
How to Find Users Not in Any Groups in Microsoft 365

Users not in any groups can easily go unnoticed when admins primarily rely on groups to manage user permissions, resources, licenses, etc. This can lead to potential inactivity or a lack of access to essential files or teams in Microsoft 365. Therefore, identifying and managing these users is crucial for maintaining security and engagement. This guide will help you find users who are not part of any group, ensuring they are effectively managed in Microsoft 365.

Native Solution

Microsoft 365 Permission Required: High

  • Least Privilege: Reports Reader
  • Highest Privilege: Global Admin

Option 1: Using Windows PowerShell

  • Connect to the Microsoft Graph PowerShell using the cmdlet below.
     Connect-MgGraph -Scopes 'User.Read.All'
  • Run the below cmdlet to get all users without Azure AD group memberships.
     Get-MgUser -All | Where-Object { (Get-MgUserMemberOf -UserId $_.Id).Count -eq 0 }
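Get-MgUserMemberOf returns directory roles and administrative units as well as groups, so the one-liner above skips a user whose only membership is an admin role. The following added example (not from the original page and not the UserMembershipReport.ps1 script) counts only group objects and adds the account, license and role context needed for triage; the CSV file name is an assumption.

```powershell
# Added example: report users that are direct members of no group.
# Assumes the Microsoft.Graph.Users module is installed.
Connect-MgGraph -Scopes 'User.Read.All'

$props = 'id', 'userPrincipalName', 'userType', 'accountEnabled',
         'department', 'assignedLicenses'

$report = foreach ($user in Get-MgUser -All -Property $props) {
    # memberOf mixes groups, directory roles and administrative units.
    $memberOf = @(Get-MgUserMemberOf -UserId $user.Id -All)

    $groups = @($memberOf | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group'
    })
    if ($groups.Count -gt 0) { continue }   # user is in at least one group

    # Keep admin roles visible: a privileged account outside every group
    # is usually outside group-scoped policies as well.
    $roles = @($memberOf | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole'
    })

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        UserType          = $user.UserType
        AccountEnabled    = $user.AccountEnabled
        Department        = $user.Department
        Licensed          = (@($user.AssignedLicenses).Count -gt 0)
        # displayName can be empty if the session cannot read role objects.
        AdminRoles        = ($roles | ForEach-Object {
                                $_.AdditionalProperties['displayName']
                            }) -join '; '
    }
}

# Enabled, licensed accounts first: these are live identities with no
# group-based controls. The output path is a placeholder.
$report |
    Sort-Object AccountEnabled, Licensed -Descending |
    Export-Csv -Path .\UsersNotInAnyGroup.csv -NoTypeInformation

$report | Format-Table UserPrincipalName, AccountEnabled, Licensed, AdminRoles
```

The script makes one memberOf call per user, so expect it to run for a while in large tenants.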

Option 2: Using PowerShell Script

  • We created a PowerShell script to provide deeper insights into users without group membership in Microsoft 365.
  • This script identifies users who are not members of any groups, along with essential details such as license status, account status, department, and admin roles.
  • To retrieve users not in any groups in Microsoft 365, download and run the following script as shown below.
     ./UserMembershipReport.ps1 -UsersNotinAnyGroup
AdminDroid Solution
This report and 150+ more reports are under free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the Users Not in Any Group report under Reports » Azure AD » User Reports.

This report consolidates details of all users not in any groups in Microsoft 365, including information such as sign-in status, license status, admin roles, etc.

  • Note: Utilize AdminDroid’s filtering feature to identify users who are not added to the groups of their specific departments or job titles.
  • Take advantage of the built-in charts to visualize licensed users without group memberships, enabling quick identification of underutilized licenses and opportunities for cost-saving through reallocation.

Struggling to track users without group memberships in Microsoft 365?

AdminDroid simplifies the management of users without group memberships by helping you quickly identify these users, improving visibility and security across your Microsoft 365 environment.

Witness the report in action using the

Azure AD

Efficiently Manage Users Not in Any Azure AD Groups for Streamlined Access in Microsoft 365

What are the impacts of users without group membership in Microsoft 365?

In Microsoft 365, group memberships are essential for effective user management, security, and collaboration. When users are not assigned to any relevant groups, several challenges may arise that can hinder operational efficiency and security. Understanding these impacts is crucial for maintaining a well-organized and secure Microsoft 365 environment.

  • Increased Administrative Workload: Managing users without group memberships requires more manual effort to ensure proper configurations, as they do not benefit from automated processes tied to group memberships. Consequently, identifying and managing these users can be time-consuming.
  • Complicated License Management: Manual license assignment becomes necessary since you can't manage licenses for users not in any groups using group-based licensing. This can lead to errors, resulting in increased licensing costs or unnecessary licenses for users.
  • Complex Permission Management: Managing permissions for these users complicates access control. You may find it challenging to ensure that these users have the appropriate permissions to access respective resources for their workflows.
  • Increased Security Risks: These users may retain access to sensitive information without proper oversight, such as Conditional Access policies and MFA. This lack of control can create vulnerabilities that attackers might exploit, increasing your organization's risk profile.

How to automatically add users to groups in Microsoft 365?

Imagine a project manager needs access to specific resources in a group for a critical project. Without being assigned to that group, they cannot access necessary files or collaborate with the team, which can delay project timelines. To prevent such issues, you can automate their group membership to ensure users are always included in relevant groups in Microsoft 365.

Features to automate the group membership of Microsoft 365 users

  • Dynamic Group Membership: In M365, collaboration and resource management are facilitated through Microsoft 365 groups and security groups. However, managing these groups' membership is typically done manually, which can lead to errors, such as missing users who need to be added.

    In these instances, you can create Microsoft 365 groups with dynamic membership in Azure AD or update security groups with dynamic membership. This automatically adds group members based on attributes such as roles, job titles, departments, etc., without manual intervention.
  • Dynamic Distribution Groups: When your requirement for the group is only mail communication, you can create a dynamic distribution group in Microsoft 365. These groups automatically add group members based on filters applied to specific user attributes, such as job title, department, or location, eliminating the need for manual updates. This ensures the users receive emails sent to their relevant groups.

    Note: The membership of a dynamic distribution group is updated every 24 hours based on the conditions you set.
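As an added example (not from the original page), this is one way to create a dynamic security group with Microsoft Graph PowerShell after previewing who the rule would match. The department value, group name and mail nickname are placeholders, and the rule also requires the account to be enabled so that disabled users do not receive membership.

```powershell
# Added example: dynamic security group keyed on department.
# 'Finance', the display name and the mail nickname are placeholders.
# Dynamic membership requires a Microsoft Entra ID P1 (or higher) license.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$department = 'Finance'

# Preview: which enabled users carry this department value today?
$preview = Get-MgUser -All `
    -Filter "department eq '$department' and accountEnabled eq true" `
    -ConsistencyLevel eventual -CountVariable matched `
    -Property 'userPrincipalName', 'department'
$preview | Format-Table UserPrincipalName, Department

# Membership rule: same department, enabled accounts only.
$rule = "(user.department -eq `"$department`") -and (user.accountEnabled -eq true)"

$group = New-MgGroup -DisplayName "DYN-$department-Users" `
    -MailNickname "dyn-$($department.ToLower())-users" `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read the rule back to confirm what was stored and that processing is on.
Get-MgGroup -GroupId $group.Id `
    -Property 'displayName', 'membershipRule', 'membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Users whose department attribute is empty or misspelled never match the rule, so they will continue to appear in the users-without-groups report until the attribute is corrected.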

Handy Tip: Regularly review group memberships to identify any users who may have been overlooked for inclusion in relevant groups and ensure that all authorized users are assigned to the appropriate groups.

How can users not in any Azure AD groups be managed in Microsoft 365?

Identifying Microsoft 365 users without group membership is only the beginning; proper management of these users is key to resolving potential issues. Without proper attention, these users may experience access limitations and security risks. To ensure a seamless workflow and maintain security standards, consider the following proactive measures to manage these users.

  • Add Users to the Group: After identifying users not in any Azure AD groups, check if they are active accounts that require relevant group assignments. If so, add the user to the Azure AD groups based on their roles and responsibilities.
  • Grant Individual Permissions: For external users collaborating temporarily, granting group permissions may not be necessary. In these situations, you can assign specific permissions to individual resources, such as Word documents or files.

    Note: To ensure proper authentication for accessing these resources, security policies must be applied individually. While this approach enhances security, it increases administrative overhead due to the need to grant direct permissions.
  • Efficient Offboarding: If user accounts remain in your organization without group memberships and are no longer needed, you can remove them by following proper Microsoft 365 offboarding practices.

    Tip: You can automate the Office 365 offboarding process to minimize human errors and create a streamlined, secure approach.

These are some of the best practices for managing Office 365 users not in any groups. By applying these methods, you can effectively manage users without group memberships in Microsoft 365.

AdminDroid Microsoft 365 Groups Reporting

Unlock efficient management of users not in any groups!

AdminDroid's Azure AD reporting tool offers the ultimate one-stop solution for Microsoft 365 management. It delivers exclusive reports on all data within your Azure AD environment. From user and group reports to in-depth insights, it empowers you to monitor, analyze, and secure your Microsoft 365 infrastructure with unmatched ease.

A Quick Summary

Stay Updated on Users Without Group Membership

Use AdminDroid’s scheduling feature to receive regular updates on users without group membership and proactively add them to the appropriate groups to fix access issues.

Ensure Proper Group Membership During Role Transitions

Monitor group member changes to ensure that when a user's admin role changes, they are promptly removed from outdated groups and added to the relevant groups.

Identify Users Without Managers to Ensure Necessary Group Access

Identify users with no managers in Microsoft 365 to ensure effective oversight and appropriate group allocation, which prevents gaps in accountability and access management.

Manage Permissions of External Users Without Group Membership

Utilize the filters available on the external users' report to identify external users without group memberships and ensure their direct permissions are consistently controlled to maintain security.

Track Activities of Users Not in Any Groups Across Microsoft 365

Filter the user activity trend dashboard based on the UPN of the user(s) without group memberships to identify activities performed by them across all M365 services.

Verify Disabled Users Have No Group Membership Access

Track groups with disabled users to ensure they are not in any sensitive groups, as re-enabling them without considering their group membership can lead to instant access and potential security risks.

AdminDroid’s Azure AD management tool provides detailed reports to manage users not in any groups within Microsoft 365, including disabled users and inactive users. These insights enhance access management, reduce risks, and ensure that users have appropriate permissions based on their roles.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps in Managing Users Without Group Membership in Microsoft 365

The following are the possible errors and troubleshooting hints while tracking users with no groups in Microsoft 365.

Error: Get-MgUser : Authentication needed. Please call Connect-MgGraph.

This error occurs in PowerShell when you execute the cmdlet before connecting to the Microsoft Graph module.

Troubleshooting hint: Install and connect to the Microsoft Graph module before running the cmdlet.

# Execute the below cmdlet to install the Microsoft Graph module.
Install-Module Microsoft.Graph
# Run the below command to connect to the Microsoft Graph.
Connect-MgGraph

Error: Needs permission to access resources in your organization that only an admin can grant.

This error may occur when you try to run the script with an account that lacks the necessary admin permissions to access the user details.

Troubleshooting hint: Ensure that your account has appropriate permission to access the users' details in Microsoft 365.

Error: Get-MgUser : One or more errors occurred.

This error may occur while running the cmdlet in PowerShell if more than one Graph module is installed.

Troubleshooting hint: Use the cmdlet below to check all the installed versions of the Graph module in your PowerShell. If multiple versions are available, remove all previously installed versions of the Microsoft Graph modules and install the latest version to ensure all dependencies are up to date.

Get-Module -Name Microsoft.Graph -ListAvailable

Error: Get-MgUser : Insufficient privileges to complete the operation.

This error occurs in PowerShell when you execute the 'Get-MgUser' cmdlet without the necessary permissions.

Troubleshooting hint: Reconnect to Microsoft Graph with appropriate permissions.

Connect-MgGraph -Scopes "User.Read.All"