrive files in search results if they have direct permissions. However, they won’t be able to open them without being part of the approved groups. Make sure all required users are included in your security groups before implementing the policy to avoid disrupting workflows.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Get a List of Security Groups and Their Members in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo