🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
SharePoint Online

How to Export SharePoint Online Group Membership Changes Report

Have you ever faced sudden unexpected modifications in SharePoint Online group memberships? Such changes can lead to unauthorized access or the loss of important data. Thus, it’s essential to audit SharePoint group membership changes to reduce these security risks. This guide will show you how to audit group member additions and removals along with some best practices to manage SharePoint Online group memberships.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft 365 Audit Logs

Microsoft 365 Permission Required
Global Admin, Exchange Admin, or Compliance Admin.
  • Login to the Microsoft Purview compliance portal.
  • Under the Solutions section, select Audit.
  • If required, customize the date and time range.
  • Click on the Activities – friendly names drop-down and select "Added user or group to SharePoint group" and "Removed user or group to SharePoint group" options.
  • Click on Search. Once the search is completed, you can export the SharePoint Online group membership changes report.
Using Microsoft 365 Audit Logs
Note: To access activities that happened beyond 180 days, you need to have licensing for long-term audit log retention.

Using Windows PowerShell

Microsoft 365 Permission Required
Global Admin, Exchange Admin, or Compliance Admin.
  • Connect to Exchange Online PowerShell using the below cmdlet.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the below cmdlet to track group membership changes in SharePoint Online.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate mm/dd/yyyy -RecordType SharePointSharingOperation -Operations AddedToGroup,RemovedFromGroup |Format-Table CreationDate,UserIds,Operations -AutoSize
Using Windows PowerShell

Using PowerShell Script

Microsoft 365 Permission Required
Global Admin, Exchange Admin, or Compliance Admin.
  • The above cmdlet retrieves results in JSON format, which needs to be processed further to get details, such as who removed or added a user to a SharePoint Online group.
  • To simplify this task, we have crafted a PowerShell script that provides complete information to track SharePoint group membership changes.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
AuditSPOGroupMembershipChanges.ps1
AdminDroid SharePoint Online Reporter

Examine unauthorized modifications to SharePoint group memberships!

The AdminDroid SharePoint Online auditing tool helps you to stay informed about all group membership activities happening in your organization. It also includes dedicated reports to check the presence of external users in SharePoint groups, which helps you to know whether they have access to any confidential sites.

Audit Changes to SharePoint Online Groups

Visualize SharePoint Online group modifications using charts to depict the users responsible for creating or updating groups and managing their memberships.

Review User Activities in SharePoint Online

AdminDroid’s SharePoint Online user activity reports help you to identify and remove inactive users from SharePoint groups.

Access SPO Group Membership List

Export SharePoint Online group members to excel and other formats to your local system for accessing group memberships at any time.

Track SharePoint Admin Access Removals

Get real-time alerts on SharePoint Online site admin removals and add them back to the relevant groups if necessary.

Monitor SharePoint Guests’ Group Membership

Utilize AdminDroid's advanced scheduling for regular updates of the SharePoint Online guest users list sent to your mailbox. This will enable you to monitor guest access in SharePoint groups.

Inspect Sharing Invitations in SharePoint Online

Find out who is inviting users in SharePoint Online and modify the group settings to block unintended users from sending invitations.

AdminDroid streamlines SharePoint Online group management by offering real-time insights, customizable reports, and proactive monitoring capabilities. By tracking SharePoint group membership changes, you can ensure that permissions are appropriately managed and unauthorized access is promptly addressed.

Explore a full range of reporting options
Download Live Demo

Important Tips

Restrict domain sharing in SharePoint Online to allow users only from specific external domains to be a member of SharePoint groups.

Configure DLP policies in SharePoint Online to avoid sensitive data sharing by SPO group members.

Review empty SharePoint Online groups and promptly remove them to maintain an organized Microsoft 365 environment.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while tracking SharePoint group membership changes.

Error You do not have permission to view the membership of the group.

This happens when you try to list the members of other SharePoint groups.

Fix Run the below cmdlet to view group membership in SharePoint Online. 
Set-PnPGroup -Identity "<GroupName>" -OnlyAllowMembersViewMembership:$false

Error A domain group cannot be the owner of a group.

This error occurs when you try to assign the group’s owner permissions to other groups that are not part of the SharePoint site.

Fix Assign group owner permissions only to those groups within the SharePoint site.

Error Add-SPOUser : The specified user could not be found.

This happens when you add an external user to a SharePoint Online site that does not have permission to add new guests.

Fix Run the below cmdlet to allow sharing SharePoint sites with new guest users. 
Set-SPOSite -Identity "<SiteURL>" -SharingCapability ExternalUserSharingOnly

Error Set-PnPGroup : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).

This error occurs when you don’t have the group's owner permission in SharePoint Online.

Fix Run the below cmdlet to assign the group owner permission in SharePoint Online. 
Set-SPOSiteGroup -Site "<SiteURL>" -Identity "<GroupName>" -Owner "<OwnerUPN>"
SharePoint Online
Frequently Asked Questions

Monitor SharePoint Group Membership Changes to Identify and Remove Suspicious Users in Microsoft 365

What are the default permission groups in SharePoint Online?
How to add users to a SharePoint Online group?
How to hide SharePoint Online group membership?
How to get a list of members in a SharePoint Online group?
How to change permissions for a group in SharePoint Online?

1. What are the default permission groups in SharePoint Online?

SharePoint Online groups offer a streamlined approach for managing permissions and regulating access to your documents. Instead of assigning permissions individually to users, you can add users to a SharePoint group and assign required permissions to it. Thus, the given permissions will be assigned to all the group members which streamlines user privilege management and ensures consistent access control across SharePoint Online.

When a new SharePoint Online site is created, the following groups are created automatically.

  • Site Owners : Users who are designated as owners of the site are automatically added to a security group. This security group is then included in the Site owner group to grant them "Full Control" over the site.
  • Site Members : Similarly, users who are designated as members of the site are automatically added to another security group. This security group is then included in the Site member group to grant them "Edit" permission over the site.
  • Site Visitors : By default, this group will be empty. When you assign "Read" permission to a user, they will be automatically added to this group.
Here’s a brief scenario,
  • Imagine you’ve created a SharePoint site named "Sales and Marketing" with some owners and members.
  • Now, they will be added to respective security groups named "Sales and Marketing Owners" and "Sales and Marketing Members".
  • These security groups are then added to the default SharePoint permission groups named "Site Owners" and "Site Members".
  • If you share the site with users by assigning read permissions, they will be added to the default SharePoint permission group named "Site Visitors".

You can check it by navigating to Settings»Site permissions in your SharePoint Online site.

sharepoint-groups

Additionally, you can create and manage groups in SharePoint Online based on various criteria such as department, project, or specific roles within the organization.

Create a group in SharePoint Online

  • Navigate to the desired SharePoint Online site. Click on the Settings (gear icon) and select Site permissions»Advanced permission settings.
  • Click on Create Group and provide a name and description. Select a group owner and permission level. If you wish, you can also adjust group settings and manage membership requests. Once finished, click on Create.

Delete a group in SharePoint Online

To delete a SharePoint group, simply select the desired group. Choose "Group Settings" under the Settings drop-down menu. Now, click on the Delete option located at the bottom.

2. How to add users to a SharePoint Online group?

You can add users to an existing or newly created SharePoint Online group by following the steps below.

  • Go to the desired SharePoint Online site.
  • Navigate to Settings»Site permissions»Advanced permission settings.
  • Click on the SharePoint group to which you want to add users. Under the New drop-down box, select "Add users to this group".
  • Type the Microsoft 365 usernames you want to add. You can also add external users to a SharePoint group by typing their email addresses.
  • If you prefer to add users without invitation, click on Show Option and uncheck the "Send an email invitation" checkbox to disable it.
add-users-spo-groups

Similarly, to remove users from a SharePoint group, click on the desired user/group. Under the Actions drop-down box, select "Remove Users from Group".

AdminDroid helps you to manage SharePoint Online groups by offering insights into all the group memberships and sharing related activities.

3. How to hide SharePoint Online group membership?

When you create a SharePoint group, everyone on the site can view its members. However, if the group is intended for sensitive roles, you may not want to disclose their identities to other groups' members. In such cases, you can customize the group settings to hide this information.

  • Locate to the desired SharePoint Online site.
  • Tap on the Settings icon and select Site permissions»Advanced permission settings.
  • Click on the SharePoint group whose membership you wish to hide. Under the Settings drop-down, select Group Settings.
  • Under "Who can view the membership of the group?", select the Group Members option. It ensures that only members within the group can view its membership details.
  • Once done, click on OK.

You can also use PnP PowerShell to hide group membership information in SharePoint Online.

Connect-PnPOnline -Url <DesiredSite’sURL> -Interactive
Set-PnPGroup -Identity "<GroupName>" -OnlyAllowMembersViewMembership:$true

AdminDroid provides a detailed report on changes made to SharePoint group settings that helps you to revert inappropriate modifications.

  • By consistently reviewing the Updated SharePoint Groups report, you can determine who changed the group's name, who has permission to view or edit group membership, and how membership requests are handled.
updated-sharepoint-groups

Handy Hint: You can refer to the "Modified Properties" column to check the modified settings and revert them if required.

4. How to get a list of members in a SharePoint Online group?

When you add a user to a site or share access with them, they are automatically included in the SharePoint Online members or visitors groups. Therefore, it's crucial to regularly review the list of members in SharePoint groups and identify any unwanted users who may no longer require access.

Check group membership in SharePoint Online

  • Login to the desired SharePoint Online site. Click on the Settings icon and select Site permissions»Advanced permission settings.
  • Choose the desired SharePoint group. Here, you can see all group members including individual users and security groups.

Get SharePoint group membership list using PowerShell

Run the Get-SPOUser cmdlet below to view group membership in SharePoint Online.

Connect-SPOService –Url <SPOAdminCenterURL>
Get-SPOUser -Site "<DesiredSiteURL>" ‐Group "<SharePointGroupName>"
get-spo-user

Navigating to each SharePoint group to check its membership details might be a time-consuming task. Similarly, with PowerShell, you need to manually specify each group to view the membership list.

Conversely, AdminDroid provides you the list of all SharePoint group members and their details in a single report.

  • The SharePoint Group Members report shows all security groups and users added as members of a SharePoint group. You can refer to the "MemberType" column to identify the type of membership.
sharepoint-group-members

Handy Hint: Utilize AdminDroid’s easy filter functionality for "User Name" to check the SharePoint groups a user is a member of.

5. How to change permissions for a group in SharePoint Online?

If you feel that a group has excessive or insufficient permissions within a SharePoint site, you can edit their permission levels by following the steps below.

  • Navigate to the desired SharePoint Online site. Click on the Settings icon and select Site permissions»Advanced permission settings.
  • Select the desired SharePoint group and tap on Edit User Permissions. Choose the required permission level and click on OK.
spo-group-permissions

You cannot edit permission levels for default groups directly in SharePoint Online. However, you can customize the SharePoint Online permission levels of these default groups using PowerShell.

Connect-PnPOnline -Url <DesiredSite’sURL> -Interactive
Set-PnPGroup -Identity "<GroupName>" -AddRole "<NewPermission>" -RemoveRole "<OldPermission>"

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
SharePoint Online
How to Export SharePoint Online Group Membership Changes Report
SharePoint Online Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo