Microsoft offers various group types, such as security groups, Microsoft 365 groups, distribution groups, mail-enabled security groups, and dynamic distribution groups. Except for Microsoft 365 groups, other group types can be nested, meaning one group can be added as a member of another. This nesting creates a more organized and hierarchical structure, making it easier to manage access, permissions, and collaboration within an organization.
When you nest groups, it’s essential to understand how they are structured and organized to maintain a smooth and secure management system. Tracking M365 nested groups ensures that permissions and access rights are properly inherited, preventing confusion or overlap in group membership.
In this blog, we’ll explore several methods for generating reports on nested groups in Microsoft 365, helping you gain better visibility into your group structures and manage them more effectively.
How to Get a List of Nested Groups in Microsoft 365?
To find nested AD groups within a parent group, you can use the following methods:
Microsoft Entra admin center: To view all the nested groups inside a parent group using Microsoft Entra admin center, follow the steps below.
- Log in to the Microsoft Entra admin center
- Navigate to Groups -> All groups.
- Then select a specific group and click Members in the left navigation pane. This shows all the users and groups that are direct members of the selected group.
- To see all members, including those in nested groups, switch to the All Members tab.
However, trying to view the hierarchy through the portal can be challenging. To access the members of each group, you have to open each one individually. This process can quickly become confusing and time-consuming, making it difficult to build a detailed and comprehensive report.
PowerShell: Another way to identify nested groups is by using Microsoft Graph PowerShell. The Get-MgGroupMemberAsGroup cmdlet allows you to find nested groups within a parent group. However, to list all nested groups across your Microsoft 365 environment, you need to run the cmdlet for each group individually.
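The per-group loop the paragraph describes, written out as an added example (this is not the blog's GetNestedGroups.ps1): it walks every group in the tenant with Get-MgGroupMemberAsGroup, classifies each parent and nested group as Security, Distribution list, Mail-enabled security or Microsoft 365 from its MailEnabled, SecurityEnabled and GroupTypes properties, and records the direct member count of each nested group, which is the information an access review needs to see what a nested membership actually grants. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to Group.Read.All; the output file name is an arbitrary choice.

```powershell
# Added example, not the blog's script. Requires the Microsoft.Graph SDK and
# consent to Group.Read.All (assumption: delegated, interactive sign-in).
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

function Get-GroupTypeLabel {
    # Classify a group the same way the report text distinguishes group types.
    param([Parameter(Mandatory)] $Group)
    if ($Group.GroupTypes -contains "Unified")                { return "Microsoft 365" }
    if ($Group.MailEnabled -and $Group.SecurityEnabled)       { return "Mail-enabled security" }
    if ($Group.SecurityEnabled)                               { return "Security" }
    if ($Group.MailEnabled)                                   { return "Distribution list" }
    return "Other"
}

$parents = Get-MgGroup -All -Property Id,DisplayName,Mail,GroupTypes,MailEnabled,SecurityEnabled

$results = foreach ($parent in $parents) {
    # Get-MgGroupMemberAsGroup returns only the direct members that are themselves groups,
    # so it has to be called once per parent group to cover the whole tenant.
    $nested = Get-MgGroupMemberAsGroup -GroupId $parent.Id -All
    if (-not $nested) { continue }   # parent has no nested groups; nothing to report
    foreach ($child in $nested) {
        [pscustomobject]@{
            'Parent Group Name'             = $parent.DisplayName
            'Parent Group Type'             = Get-GroupTypeLabel $parent
            'Nested Group Name'             = $child.DisplayName
            'Nested Group Type'             = Get-GroupTypeLabel $child
            'Nested Group Email Address'    = $child.Mail
            # Direct members of the nested group (users, devices and any further groups).
            'Members Count in Nested Group' = @(Get-MgGroupMember -GroupId $child.Id -All).Count
            'Nested Group Id'               = $child.Id
        }
    }
}

# Constructed output path; change to suit your environment.
$results | Export-Csv -Path ".\NestedGroupsDetailed.csv" -NoTypeInformation
$results | Format-Table 'Parent Group Name','Nested Group Name','Nested Group Type','Members Count in Nested Group' -AutoSize
```

Only one level of nesting is reported per row; a group nested inside a nested group appears as its own row under its immediate parent, so chains can be reconstructed by joining the CSV on Nested Group Id.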
To simplify the process, we’ve developed a custom PowerShell script that exports a list of all nested groups that are members of another group.
Download Script: GetNestedGroups.ps1
Script Highlights
- The script exports 2 different CSV reports:
i) M365 nested groups summary report
ii) M365 nested groups detailed report - Exports nested group reports based on group types, such as Security, Distribution list, Mail-enabled security.
- Automatically installs the required Microsoft Graph module with your confirmation.
- The script can be executed with an MFA-enabled account too.
- Supports Certificate-based Authentication too.
- The script is scheduler friendly.
Microsoft 365 Nested Groups Report – Sample Output
The script analyzes the tenant and exports two reports: the “M365 nested groups summary report” and the “M365 nested groups detailed report”.
M365 Nested Groups Summary Report:
A high-level report summarizing all the nested groups within your Microsoft 365 environment. The script exports this report with the following attributes:
- Group Name
- Group Type
- Group Email Address
- Nested Group Names
- Nested Groups Count
- Group Id
M365 Nested Groups Detailed Report:
A comprehensive report offering a deeper look into the relationships between parent and nested groups. The script exports this report with the following attributes:
- Parent Group Name
- Nested Group Name
- Nested Group Type
- Nested Group Email Address
- Members Count in Nested Group
Generating Microsoft Nested Groups Report – Script Execution Steps
- Download the script.
- Start the Windows PowerShell.
- Select any of the methods provided to execute the script.
Method 1: Execute the script with an MFA or non-MFA account.

```powershell
.\GetNestedGroups.ps1
```
This script will generate an Excel file listing the nested groups, along with their member count.
Method 2: Execute the script using certificate-based authentication. To use a certificate, you must register an app in Microsoft Entra and connect to Microsoft Graph with that certificate.

```powershell
.\GetNestedGroups.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <CertThumbprint>
```
The script is scheduler friendly. You can schedule the script using the Task scheduler or Azure Automation.
Get the Best Out of the Script
This script is packed with filters to meet a variety of needs. Here’s how to maximize its potential:
- Get all distribution lists with nested groups
- Find all nested groups within security groups
- Export all nested groups within mail-enabled security groups
1. Export All Nested Groups within Distribution Lists
By default, the script exports all types of nested groups. However, if you want to focus specifically on nested groups within distribution lists, you can use the -DistributionList switch. This is particularly useful when you’re auditing distribution groups to ensure proper membership and email routing.

```powershell
.\GetNestedGroups.ps1 -DistributionList
```
The resulting report will export all nested groups within distribution lists in Microsoft 365.
Note: To further analyze group membership, you can export distribution group members and nested distribution group members, giving you a detailed view of the membership hierarchy.
2. Find All Nested Groups within Security Groups
To get an overview of all nested groups within security groups, use the -Security switch. Because a security group nested inside another inherits whatever that parent grants, this view is the one to check for precise access control and efficient permission management.

```powershell
.\GetNestedGroups.ps1 -Security
```
This command generates a report listing all security groups with nested groups in Microsoft 365.
3. Export All Nested Groups within Mail-Enabled Security Groups
In environments where email and security are closely tied, managing mail-enabled security groups is crucial. Using the -MailEnabledSecurity switch helps you identify all mail-enabled security groups with nested groups, streamlining group membership management.

```powershell
.\GetNestedGroups.ps1 -MailEnabledSecurity
```
The exported report contains all nested groups in mail-enabled security groups.
Now that we’ve covered how to list nested groups in Microsoft 365, a related task is identifying all the groups a user belongs to; that helps manage access and ensures a user’s memberships align with organizational policies.
We hope this blog has been useful in providing you with the PowerShell script to retrieve all nested groups in Microsoft 365, enabling easier group management. Thanks for reading. For further queries, reach out to us in the comments section.