Microsoft offers various group types, such as security groups, Microsoft 365 groups, distribution groups, mail-enabled security groups, and dynamic distribution groups. Except for Microsoft 365 groups, other group types can be nested, meaning one group can be added as a member of another. This nesting creates a more organized and hierarchical structure, making it easier to manage access, permissions, and collaboration within an organization.
When you nest groups, it’s essential to understand how they are structured and organized to maintain a smooth and secure management system. Tracking M365 nested groups ensures that permissions and access rights are properly inherited, preventing confusion or overlap in group membership.
In this blog, we’ll explore several methods for generating reports on nested groups in Microsoft 365, helping you gain better visibility into your group structures and manage them more effectively.
How to Get a List of Nested Groups in Microsoft 365?
To find nested AD groups within a parent group, you can use the following methods:
Microsoft Entra admin center: To view all the nested groups inside a parent group using Microsoft Entra admin center, follow the steps below.
- Log in to the Microsoft Entra admin center
- Navigate to Groups -> All groups.
- Then, select a specific group, click on Members in the left navigation pane. This will show all the members and groups that are part of the selected group.
- To see all members, including those in nested groups, switch to the All Members tab.
However, trying to view the hierarchy through the portal can be challenging. To access the members of each group, you have to open each one individually. This process can quickly become confusing and time-consuming, making it difficult to build a detailed and comprehensive report.
PowerShell: Another way to identify nested groups is by using Microsoft Graph PowerShell. The Get-MgGroupMemberAsGroup cmdlet allows you to find nested groups within a parent group. However, to list all nested groups across your Microsoft 365 environment, you need to run the cmdlet for each group individually.
To simplify the process, we’ve developed a custom PowerShell script that exports a list of all nested groups that are members of another group.
Download Script: GetNestedGroups.ps1
Script Highlights
- The script exports 2 different CSV reports:
i) M365 nested groups summary report
ii) M365 nested groups detailed report - Exports nested group reports based on group types, such as Security, Distribution list, Mail-enabled security.
- Automatically installs the required Microsoft Graph module with your confirmation.
- The script can be executed with an MFA-enabled account too.
- Supports Certificate-based Authentication too.
- The script is scheduler friendly.
Microsoft 365 Nested Groups Report – Sample Output
The script analyzes and exports two reports such as “M365 nested groups summary report” and “M365 nested groups detailed report”.
M365 Nested Groups Summary Report:
A high-level report summarizing all the nested groups within your Microsoft 365 environment. The script exports this report with the following attributes:
- Group Name
- Group Type
- Group Email Address
- Nested Group Names
- Nested Groups Count
- Group Id
M365 Nested Groups Detailed Report:
A comprehensive report offering a deeper look into the relationships between parent and nested groups. The script exports this report with the following attributes:
- Parent Group Name
- Nested Group Name
- Nested Group Type
- Nested Group Email Address
- Members Count in Nested Group
Generating Microsoft Nested Groups Report – Script Execution Steps
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: Execute the script with MFA or non-MFA account.
1 |
.\GetNestedGroups.ps1 |
This script will generate an Excel file listing the nested groups, along with their member count.
Method 2: Execute the script using certificate-based authentication. To use certificates, you must register the app in Microsoft Entra and connect to MS Graph using certificate.
1 |
.\GetNestedGroups.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertThumbprint> |
The script is scheduler friendly. You can schedule the script using the Task scheduler or Azure Automation.
Get the Best Out of the Script
This script is packed with filters to meet a variety of needs. Here’s how to maximize its potential:
- Get all distribution lists with nested groups
- Find all nested groups within security groups
- Export all nested groups within mail-enabled security groups
1. Export All Nested Groups within Distribution Lists
By default, the script exports all types of nested groups. However, if you want to focus specifically on nested groups within distribution lists, you can use the –DistributionList switch. This is particularly useful when you’re auditing distribution groups to ensure proper membership and email routing.
1 |
.\GetNestedGroups.ps1 -DistributionList |
The resulting report will export all nested groups within distribution lists in Microsoft 365.
Note: To further analyze group membership, you can export distribution group members and nested distribution group members, giving you a detailed view of the membership hierarchy.
2. Find All Nested Groups within Security Groups
To get an overview of all nested groups within security groups, use the –Security switch. This ensures precise access control and efficient permission management.
1 |
.\GetNestedGroups.ps1 -Security |
This command generates a report listing all security groups with nested groups in Microsoft 365.
3. Export All Nested Groups within Mail–Enabled Security Groups
In environments where email and security are closely tied, managing mail-enabled security groups is crucial. Using the –MailEnabledSecurity switch helps you identify all mail-enabled security groups with nested groups, streamlining group membership management.
1 |
.\GetNestedGroups.ps1 -MailEnabledSecurity |
The exported report contains all nested groups in mail-enabled security groups.
Now that we’ve covered how to list nested groups in Microsoft 365, identifying all the groups a user belongs to helps manage access and ensures their memberships align with organizational policies.
Find Nested Groups Effortlessly with AdminDroid for Free
Tired of the complexity in managing groups and generating reports in Microsoft 365? AdminDroid makes it effortless! With AdminDroid’s free Azure AD reporting tool, users can unlock a powerful suite of Microsoft 365 group reports. This tool provides detailed insights into group memberships, activities, and permissions, all backed by customizable dashboards to make your management quick and easy.
Some of the Microsoft 365 group reports offered by AdminDroid include:
Group Reports:
- Security Groups
- Distribution Groups
- Mail-Enabled Groups
- Synced Groups
- Cloud Groups
- Dynamic Distribution Groups
- Empty and Deleted Groups
Group Membership:
- Microsoft 365 Group User Members
- Distribution Group Members
- Nested Distribution Group Members
- Groups with Contacts as Members
- Office 365 Group Hidden Membership
- Group Membership Changes
Audit Group Changes:
- Microsoft 365 Group Creation, Modification, Deletion
- Microsoft 365 Group Setting Changes
- Microsoft 365 Group License Changes
- Microsoft 365 Group Owner Changes
- A Comprehensive Summary of All the Group Operations
Moreover, AdminDroid’s free Azure AD auditing tool offers unmatched insights into user activities, group dynamics, and password changes, etc.
But that’s not all. AdminDroid’s Microsoft 365 management tool takes it a step further, offering over 1900 pre-built reports and 30+ dashboards covering every aspect of Microsoft 365 services. From SharePoint to Exchange Online, Teams to Power BI, and Yammer, AdminDroid covers it all. Plus, enjoy a 15-day premium trial with full access to advanced features like reporting, alerting, delegation, and compliance.
Download AdminDroid today and experience the ease of comprehensive Microsoft 365 reporting!
We hope this blog has been useful in providing you with the PowerShell script to retrieve all nested groups in Microsoft 365, enabling easier group management. Thanks for reading. For further queries, reach out to us in the comments section.