
How to Find Guest-Owned Groups in Microsoft 365

When external users become Microsoft 365 group owners, they gain extensive control over group memberships, settings, and sensitive content, posing a real threat of data exposure. As an admin, proactively identifying these guest-owned groups is critical to preventing security risks. This guide provides clear, actionable steps to find guest-owned Microsoft 365 groups to protect your organization’s data and ensure secure collaboration.

Get Guest's Group Ownership Using Microsoft 365 Admin Center

Microsoft 365 Permission Required
Least Privilege: Message Center Reader
Most Privilege: Global Administrator
  • Log in to the Microsoft 365 admin center.
  • Navigate to Teams & Groups » Active teams and groups.
  • Switch to the Teams & M365 groups or Security Groups tab as needed to verify ownership details.
  • Click on the target group and select “Owners” under Membership/Members to view the list of all owners of the Microsoft 365 group.
  • If a “Guest” label appears beside a user’s name, it indicates that the guest is the group owner.

Find the Microsoft 365 Groups with Guest Owners Using Graph PowerShell

Microsoft Graph Permission Required
Least Privilege: Group.Read.All
Most Privilege: Directory.ReadWrite.All
  • Connect to the Microsoft Graph PowerShell module.
     Connect-MgGraph -Scopes "Group.Read.All"
  • Run the following script to get the list of guest-owned groups in Microsoft 365.
     $externalOwners = @()
     $allGroups = Get-MgGroup -All
     foreach ($group in $allGroups) {
         try {
             $owners = Get-MgGroupOwner -GroupId $group.Id -All
             foreach ($owner in $owners) {
                 $upn = $owner.AdditionalProperties['userPrincipalName']
                 if ($upn -like "*#EXT#*") {
                     $externalOwners += [PSCustomObject]@{
                         GroupName = $group.DisplayName
                         GroupId   = $group.Id
                         OwnerName = $owner.AdditionalProperties['displayName']
                         OwnerUPN  = $upn
                     }
                 }
             }
         }
         catch {
             Write-Warning "Failed to get owners for group: $($group.DisplayName)"
         }
     }
     $externalOwners | Sort-Object GroupName | Format-Table GroupName, GroupId, OwnerName, OwnerUPN -AutoSize
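
An alternative inventory, added here as an example and not part of the original script: it starts from the guest accounts rather than from the groups, selects guests by userType instead of matching #EXT# in the UPN, and flags groups where the guest is the only owner. The User.Read.All scope and the report column names are assumptions of this example.

```powershell
# Added example, not from the original page.
# Assumes the Microsoft.Graph.Users and Microsoft.Graph.Groups modules are installed.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

# Select guests by userType rather than by pattern-matching the UPN.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, UserPrincipalName, AccountEnabled

$report = foreach ($guest in $guests) {
    # Owned objects can include non-group directory objects; keep groups only.
    $ownedGroups = Get-MgUserOwnedObject -UserId $guest.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

    foreach ($ownedGroup in $ownedGroups) {
        # Count every owner so groups that depend on one guest stand out.
        $ownerCount = @(Get-MgGroupOwner -GroupId $ownedGroup.Id -All).Count

        [PSCustomObject]@{
            GroupName    = $ownedGroup.AdditionalProperties['displayName']
            GroupId      = $ownedGroup.Id
            GuestOwner   = $guest.DisplayName
            GuestUPN     = $guest.UserPrincipalName
            GuestEnabled = $guest.AccountEnabled
            OwnerCount   = $ownerCount
            SoleOwner    = ($ownerCount -eq 1)
        }
    }
}

# Sole-owner groups first: these become ownerless if the guest is removed.
$report |
    Sort-Object -Property @{ Expression = 'SoleOwner'; Descending = $true }, GroupName |
    Format-Table -AutoSize
```

Groups listed with SoleOwner set to True need an internal owner assigned before the guest's ownership is removed.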

Gain Complete Visibility into Guest-Owned Groups in Microsoft 365!

AdminDroid Entra ID reporting provides an easy way to track guest-owned M365 groups and eliminates the need for manual checks or complex PowerShell scripts. With these insights, admins can efficiently review and manage groups with guest owners to maintain secure governance and protect organizational data.

Track External Users' Activities in Microsoft 365

Monitor Microsoft 365 external user activities to maintain visibility over their actions within your organization and ensure security without compromising external collaboration.

Efficient Guest User License Management

View a detailed list of guest users with assigned M365 licenses, including subscription counts, external domain, license types, and other key details. This helps to track external license assignments, revoke inactive licenses, and optimize subscription usage.

Review M365 Ownership Changes to Avoid Disruptions

Configure alerts for Microsoft 365 group owner changes to track additions and removals in real time and ensure only authorized users retain ownership. This enhances security by preventing unauthorized access and maintaining control over critical permissions.

Monitor Guest Users' Group Memberships in M365

Check the groups with guest members report to verify the number of groups that have guest users in your organization. Proactively remove unnecessary guest users from groups to reduce unwanted data leakage.

Analyse Groups by Owners Count for Effective Management

Use the groups by owner count report to identify groups that may become ownerless if a guest owner is removed. Assign the appropriate owner before taking any action to maintain proper group management.

Get Detailed Microsoft 365 Group Owners List

Review the Microsoft 365 owners report to identify whether owners are internal or external users. This helps limit unnecessary external control over resources, reduce compliance risks, and ensure only trusted, authorized users can manage critical assets.

In conclusion, managing guest-owned Microsoft 365 groups helps organizations maintain strict ownership boundaries and prevent unauthorized access. With clear insights and alerts, AdminDroid’s Entra ID management tool enables admins to track groups with guest owners, address ownership gaps, and ensure that only trusted users manage critical groups.


Important tips

Implement access review policies in Microsoft Entra ID to periodically verify whether guest owners still require ownership access and remove inactive or unapproved guest ownerships.

Enforce Conditional Access policies to regulate the access of guest owners and specify allowed locations and conditions for their connection to the organization’s resources.

Regularly audit guest-owned groups to identify ownership anomalies or unusual activity and ensure that guest owners comply with company policies.

Common Errors and Resolution Steps

Error Get-MgUser : Insufficient privileges. To complete the operation. Status: 403 (Forbidden).

This error occurs when the 'Connect-MgGraph' cmdlet is executed without specifying the required scopes or necessary privileges.

Fix Define the necessary scopes when connecting to the Microsoft Graph PowerShell module as shown below.
Connect-MgGraph -Scopes "Directory.Read.All"

Error Get-UnifiedGroup : A parameter cannot be found that matches parameter name 'GroupType'.

This error occurs when attempting to filter group owners by group type using the GroupType parameter in the Get-UnifiedGroup cmdlet.

Fix Get-UnifiedGroup is designed to list only Microsoft 365 groups, and you can’t filter by group type directly. Instead, you can optionally filter on properties like DisplayName, EmailAddresses, ManagedBy, or AccessType.

Error User invitation failed. Insufficient privileges to complete the operation.

This error occurs when attempting to add a guest user to your tenant and the guest invite settings do not have sufficient privileges.

Fix To resolve this, update the external collaboration settings in the Microsoft Entra admin center to allow guest invitations, then try adding the guest user again.

Error Get-MgGroup: One or more errors occurred.

This error occurs when you have multiple versions of the MS Graph PowerShell module installed.

Fix Uninstall all versions of the Microsoft Graph module, and then reinstall the latest stable version of the Microsoft Graph module.
#Uninstall every installed version of each Microsoft.Graph* module
Get-InstalledModule | Where-Object { $_.Name -like "Microsoft.Graph*" } |
ForEach-Object { Uninstall-Module -Name $_.Name -RequiredVersion $_.Version -Force }
#Install the latest stable Microsoft Graph module
Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force
Frequently Asked Questions

Manage Guest Ownership in Office 365

1. What are the risks of having guest users as group owners in Microsoft 365?

Since Microsoft 365 guest owners have elevated permissions like internal owners, it’s necessary to check whether their ownership is needed. Admins should monitor external users’ activities and manage groups efficiently.

  • Unmanaged groups due to temporary access: Guest users are often onboarded for short-term collaboration. If they are the sole owners of Microsoft 365 groups and are removed without assigning a new owner, the group can become unmanaged, affecting membership updates, approvals, and group settings.
    Tip to reduce the risk: Periodically monitor Microsoft 365 group ownership changes to ensure that each group has an assigned owner.
  • Audit challenges with guest group owners: Proper identification of group owners during audits is critical for proper access control and compliance. Having guest users as Microsoft 365 group owners complicates identity verification and monitoring, and allows unchecked modifications to critical resources.
  • Sensitive information exposure: Guest owners may inadvertently or deliberately share confidential information outside the organization, which may cause data leaks.
    Tip to reduce the risk: To give the right level of access, you can configure guest access restrictions in Microsoft Entra ID.
  • Reviewing and limiting guest owner permissions: Guest owners can manage M365 group settings, add or remove members, and assign additional privileges to members. So, it is important to review and limit guest owner permissions to reduce security risks and prevent unnecessary privilege escalation.

2. How to notify admins when a Microsoft 365 guest user is assigned as a group owner?

Using native Microsoft 365 tools to notify admins when a guest user becomes a group owner is possible, but in practice it has several challenges.

  • Complex setup – You need to combine audit logs, advanced filters, or Power Automate flows, which require extra licensing and technical effort.
  • Maintenance overhead – PowerShell scripts must be scheduled using tools like Task Scheduler or Azure Automation, monitored regularly, and constantly updated to handle new groups or changes.

But AdminDroid works like a charm, allowing you to generate custom alerts with just a few clicks, without any manual effort or errors.

Don’t wait to discover risky guest owners by accident! Be alerted instantly with AdminDroid!

  • By deploying the pre-built alert group ownership changes and applying the filter User Type = Guest, you receive immediate alerts whenever a guest is added as a group owner.
  • These instant notifications help you take appropriate action to ensure legitimacy and determine whether the guest ownership is actually necessary.

Pro tip: In addition to email notifications, you can also configure Teams to receive alerts, which is ideal if you want immediate notifications via instant messaging.
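
The native audit-log route mentioned above can be sketched as follows. This is an added example, not code from the original page: it assumes owner additions appear in the Entra audit log under the activity name 'Add owner to group' with a User target and a 'Group.DisplayName' modified property, and it reuses the page's #EXT# test to recognize guests. The one-day window and the output file name are placeholders.

```powershell
# Added example, not from the original page.
# Assumes the Microsoft.Graph.Reports module and the AuditLog.Read.All scope.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Look back one day; a scheduled run would use its own interval here.
$since  = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Add owner to group' and activityDateTime ge $since"
$entries = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$alerts = foreach ($entry in $entries) {
    # The user who received ownership is logged as a target of type User.
    $newOwner = $entry.TargetResources |
        Where-Object { $_.Type -eq 'User' } | Select-Object -First 1

    # Skip internal owners; guests carry #EXT# in their UPN.
    if (-not $newOwner -or $newOwner.UserPrincipalName -notlike '*#EXT#*') { continue }

    # Assumption: the group name is recorded as a modified property on the user target.
    $groupProp = $newOwner.ModifiedProperties |
        Where-Object { $_.DisplayName -eq 'Group.DisplayName' } | Select-Object -First 1
    $groupName = if ($groupProp) { $groupProp.NewValue.Trim('"') } else { '(unknown)' }

    # The change may have been made by a user or by an application.
    $actor = if ($entry.InitiatedBy.User.UserPrincipalName) {
        $entry.InitiatedBy.User.UserPrincipalName
    } else {
        $entry.InitiatedBy.App.DisplayName
    }

    [PSCustomObject]@{
        TimeUtc     = $entry.ActivityDateTime
        GroupName   = $groupName
        GuestOwner  = $newOwner.UserPrincipalName
        AddedBy     = $actor
        Result      = $entry.Result
        Correlation = $entry.CorrelationId
    }
}

# Hand the findings to whatever notification channel the scheduler uses.
$alerts | Sort-Object TimeUtc | Export-Csv -Path "GuestOwnerAdditions.csv" -NoTypeInformation -Encoding UTF8
```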

4. How to remove guest owners from groups in Microsoft 365 using PowerShell?

Guest users with owner roles in Microsoft 365 groups can lead to security and compliance risks. To help prevent unauthorized access or accidental changes by external users, it is important for administrators to regularly audit group ownership and remove guests from owner roles.

Find and remove guest owners from group membership

Use this command to remove a guest owner from the M365 group’s membership. This action ensures that the guest no longer has access to the group’s resources and content.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"
# Start with an empty array so that += can append every removed owner.
$removedGuests = @()
$groups = Get-MgGroup -All
foreach ($group in $groups) {
    Write-Host "Processing group: $($group.DisplayName)" -ForegroundColor Cyan
    # -All pages through every owner of the group.
    $owners = Get-MgGroupOwner -GroupId $group.Id -All
    foreach ($owner in $owners) {
        # Owners can also be service principals; only user objects have a UserType.
        if ($owner.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $user = Get-MgBetaUser -UserId $owner.Id
            if ($user.UserType -eq 'Guest') {
                Write-Host "Removing guest owner: $($user.DisplayName) from group: $($group.DisplayName)" -ForegroundColor Yellow
                try {
                    Remove-MgGroupOwnerByRef -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop
                    # Record the owner only after the removal succeeded.
                    $removedGuests += [PSCustomObject]@{
                        GroupName      = $group.DisplayName
                        GroupId        = $group.Id
                        GuestName      = $user.DisplayName
                        GuestUPN       = $user.UserPrincipalName
                        RemovedAt      = (Get-Date)
                    }
                }
                catch {
                    # Surface failures, for example when the guest is the group's last owner.
                    Write-Warning "Could not remove $($user.UserPrincipalName) from $($group.DisplayName): $($_.Exception.Message)"
                }
            }
        }
    }
}
$removedGuests | Export-Csv -Path "RemovedGuestOwnersReport.csv" -NoTypeInformation -Encoding UTF8
Write-Host "`n Completed. Removed guest owners are saved to 'RemovedGuestOwnersReport.csv'" -ForegroundColor Green

Overall, this script scans all Microsoft 365 groups to identify guest users with owner roles and removes their ownership. It also generates a list of removed guest owners for reporting or further admin actions.

5. How to prevent guests from being added to a specific Microsoft 365 group using PowerShell?

If you wish to prevent guest access for specific M365 groups, you can block the guest access to the group by using Microsoft PowerShell. This prevents new guests from being added, but doesn't remove guests who are already members of the group.

Note: You must use the beta version of Microsoft Graph PowerShell to change the group-level guest access setting. Additionally, Global Administrator permission is required.

Run the following script after replacing <GroupName> with the name of the group where you want to disable guest access.

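Connect-MgGraph -Scopes "Directory.Read.All", "Group.ReadWrite.All"
$GroupName = "<GroupName>"
# Look up the template that holds the group-level guest setting.
$templateId = (Get-MgBetaDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "group.unified.guest"}).Id
# Display names are not unique, so stop unless exactly one group matches.
$matchedGroups = @(Get-MgBetaGroup -Filter "DisplayName eq '$GroupName'")
if ($matchedGroups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($matchedGroups.Count)."
}
$groupID = $matchedGroups[0].Id
$params = @{
    templateId = "$templateId"
    values = @(
        @{
            name  = "AllowToAddGuests"
            value = "$false"
        }
    )
}
# -ErrorAction Stop keeps the success message from printing if the setting was not created.
$setting = New-MgBetaGroupSetting -GroupId $groupID -BodyParameter $params -ErrorAction Stop
Write-Host "Guest access has been disabled for group: $GroupName (ID: $groupID)" -ForegroundColor Green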
