List Microsoft 365 Users Direct Membership Using PowerShell

Every M365 user is not just part of Microsoft 365 groups alone —they also belong to directory(admin) roles & administrative units (AU) in Microsoft Entra ID. However, with so many interconnected parts to consider, it’s easy to get lost in the details!

Knowing where a user belongs is crucial for efficient administration, and that’s what we’ll cover in this blog! 😉This blog provides a PowerShell script to help you find users’ direct memberships in Microsoft 365. The script identifies not only Microsoft 365 groups but also directory roles & administrative units a user is directly assigned to. Let’s get started!

Admins must manually open each user, navigate relevant tabs, and finally identify the Entra role assignments and Administrative Units they belong to. Adding insult to injury, it’s impossible to see all the above in one place. Finding user memberships across Microsoft 365 requires manual navigation, switching & analysis!

Previously, the Get-AzureADUserMembership cmdlet listed users’ direct memberships, and the Get-AzureADAdministrativeUnitMember listed admin unit members. However, these were deprecated in March 2024, leaving admins in a bind. Now, you must use Microsoft Graph (PowerShell & API) methods to get Microsoft 365 user group membership reports.

Looping and scripting might not be your forte, but it’s ours! 😌 So, here is a powerful PowerShell script that lists the groups, admin roles, and administrative units a user is directly a member of, all in a single click. 🚀

Download Script: ListM365UsersDirectMembershipReport.ps1

• The script exports 3 different CSV reports.
  • Users’ direct group membership report
  • Users with admin roles
  • Users with their administrative units
• Retrieves guest user memberships, too.
• Allows you to get specific user’s direct membership within existing objects separately.
• You can import a CSV and filter down memberships for a list of users, too!
• Automatically install the required Microsoft Graph modules with your confirmation.
• The script can be executed with an MFA-enabled account.
• Exports report results as a CSV file.
• The script is scheduler-friendly, making it easy to automate.
• It supports certificate-based authentication (CBA) too.

You will never need to switch multiple tabs hereafter! This PowerShell script exports 3 different reports to find groups, directory roles, and Azure AD administrative units a user is a direct member of in a few minutes!

The script exports all users along with their relevant Microsoft 365 group, distribution group, security group, and mail-enabled security group memberships with the following attributes:

• Username
• UPN
• Group name
• Group Description
• Group Mail Id
• Group Created date and time
• Group Id
• User’s sign-in status
• User’s department
• User’s job title

Note: The user’s sign-in status, department, and job title will be exported on all 3 reports.

This script also exports reports showing users and their assigned admin roles within your Microsoft 365 tenant, including the relevant attributes.

• Username
• UPN
• Directory role name
• Directory role description
• Directory role Id

Not done yet! Yet another highly sought-after but rarely answered report – to find the Microsoft Entra ID administrative units a user is directly a member of. This report will hold the following attributes:

• Username
• UPN
• Administrative Unit (AU) name
• Administrative Unit (AU) Id

Downloaded the script? Great! Here’s how to run it in Windows PowerShell. Choose the method that fits your needs:

Method 1: You can run the script for both MFA-enabled and non-MFA accounts.

Method 2: For certificate-based authentication, execute the script using the following essential parameters.

Further, if you want to automate the script, you can  schedule the PowerShell script in the Task Scheduler or Azure Automation to get the report periodically.

Alright, we’ve discussed the reports and how to run them. Now, let’s delve into using them effectively. To ensure you don’t miss anything, we’ll break down each report and show you how to get the most out of it.

This script uses Get-MgUserMemberOf cmdlet to list all the Entra ID groups a user belongs to.

• Along with internal users’ group memberships; it also includes external users’ group memberships, hitting two targets with one shot!

• The script can determine group memberships beyond Microsoft 365 group memberships! You can also see if a user is a member of distribution groups, security groups, or mail-enabled security groups. Plus, it spills the beans on details like group visibility, creation time, ID, and more.

Overall, this report helps you to manage groups in Microsoft 365 effectively and ensure only the right people are within it.

Ensuring that only authorized users have administrative privileges is crucial for M365 security.

• That’s where you can use this report to find the admin role(s) assigned to each user in your Microsoft 365 environment. Frequently checking this report helps you maintain the least privileged access principle correctly!

Administrative units in Entra ID are great for logically grouping and managing users and resources based on specific benchmarks. Understanding Azure AD administrative units isn’t hard, but understanding their membership is what matters most.

Don’t worry—😉 we’ve simplified it with this PowerShell script!

• The generated CSV file will show memberships in both static and dynamic administrative units in Entra ID.

• Plus, the generated report will include restricted management administrative units in Entra ID. Due to its highly privileged nature, restricted administrative management unit membership should always be monitored more closely.

Want to check the memberships for a specific user? No need to generate reports for everyone! Just input the user’s ID into the script using the -UserId parameter.

Running the above cmdlet will generate three detailed CSV reports: the specific user’s direct group memberships, assigned admin roles, and the administrative units they belong to.

Now that you know how to find a specific user’s memberships, let’s tackle how to do this for bulk users.

• Create a CSV file with the User IDs of the users you’re interested in. Then, use the -CSV parameter to provide the file path.
• This will eventually export the groups, directory roles, and AUs for everyone on your list. It’s that simple!

Sample Input CSV file:

All three reports include a ‘Sign-in status’ column that shows whether user accounts are enabled or disabled.

• This can help you quickly find disabled users in Microsoft 365 who might need attention, such as license removal, status review, or account clean up, to maintain an organized & efficient environment.

And there you have it! So, you’ve seen all this script can do! It cuts through the confusion by showing you exactly where your users are residing within your Microsoft 365.

PowerShell is definitely a handy tool, but when it comes to filtering by specific users & groups, comparing group memberships, and finding comprehensive counts, we need to go beyond n loops. 🫤

But what if you could find all this information without the hassle of complex scripts and for free? 😉 Well, you can. You’re not dreaming!

AdminDroid Free Azure AD reporting tool provides a full suite of Azure AD reports at no cost! You’ll have access to over 100 reports covering users, licenses, logins, passwords, license changes, and 10+ dashboards. You can monitor the following group reports for Microsoft 365 without spending a dime.

Group Types:

• Security Groups
• Distribution Groups
• Mail Enabled Groups
• Synced Groups
• Cloud Groups
• Dynamic Distribution Groups
• Empty and Deleted Groups

Group Membership:

• Microsoft 365 Group User Members
• Distribution Group Members
• Nested Distribution Group Members
• Groups with Contacts as Members
• Office 365 Group Hidden Membership

For real-time insights into group changes, including every modification, AdminDroid Azure AD audit reports offer a deeper level of monitoring.

Audit Group Changes:

• Microsoft 365 Group Creation, Modification, Deletion
• Microsoft 365 Group Setting Changes
• Microsoft 365 Group License Changes
• Microsoft 365 Group Owner Changes
• A Comprehensive Summary of All the Group Operations

Users aren’t just members of groups; they also belong to CA policies, mailbox permissions, SharePoint groups, and more. Spotting these with scripting is a challenge, and as admins, you know the struggle!

AdminDroid can be your savior! 😌 It digs deeper than group memberships; from access control to Teams and app assignments, you can see where your users are involved with detailed stats & conduct in-depth analyses.

👉AdminDroid Microsoft 365 reporting tool provides 1,900+ pre-built reports and 30+ visually stunning dashboards that cover every Microsoft 365 service. These reports offer comprehensive insights, including usage statistics, security details, audit details, etc…

Beyond reporting, AdminDroid has robust features like AI-powered charts, customized filters, smart alerts, schedule reports, and more!

Download AdminDroid now and see how it can turn your Microsoft 365 admin tasks from complex to simple.

I hope this blog provides the answers you were looking for! 🙂 If you have any questions or need further help, drop a comment—we’re here to assist.