Track Microsoft 365 Groups with External Users

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Groups Admin, or Exchange Admin.

Option 1 Using Windows PowerShell

Connect to the Exchange Online PowerShell module using the below cmdlet.
Windows PowerShell
```
 Connect-ExchangeOnline
```
To get all the Microsoft 365 groups with external users, use the below cmdlet.

Windows PowerShell

 Get-UnifiedGroup | Where-Object {$_.GroupExternalMemberCount -gt 0} | Select-Object DisplayName, GroupType, PrimarySmtpAddress, GroupExternalMemberCount

This PowerShell cmdlet provides a list of Microsoft 365 groups along with the count of external users in each group.

Option 2 Using Microsoft 365 Admin Center

Login to the Microsoft 365 admin center.
Navigate to the Reports»Usage»Microsoft 365 apps»Groups activity.
In the Choose columns section, select External members to view the external member count in each Microsfot 365 group.

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Login to the AdminDroid Office 365 reporter.
Navigate to Groups with External Users report under Reports»Security»External User Reports.

This report empowers you to efficiently identify Microsoft 365 groups containing external members. With a single click, drill down to view the number of external users & their details, group information, and more.

Utilize AdminDroid's built-in charts to identify the groups with the highest number of external members. This allows you to proritize these groups for risk mitigation and policy enforcement, enhancing security.

Explore a full range of reporting options

Simplify Microsoft 365 Group Membership Audits for External Users!

With the AdminDroid Azure AD reporting tool, uncover all Microsoft 365 groups with external users and eliminate unnecessary access permissions before they become security vulnerabilities.

Witness the report in action using the

Live Demo

Important Tips

Create a group expiration policy for Microsoft 365 groups with external users to automatically revoke access after project deadlines.

Create access reviews to remove inactive external users from Microsoft 365 groups to optimize resources and minimize security risks.

Apply Microsoft 365 sensitivity labels to teams, groups, and SharePoint sites to protect sensitive data during external collaboration.

Azure ADManage External Users in Microsoft 365 Groups for Secure Collaboration

Showing 1 of 4

How to manage Microsoft 365 groups with external users? How to prevent guest users from being added to Microsoft 365 groups? How to review external user group membership in Teams? How to find external user group membership in Microsoft 365?

How to manage Microsoft 365 groups with external users?

External users are added to Microsoft 365 groups for collaboration on projects with clients, vendors, etc. Once added, they have access to relevant group resources like documents, calendars, etc. However, external access should be removed when their project involvement ends to ensure data security and control.

How to add external users to a Microsoft 365 group?

To add external users to a M365 group, you can use either Microsoft 365 admin center or PowerShell.

Using Microsoft 365 admin center:

Login to the Microsoft 365 admin center.
Navigate to the Teams & groups»Active teams & groups»Teams & Microsoft 365 groups.
Select the group to which you wish to add external members.
In the Membership tab, navigate to the 'Members' and select the Add members option.
Choose the desired guest and save the changes.

Using Windows PowerShell:

Going through each step to add external users in the Microsoft 365 admin center may feel time-consuming. However, using PowerShell you can streamline this process by executing a single cmdlet.

Connect to the Exchange Online PowerShell using the below cmdlet.
```
 Connect-ExchangeOnline 
```

To add an external user to a Microsoft 365 group, execute the cmdlet below.

Add-UnifiedGroupLinks -Identity "<GroupName>" -LinkType Members -Links <ExternalUserAddress>

In the above cmdlet, replace '<GroupName>' with the desired group name, and '<ExternalUserAddress>' with the external user's UPN before execution.

How to remove external users from a Microsoft 365 group?

If you find any suspicious or inactive external users, follow the below steps to remove their group memberships. You can use either Microsoft 365 admin center or PowerShell to revoke their membership.

Using Microsoft 365 admin center:

Login to the Microsoft 365 admin center.
Navigate to the Teams & groups»Active teams & groups.
Select the target group under Teams & Microsoft 365 groups and move to the 'Membership' tab. Select the external user you want to remove.
Subsequently, choose the Remove as Member option and confirm it by selecting ‘Remove’ in the pop-up dialog.

Using Windows PowerShell:

Connect to the Exchange Online PowerShell using the below cmdlet.
```
 Connect-ExchangeOnline 
```

To remove an external user from a Microsoft 365 group, use the cmdlet below.

Remove-UnifiedGroupLinks -Identity "<GroupName>" -LinkType Members -Links <ExternalUserAddress>

Replace '<GroupName>' with the respective Microsoft 365 group name, and '<ExternalUserAddress>' with the user principal name of the external user before execution.

Since the guest users’ memberships can change over time, it is essential to monitor these changes regularly. The External Membership Changes in Groups report in AdminDroid efficiently facilitates this task.

It allows you to track and manage external membership modifications in groups, including details such as the operations, target group, status (success or failure), etc.

Tip: Enable report delivery via email using our integrated email feature. This will deliver the report directly to your inbox in your preferred format, including file attachment, downloadable link, or compressed archive (ZIP).

How to prevent guest users from being added to Microsoft 365 groups?

Imagine your company is managing a major business deal involving highly sensitive information, so you create a Microsoft 365 group for the internal team. Adding guest users to this group could expose critical data to unauthorized persons, risking financial losses or legal issues. To avoid these types of unknowing risks, it's essential to prevent adding guest users to such groups.

You can restrict the addition of guest users to Microsoft 365 groups through the Microsoft 365 admin center or PowerShell.

Restrict Guest Members in Groups Using Microsoft 365 Admin Center

Login to the Microsoft 365 admin center.
Navigate to the Settings»Org settings»Services.
Select Microsoft 365 Groups and uncheck the following permissions under the Guests section to control guest access in groups.
- Let group owners add people outside your organization to Microsoft 365 groups as guests: This permission determines whether group owners can add guest users to join the group. If enabled, only group owners can add guest users to collaborate on projects, share files, and participate in group discussions.
- Let guest group members access group content: This permission determines whether guest members can view and interact with the files, calendars, and other resources in the group. Enabling this permission grants guest user access to your organization's data.
Click 'Save' to apply the changes.

Control Guest Users' Group Membership Using Windows PowerShell

If you want to restrict adding external users to a specific group, you can use PowerShell to perform that operation.

Connect to the Microsoft Graph PowerShell using the below cmdlet.
```
 Connect-MgGraph 
```

To disable guest members from Microsoft 365 groups, utilize the script below.

$GroupName = "<GroupName>" 
$Id = (Get-MgBetaDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}).Id
$groupID = (Get-MgBetaGroup -Filter "DisplayName eq '$GroupName'").Id
$params = @{
	templateId = "$Id"
	values = @(
		@{
			name = "AllowToAddGuests"
			value = "false"
		}
	)
}
New-MgBetaGroupSetting -GroupId $groupID -BodyParameter $params

Replace '<GroupName>' with the group name in which you intend to restrict external users.

How to review external user group membership in Teams?

An organization collaborates with external legal and auditing firms on various projects, which allows them to access specific Teams and groups. Efficiently managing their group memberships ensures they only access necessary areas, enhancing security.

To maintain this, use access reviews to regularly check if external users still need access to Teams and groups. This keeps permissions up-to-date and promptly revokes access when collaboration ends, minimizing security risks and maintaining data integrity.

Here’s how to create an access review for external user group memberships in Teams and Microsoft 365 groups.

Sign in to the Microsoft Entra admin center.
Navigate to the Identity»Identity governance»Access reviews.
Click "+New access review" and select Teams + Groups under Select what to review.
Choose All Microsoft 365 groups with guest users in the 'Review Scope' for a comprehensive review of all groups containing external members. This action will automatically set the scope to Guest users only.
Click the Next: Reviews to proceed further.
In the Reviews section, configure whether you are creating a single stage review or multi-stage review.
In the "Specify reviewers", select who will evaluate guest access.
If you select 'Group owners' or 'Managers of users' as primary reviewers, you can also set an optional fallback reviewer. The fallback reviewer can perform the review if the primary reviewers do not exist.
Define the review period and recurrence schedule to run the review periodically (i.e. weekly, monthly, quarterly, annually).
Click on Next: Settings.
Check or uncheck 'Auto apply results to resource' to choose whether decisions should be applied automatically or require manual action respectively.
Configure the additional settings based on your requirements.
Give the access review a name and a description.
Click 'Create' to finalize the review process.

The assigned reviewers will receive email notifications to review external user access within the selected teams & groups. The review interface provides options to grant, deny, or request more information regarding each member's access. Upon review completion, Microsoft Entra enforces the reviewers' decisions based on the settings configuration. This may include the removal of external users with denied access from the corresponding groups.

How to find external user group membership in Microsoft 365?

Imagine an external user shows suspicious behavior, such as accessing unauthorized files and downloading large amounts of data. It's important to check if this external user has access to any sensitive groups, which could lead to data leakage and breaches. Instead of manually checking each group, verify the group memberships of that specific external user by following the steps below.

Login to the Microsoft 365 admin portal.
Navigate to the Users»Guest users, to get a list of all external users within your tenant.
Select a guest user from the list, which will display a general tab containing a section labelled 'Groups'.
Select Manage Groups to find all the groups that the specified guest user is a member of.

This way, you can verify that they are not accidentally granted access to sensitive groups, and they are removed from the group once their requirement ends. By this proactive monitoring, you can uphold your organizational security policies and maintain compliance.

Manually checking Azure AD guest users’ group membership is a
time-consuming process and increases the chance of human errors. Fortunately, AdminDroid offers an incredible solution.

The External User Group Membership report offers effective management of guest users’ group memberships, ensuring external users have access only to the groups that are necessary for their roles.
It prevents the potential over-exposure of sensitive information.

AdminDroid Group Membership ReportingStreamline External User Access in Microsoft 365 Groups with AdminDroid!

Managing external user access in groups is a challenging task that requires a balance between facilitating external collaboration and maintaining organizational security. The AdminDroid Azure AD management tool cuts through this complexity with its intuitive reports. This powerful tool lets you quickly track external users’ group memberships, group activities, and more, providing instant insight into who has access to what. It empowers you to make informed decisions and maintain control over external user access.

Unique features of AdminDroid to get the Microsoft 365 groups with external users:

The Office 365 group with external users report provides you with detailed information on external collaborators in Microsoft 365 groups, including group name, external users count, group ID, group mail, group owners & members, etc. This data provides insights about external users’ password strength, sign-in status and more.

A Quick Summary

Get Real-time Alerts on External Sharing

Leverage AdminDroid alerts to be notified whenever an external user performs any file sharing activities to stay proactive and identify potential risk factors quickly.

Understanding Group Utilization by External Users

Identify how external users utilize the groups with AdminDroid's Group Usage Trend report.

Gain Insights into External User Membership

Easily track external user membership in Microsoft 365 with AdminDroid’s External User Management reports, covering not only Microsoft 365 groups but also Teams, SharePoint, and more.

Monitor the Addition of External Users

Audit the Recently Created External Users report to verify that only approved external users are granted access and prevent unauthorized data exposure in Microsoft 365.

Track Group Activities with AdminDroid Scheduling

Schedule the All Group Operations report to regularly track all group activities, allowing you to take immediate action if needed.

Clean up Inactive Groups with External Users

Utilize AdminDroid’s advanced filtering feature in the Groups Last Activity report to identify inactive Microsoft 365 groups with external users, allowing you to target these groups for potential clean-up.

Overall, AdminDroid reports offer a unified view of all groups with external users which eliminates the need to navigate through individual groups. Additionally, AdminDroid's powerful filtering functionalities empower you to tailor the data to your specific needs, overcoming the limitations of native reporting.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps for Getting Microsoft 365 Groups with External Users

The following are the possible errors and troubleshooting hints while managing Office 365 groups with external members.

Error: The term 'Get-UnifiedGroup' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs in PowerShell when you execute the ‘Get-UnifiedGroup’ cmdlet before connecting to the Exchange Online module.

Troubleshooting hint :Install and connect to the Exchange Online PowerShell module before running this cmdlet.

//To install the Exchange Online module.
Install-Module ExchangeOnlineManagement
//Run the below command to connect to the Exchange Online PowerShell.
Connect-ExchangeOnline

Error: You don’t have permission to perform this action.

This error indicates that your PowerShell session doesn't have sufficient permissions to access information about the Microsoft 365 group.

Troubleshooting hint :Ensure you're using an account with appropriate Microsoft 365 administrator or group owner permissions.

Error: Get-MgUserMemberOf: Resource '<UserID>' does not exist or one of its queried reference-property objects are not present.

This error occurs in PowerShell when you try to get Azure AD users’ group membership using 'Get-MgUserMemberOf' cmdlet.

Troubleshooting hint :Double-check the user ID to ensure it's correct and represents a valid user within your tenant. Also, verify whether Microsoft Graph has permissions for reading user and group memberships.

//You can add permissions by executing the below cmdlet.
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

Error: Get-MgGroup: One or more errors occurred.

This error occurs when you have multiple versions of the MS Graph PowerShell module installed.

Troubleshooting hint :Identify and uninstall all the versions of MS Graph module other than the latest module, using the below cmdlets.

//To list all the available Microsoft Graph module versions.
Get-Module -Name Microsoft.Graph -ListAvailable
//To uninstall the MS Graph module, run the below cmdlet.
Uninstall-Module -Name "Microsoft.Graph" -RequiredVersion <Version> -Force

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Get Microsoft 365 Groups with External Users