Updated 6 days ago

Find Groups with Disabled Users in Microsoft 365

by AIMA


Offboarding users in Microsoft 365 involves more than just blocking sign-ins; there’s a hidden complication that many overlook. Disabled accounts tied to groups hinder group management by inflating group sizes, making it harder to track active members and maintain compliance with access policies.

To maintain a secure and streamlined environment, regularly identifying and removing sign-in blocked users from groups is essential. In this blog, we’ll show you how to identify groups with disabled users in Microsoft 365, ensuring your group management stays secure and organized.

How to Identify Groups with Disabled Users in Microsoft 365?

Here are a few methods to find groups with disabled users in Microsoft 365.

Using Microsoft 365 Admin Center:

To view groups with disabled users in Microsoft 365, follow the steps below.

  • Go to the Microsoft Entra admin center -> Groups -> All groups
  • Click on a group and go to the Members/Owners section.
  • Click on a user’s name to view their details.
  • Check the Account status to see if the account is enabled or disabled.

This process can be tedious since you need to check each group individually for disabled users.

Using PowerShell:

Another method to identify disabled users in groups is by using Microsoft Graph PowerShell. You can use the Get-MgGroupMemberAsUser and Get-MgGroupOwnerAsUser cmdlets to retrieve disabled users by applying specific conditions. However, this needs to be performed for each group using loops, which can be time-consuming.
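The per-group loop described above can look like the following. This is an added example, not the downloadable script referenced on this page; it assumes the Microsoft.Graph PowerShell module is installed, and the output file name and column names are hypothetical. It counts user members and owners only and also flags groups whose owners are all disabled.

```powershell
# Added example (not the downloadable script). Requires the Microsoft.Graph module.
# $OutputPath is a hypothetical file name.
$OutputPath = ".\DisabledUsersInGroups_Example.csv"

# Read-only delegated scopes; interactive sign-in also works for MFA-enabled accounts.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# accountEnabled is not in the default user property set, so request it explicitly.
$userProps  = "id", "displayName", "userPrincipalName", "accountEnabled"
$groupProps = "id", "displayName", "mail", "groupTypes", "securityEnabled", "mailEnabled"

$report = foreach ($group in Get-MgGroup -All -Property $groupProps) {
    # The *AsUser cmdlets return only user objects (no devices, contacts or nested groups).
    $members = @(Get-MgGroupMemberAsUser -GroupId $group.Id -All -Property $userProps)
    $owners  = @(Get-MgGroupOwnerAsUser  -GroupId $group.Id -All -Property $userProps)

    # Compare against $false explicitly: a user whose status was not returned ($null) is not flagged.
    $disabledMembers = @($members | Where-Object { $_.AccountEnabled -eq $false })
    $disabledOwners  = @($owners  | Where-Object { $_.AccountEnabled -eq $false })
    if (($disabledMembers.Count + $disabledOwners.Count) -eq 0) { continue }

    # Classify the group from the Graph properties requested above.
    $groupType = if ($group.GroupTypes -contains "Unified") { "Microsoft 365" }
        elseif ($group.SecurityEnabled -and $group.MailEnabled) { "Mail-enabled security" }
        elseif ($group.SecurityEnabled) { "Security" }
        else { "Distribution list" }

    [pscustomobject]@{
        GroupName            = $group.DisplayName
        GroupEmail           = $group.Mail
        GroupType            = $groupType
        IsDynamicGroup       = $group.GroupTypes -contains "DynamicMembership"
        TotalUserMembers     = $members.Count
        TotalUserOwners      = $owners.Count
        DisabledMembersCount = $disabledMembers.Count
        DisabledOwnersCount  = $disabledOwners.Count
        DisabledMembers      = ($disabledMembers.UserPrincipalName -join "; ")
        DisabledOwners       = ($disabledOwners.UserPrincipalName -join "; ")
        # True when no enabled owner is left to manage the group.
        AllOwnersDisabled    = ($owners.Count -gt 0 -and $disabledOwners.Count -eq $owners.Count)
        GroupId              = $group.Id
    }
}

$report | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
```

Each group costs two Graph calls, so expect long run times in large tenants.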

To make this process easier, we’ve created a custom PowerShell script that exports a comprehensive list of groups with disabled members and owners, including extra details for better insights.

Download Script: GroupsWithDisabledUsers.ps1

Script Highlights

  • Exports disabled users based on group types, such as Microsoft 365, Security, Mail-enabled security, and Distribution list.
  • Provides counts for disabled members and disabled owners in each group.
  • Automatically installs the required Microsoft Graph PowerShell module with your confirmation.
  • The script can also be executed with an MFA-enabled account.
  • Supports certificate-based authentication.
  • The script is scheduler friendly.
  • Exports report results into a CSV file.

Groups with Disabled Users Report – Sample Output

The exported report on Office 365 groups with disabled users looks like the screenshot below.

Groups with Disabled Users Report

The script exports all groups with disabled users with attributes like Group Name, Group Email Address, Group Type, Is Dynamic Group, Total Members Count, Total Owners Count, Disabled Members Count, Disabled Owners Count, Disabled Members, Disabled Owners, CreatedDateTime, and Group Id.

💡 Tip: By identifying groups with disabled owners, you can proactively add new active owners to ensure smooth management and prevent potential access issues. This helps maintain control and prevents groups from becoming ownerless, especially for large groups that may need more oversight.

Groups with Disabled Users Report – Script Execution Steps

  1. Download the script.
  2. Start Windows PowerShell.
  3. Select any of the methods provided to execute the script.

Method 1: Execute the script with an MFA or non-MFA account.

This method will display a list of groups with disabled users in Microsoft 365.

Note: In Microsoft 365, groups are often tied to group-based licensing. Therefore, identifying groups with disabled users also prevents unnecessary license consumption and reduces licensing costs.

Method 2: Execute the script using certificate-based authentication.

To use certificates, you must register an app in Microsoft Entra, which lets you connect to MS Graph using a certificate.

The above method is scheduler friendly. You can schedule the script using the Task scheduler or Azure Automation.

Make the Script Work for You!

With a range of filters built in, this script can meet different requirements. Here’s how to make it work for you:

1. Find All M365 Groups with Disabled Users

By default, the script exports all types of groups with disabled users. However, if you want to focus specifically on Microsoft 365 groups with disabled members/owners, you can use the -M365GroupsOnly switch.

The resulting report will export all Microsoft 365 groups that have disabled users. This helps administrators efficiently track and manage group memberships, ensuring that only active users retain access.

2. Get All Security Groups with Disabled Users

To maintain efficient access control, it’s important to ensure that security groups do not include disabled users. Use the -SecurityGroupsOnly switch to find all security groups with disabled users.

This format generates a report listing all security groups containing disabled users in Microsoft 365.

3. Export All Mail-enabled Security Groups with Disabled Users

Mail-enabled security groups are used to manage access and communication for multiple users through email. It’s important to identify groups with disabled members or owners to maintain accurate communication and security. Use the -MailEnabledSecurityGroupsOnly switch to export all mail-enabled security groups with disabled users.

This format generates a report listing all mail-enabled security groups containing disabled users in Microsoft 365.

4. Get All Distribution Lists with Disabled Users

Ensuring that disabled accounts are not retained as members of distribution lists helps prevent unnecessary email traffic. To find all distribution lists with disabled users, use the -DistributionListsOnly switch.

This format generates a report listing all distribution lists containing disabled users in Microsoft 365.

Manage Groups Better with AdminDroid’s Free Entra ID Insights

Struggling to manage groups and generate comprehensive reports in Microsoft 365? AdminDroid simplifies the process! With AdminDroid’s free Entra ID reporting tool, you can easily obtain detailed insights about Microsoft 365 groups, including disabled members and owners.

Additionally, you’ll get data on group memberships, usage patterns, empty groups, storage trends, and more, making overall group management smoother than ever.

Some of the Microsoft 365 group reports offered by AdminDroid include:

Group Reports:

  • Security Groups
  • Distribution Groups
  • Mail-Enabled Groups
  • Synced Groups
  • Cloud Groups
  • Dynamic Distribution Groups
  • Empty and Deleted Groups
  • Groups with Disabled Users

Group Membership:

  • Microsoft 365 Group User Members
  • Distribution Group Members
  • Nested Distribution Group Members
  • Groups with Contacts as Members
  • Office 365 Group Hidden Membership

Audit Group Changes:

  • Microsoft 365 Group Creation, Modification, Deletion
  • Microsoft 365 Group Setting Changes
  • Group Membership Changes
  • Microsoft 365 Group License Changes
  • Microsoft 365 Group Owner Changes
  • A Comprehensive Summary of All the Group Operations

AdminDroid Office 365 Reporter


AdminDroid’s free Entra ID auditing tool gives you unparalleled insights into user activities, group dynamics, password changes, and more. And there’s even more to benefit from.

With AdminDroid’s Microsoft 365 management tool, access over 1,900 pre-built reports and 30+ dashboards across services like SharePoint, Exchange Online, Teams, Power BI, and Yammer.

Unlock advanced features with a 15-day premium trial, including comprehensive reporting, alerting, delegation, and compliance tools.

Download AdminDroid today and experience effortless Microsoft 365 reporting.

We hope this blog has been useful in providing you with the PowerShell script to retrieve all groups with disabled users in Microsoft 365, enabling easier group management. Thanks for reading. For further queries, reach out to us in the comments section.
