How to Get Nested Groups Report in Microsoft 365

Larger organizations use Microsoft 365 nested groups to represent sub-groups, since they manage multiple departments and projects. Nested groups streamline permission management by granting access at a higher group level while keeping flexibility for individual sub-groups. This guide shows how to get an Entra ID nested groups report in Microsoft 365 so that you can manage them more efficiently.

Using PowerShell

Microsoft 365 permission required: Group Admin (least privilege), Global Admin (most privilege)
  • Connect to the Microsoft Graph PowerShell module with the 'GroupMember.Read.All' permission.
     Connect-MgGraph -Scopes GroupMember.Read.All
  • Then, run the following cmdlet to get all nested groups within a specific group in Microsoft 365.
     Get-MgGroupMemberAsGroup -GroupId <GroupId>

Using PowerShell Script

Microsoft 365 permission required: Group Admin (least privilege), Global Admin (most privilege)
  • Note that the above PowerShell cmdlet returns nested groups only for a specified group. However, it won't check each group or retrieve a complete list of nested groups across your organization.
  • To overcome this limitation, we have developed a user-friendly PowerShell script that retrieves all nested groups within your M365 tenant.
  • Download and run the script in Administrator PowerShell to export all nested groups in Microsoft 365.
M365NestedGroups.ps1
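
A tenant-wide version of the single-group lookup, as an added example (not AdminDroid's M365NestedGroups.ps1 and not code from the original page): it walks every group with Get-MgGroup and Get-MgGroupMemberAsGroup, records each parent/nested pair, and adds how many further levels of nesting sit below each parent. The helper name Get-NestingDepth and the output file NestedGroupsReport.csv are assumptions.

```powershell
# Added example: tenant-wide nested group report (not the vendor's M365NestedGroups.ps1).
# Requires the Microsoft.Graph.Groups module; uses the same read-only scope as above.
Connect-MgGraph -Scopes GroupMember.Read.All

# Longest chain of nested groups below a group. $Path stops the walk if a group
# already on the current chain shows up again. (Hypothetical helper name.)
function Get-NestingDepth {
    param([string]$GroupId, [hashtable]$ChildrenOf, [string[]]$Path = @())
    if ($Path -contains $GroupId) { return 0 }
    $max = 0
    foreach ($childId in $ChildrenOf[$GroupId]) {
        $depth = 1 + (Get-NestingDepth -GroupId $childId -ChildrenOf $ChildrenOf -Path ($Path + $GroupId))
        if ($depth -gt $max) { $max = $depth }
    }
    return $max
}

# Pass 1: collect every parent -> nested group edge in the tenant.
$groups     = Get-MgGroup -All -Property Id, DisplayName
$childrenOf = @{}
$edges = foreach ($parent in $groups) {
    foreach ($child in (Get-MgGroupMemberAsGroup -GroupId $parent.Id -All)) {
        if (-not $childrenOf.ContainsKey($parent.Id)) { $childrenOf[$parent.Id] = @() }
        $childrenOf[$parent.Id] += $child.Id
        [pscustomobject]@{
            ParentGroup     = $parent.DisplayName
            ParentGroupId   = $parent.Id
            NestedGroup     = $child.DisplayName
            NestedGroupId   = $child.Id
            SecurityEnabled = $child.SecurityEnabled
            MailEnabled     = $child.MailEnabled
        }
    }
}

# Pass 2: annotate each row with how deep nesting continues below the parent.
$report = $edges | Select-Object *, @{
    Name       = 'DepthBelowParent'
    Expression = { Get-NestingDepth -GroupId $_.ParentGroupId -ChildrenOf $childrenOf }
}

# Deepest chains first: these are the groups where inherited access is hardest to review.
$report | Sort-Object DepthBelowParent -Descending |
    Export-Csv -Path .\NestedGroupsReport.csv -NoTypeInformation
```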

Finding all Microsoft 365 nested groups made easy!

AdminDroid’s Azure AD reporting tool simplifies the process of retrieving all nested groups in your Microsoft 365 environment. It offers detailed reports on M365 groups, facilitating effective management and control over group-related activities in your organization.

Locate Nested Groups with Advanced Filtering with Ease

Locate nested groups efficiently with AdminDroid's rich filtering, which lets you filter groups based on properties such as group type, mail-enabled status, and more.

Stay Informed about Changes in Group Memberships

Gain insights into Microsoft 365 group activities with detailed audit reports. Track changes and stay informed about modifications in group memberships, making it easier to monitor your organization’s group activities.

Detailed Analysis of Microsoft 365 Groups

Access comprehensive insights on Microsoft 365 group reports that detail memberships, ownerships, and group types like security, distribution, and mail-enabled groups to enhance group management.

Get Regular Updates on Nested Groups in M365

Schedule the nested groups report to receive updates in your inbox daily, weekly, or monthly. This ensures you stay informed about nested groups and gain better insights into group memberships and configurations.

Easily Manage Empty Groups in Microsoft 365

The Empty Groups report lets you easily spot M365 groups without members. You can quickly decide whether to delete or retain these groups, helping you maintain a clutter-free and efficient M365 environment.

Simplified Dashboard for Efficient Group Management

The Microsoft 365 group dashboard gives you a centralized, at-a-glance view of all group-related metrics and activities within Azure AD, which reduces the time spent navigating various interfaces.

Overall, AdminDroid helps you easily find nested groups, making the process quick and effortless with just a few clicks. AdminDroid’s Azure AD auditing tool allows you to monitor user permissions, license changes, group setting changes, and much more.

Important Tips

Since Microsoft 365 group-based licensing doesn't apply to members of nested groups, make sure that all users who require licenses are direct members of the licensed groups.

Use nested groups as the includeTarget or excludeTarget in the system-preferred MFA setting to enable the most secure authentication methods for nested group members.

As Microsoft Entra supports nested groups, you can create and add them for wider deployment while enabling self-service password reset based on your organization's needs.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when accessing all nested groups in Azure AD.

Error: Nesting is currently not supported for groups that can be assigned to a role.

This error occurs when attempting to nest a group that is assigned to a role in Microsoft Entra ID. Role-assignable groups do not support nesting, which leads to the error.

Fix: Use the PowerShell cmdlet below to identify role-assignable groups and ensure the group you're trying to nest is not one of them.
Get-MgGroup -Filter "isAssignableToRole eq true"

Error: Get-MgGroupMemberAsGroup : Insufficient privileges to complete the operation.

This error occurs when running the 'Get-MgGroupMemberAsGroup' cmdlet without the permissions necessary to perform the requested operation.

Fix: Connect to the MS Graph PowerShell module with the 'GroupMember.Read.All' permission before running the 'Get-MgGroupMemberAsGroup' cmdlet.
# Run the cmdlet below to connect to MS Graph PowerShell.
Connect-MgGraph -Scopes GroupMember.Read.All

Error: Get-MgGroupMemberAsGroup : One or more errors occurred.

This error typically occurs when you have multiple versions of the MS Graph PowerShell module installed. To identify the available versions of the Microsoft Graph PowerShell module, run the following cmdlet.

Get-Module -Name Microsoft.Graph -ListAvailable

Fix: Uninstall all the older versions of the module to resolve the issue, replacing $Version with each version number to remove.
Uninstall-Module -Name "Microsoft.Graph" -RequiredVersion $Version -Force

Error: Microsoft 365 groups are not allowed.

This error occurs when attempting to nest Microsoft 365 Groups in Entra ID, but since Microsoft 365 Groups nesting is not supported, the action fails.

Fix: Ensure that you are only nesting security groups or distribution lists, as Microsoft 365 Groups cannot be nested within other groups.

Error: ./M365NestedGroups.ps1 cannot be loaded because running scripts is disabled on this system.

If you have set the execution policy settings to 'RemoteSigned', the above error will occur when running the PowerShell script.

Fix: Change the execution policy for the current PowerShell session by running the cmdlet below.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted

Error: Failed to remove group membership.

This error occurs when trying to remove the group membership of a distribution list from another distribution list in Microsoft Entra ID.

Fix: Use the Exchange Online admin center, as Entra ID doesn't manage distribution list memberships. You can also use the Exchange Online PowerShell cmdlet to remove DL members.
Remove-DistributionGroupMember -Identity "DLName" -Member "MemberName"

Frequently Asked Questions

Manage Nested Groups in Microsoft 365 to Streamline Access Management Effectively

How to create a nested group in Entra Admin Center?

Nested groups in Microsoft 365 allow you to enhance access management by adding one group as a member of another group. They support various scenarios, including group membership claims, Conditional Access policy assignments, and managing access permissions for self-service password reset and Microsoft Entra device registration.

Steps to create a nested group in the Entra Admin Center

  • Navigate to All groups under Identity»Groups in the Microsoft Entra admin center.
  • Click on New group and select the Group type as Security.
  • Enter the Group name and select Membership type as Assigned.
  • Click on the link under Members and select a group that you want to nest in this group & click 'Select'.
  • Then, hit the 'Create' button to create a parent group with groups nested under it.

While Microsoft 365 admin portals lack the ability to audit nested group management activities, AdminDroid offers a robust solution!

  • In AdminDroid's Group Member Changes report, use the Advanced customization to display items where "Operation" as "Add Group Member" and "Added/Removed User" starts with "Group".
  • This granular filtering enables you to easily audit the nested group creations with details, such as activity time, group name, operation, result status, activity performed on, performed by, etc.

Can distribution groups be nested in Microsoft 365?

Yes, creating nested distribution groups in Microsoft 365 enables efficient management of email communications by organizing multiple groups under a single parent distribution list. It simplifies the process of sending emails to a larger audience and maintains organized group memberships for better communication within your organization.

Steps to create nested distribution group using Exchange admin center

  • Navigate to Distribution list tab under Recipients»Groups in the Exchange admin center.
  • Click the group where you want to nest another group.
  • In the side pane, choose Members tab and select 'View all and manage members' to see all members of the group.
  • Click Add Members to select the groups that you want to include as members of this group.
  • Finally, click 'Add' button to create a nested distribution list in Microsoft 365.

Steps to create nested distribution group using PowerShell

To create a nested distribution group, first connect to the Exchange Online PowerShell.

Connect-ExchangeOnline

Then, run the below cmdlet to add a group as a member of another group.

Add-DistributionGroupMember -Identity <ParentGroup> -Member <NestedGroup>

Moreover, you can use the script below to export a report of all nested distribution group members in Microsoft 365.

GetNestedDistributionGroupMembers.ps1

With AdminDroid, you can easily export nested distribution groups report in various formats such as HTML, PDF, CSV, XLS, and XLSX.

  • Utilize the AdminDroid’s Distribution Group Members report with "Member Type" filter as "Group" to access the nested distribution groups in your Microsoft 365 environment.
  • This report provides details, such as group name, group mail, nested DL name, nested DL email, member type, etc.

Pro Tip: Click on the Download/Export icon to download the report in your desired format.

What are the benefits and limitations of nested groups in Azure AD?

While nested groups in Microsoft Entra ID offer several benefits, they also come with certain limitations. Here's a look at both the benefits and limitations.

Benefits of nested groups in Entra ID

  • Conditional Access: Nested groups are supported when a Conditional Access policy is applied with a group scope.
  • Self-Service Password Reset: Since SSPR access is limited to a single group, nested groups allow users within them to inherit access, enabling them to perform SSPR.
  • Device Registration: Nested groups can be used to limit which users can do Microsoft Entra join and device registrations.

Limitations of nested groups in Entra ID

  • App Role Assignment: Nested group membership and app role assignments to an application are not supported.
  • Group-based Licensing: Licenses for nested groups do not inherit from their parent groups. You must apply licenses to each nested group individually.
  • Microsoft 365 Groups: Adding Microsoft 365 groups to security groups and vice versa is not supported.
  • Azure RBAC Nested Groups: Nesting is currently not supported for groups that can be assigned to a role.

How to assign licenses to nested group members in Microsoft 365?

As we know, nested groups do not support group-based licensing in Microsoft Entra ID. However, admins can create dynamic membership groups that automatically include members based on specified attributes. This allows admins to assign licenses to the direct members of nested groups.

Let’s take a scenario:

Imagine you have Group A, which contains Group B and Group C as nested groups. Since licenses assigned to Group A are not inherited by its child groups, you can create a dynamic group, say 'Dynamic Group D', that automatically includes members from Group B and Group C based on the 'memberOf' attribute.

Steps to create a group membership from Azure AD dynamic groups

  • Navigate to All groups under Identity»Groups in the Microsoft Entra admin center
  • Click on New group, fill in the group details and select the Group type as Security or Microsoft 365, and the Membership type as dynamic user.
  • Select the 'Add dynamic query' and click on 'Edit' to write the rule in the Rule syntax box.

    user.memberof -any (group.objectId -in ['GroupA_Id', 'GroupB_Id', 'GroupC_Id'])

  • Click 'OK' and 'Create' to add members of other groups using the memberOf attribute.

By creating dynamic groups in Microsoft Entra ID, you can effectively flatten group membership, allowing direct members of Group A, Group B and Group C to be included in Dynamic group D. Once set up, you can assign licenses to this dynamic group, ensuring other group members receive the proper licenses without facing limitations from nested group structures.
