How to Report All Users and Group Membership With Microsoft Graph PowerShell

As an administrator, identifying which groups a user is a member of is quite simple if you only need to find out for a single user. From Microsoft Entra, you can simply find the target user and click on the Groups tab. However, using the admin portal isn’t always preferred, especially if you need to look up this information often or need to find out every user’s group memberships.

In this tutorial, I am going to show you how you can use Microsoft Graph PowerShell to produce a report of all users’ group memberships.

About Get-MgUserMemberOfAsGroup

The Get-MgUserMemberOfAsGroup cmdlet allows you to find which groups a user is a member of. This is helpful when troubleshooting access-based issues, or even if you are asked to produce a membership report for a single user or all users in your organisation.

The cmdlet is part of the Microsoft.Graph.Users module and, as such, you will need to ensure you have the most up-to-date version of the Microsoft Graph PowerShell modules installed. For details on how to install this module, follow my tutorial on How To Install the Microsoft Graph PowerShell Module.

See below for further information on this cmdlet:

  • Name: Get-MgUserMemberOfAsGroup
  • Method: GET
  • URI: https://graph.microsoft.com/v1.0/users/{user-id}/memberOf/group
  • Output Type: Object
  • Permissions: User.Read.All, Directory.Read.All

Find all groups a user is a member of

You can use the code below to get a list of groups that a single user is a member of. Ensure you replace the -UserId value with the username of your target user.

Connect-MgGraph -Scopes User.Read.All, Directory.Read.All

# user@example.com is a placeholder; replace it with the username of your target user
Get-MgUserMemberOfAsGroup -UserId "user@example.com"

Your results from the above commands will look like the following:

Get-MgUserMemberOfAsGroup results

Report all users and group memberships with Microsoft Graph PowerShell

We can expand on our last command to generate a report of all users and their group memberships in our Microsoft 365 tenant. To do this, we will use the ForEach command to loop through each user and add this information to an array. That array will then be exported to a CSV.

For more details on how to generate your own custom reports using ForEach loops, see my tutorial, How to Use a Powershell Foreach Loop With Examples.

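Connect-MgGraph -Scopes User.Read.All, Directory.Read.All

# Get-MgUser ships in the same Microsoft.Graph.Users module as Get-MgUserMemberOfAsGroup
$users = Get-MgUser -All
$report = [System.Collections.Generic.List[Object]]::new()

ForEach ($user in $users) {
    # Query by object ID (UPNs containing '#', such as guest accounts, can break the request URL)
    # -All pages through every result so long membership lists are not truncated
    $groups = Get-MgUserMemberOfAsGroup -UserId $user.Id -All
    ForEach ($group in $groups) {
        # One report row per user/group pair
        $obj = [PSCustomObject][ordered]@{
            "User"             = $user.UserPrincipalName
            "Group Name"       = $group.DisplayName
            "Is M365 Group"    = $(if ($group.GroupTypes -contains 'Unified') { "Yes" } else { "No" })
            "Membership Type"  = $(if ($group.GroupTypes -contains 'DynamicMembership') { "Dynamic" } else { "Assigned" })
            "Security Enabled" = $group.SecurityEnabled
            "Mail Enabled"     = $group.MailEnabled
            "Mail Address"     = $(if ($null -eq $group.Mail) { "N/A" } else { $group.Mail })
        }
        $report.Add($obj)
    }
}

# -NoTypeInformation stops Windows PowerShell 5.1 from writing a "#TYPE" line at the top of the CSV
$report | Export-Csv -Path C:\temp\UserGroupMemberReport.csv -NoTypeInformation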
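
A report like this is most useful for access reviews when two exports are compared over time. The following is an added example, not part of the original tutorial's code: it compares two exports in the UserGroupMemberReport.csv column layout and lists memberships that were added or removed, with security-enabled groups first. The function name Compare-MembershipReport and all sample users and groups are hypothetical, constructed values.

```powershell
# Constructed sample rows in the column layout of UserGroupMemberReport.csv.
# In practice, load two real exports with Import-Csv instead.
$header = '"User","Group Name","Is M365 Group","Membership Type","Security Enabled","Mail Enabled","Mail Address"'

$previous = @"
$header
"alice@example.com","Finance Team","Yes","Assigned","False","True","finance@example.com"
"alice@example.com","VPN Users","No","Assigned","True","False","N/A"
"bob@example.com","Helpdesk Admins","No","Assigned","True","False","N/A"
"@ | ConvertFrom-Csv

$current = @"
$header
"alice@example.com","Finance Team","Yes","Assigned","False","True","finance@example.com"
"alice@example.com","Helpdesk Admins","No","Assigned","True","False","N/A"
"bob@example.com","Helpdesk Admins","No","Assigned","True","False","N/A"
"bob@example.com","All Staff","Yes","Dynamic","False","True","allstaff@example.com"
"@ | ConvertFrom-Csv

function Compare-MembershipReport {
    param(
        [Parameter(Mandatory)][object[]]$Previous,
        [Parameter(Mandatory)][object[]]$Current
    )
    # A membership is identified by the (User, Group Name) pair. Display names are
    # not guaranteed to be unique, so identically named groups are treated as one.
    Compare-Object -ReferenceObject $Previous -DifferenceObject $Current `
        -Property 'User', 'Group Name' -PassThru |
        ForEach-Object {
            [PSCustomObject][ordered]@{
                # '=>' means the row exists only in the newer export
                "Change"           = $(if ($_.SideIndicator -eq '=>') { "Added" } else { "Removed" })
                "User"             = $_.User
                "Group Name"       = $_.'Group Name'
                "Security Enabled" = $_.'Security Enabled'
                "Membership Type"  = $_.'Membership Type'
            }
        }
}

$changes = Compare-MembershipReport -Previous $previous -Current $current

# Changes to security-enabled groups affect access, so sort them to the top
$changes |
    Sort-Object @{ Expression = { $_.'Security Enabled' -eq 'True' }; Descending = $true }, User |
    Format-Table -AutoSize
```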

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
