4 Useful Scripts with Get-MgGroupOwner in PowerShell

Every Microsoft 365 Group should have at least one owner. Owners are responsible for managing membership, approving access, and maintaining the group’s purpose. If groups don’t have owners, they often become “orphaned” and unmanaged — which can lead to security risks and compliance issues.

The Get-MgGroupOwner cmdlet in Microsoft Graph PowerShell helps you quickly retrieve group owners, validate ownership, and generate ownership reports.

In this article, you’ll learn 4 useful scripts that cover common real-world admin scenarios, explained in a beginner-friendly way.

Prerequisites

Before running the scripts, install and connect to Microsoft Graph PowerShell:

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Group.Read.All","User.Read.All"
                                        

You also need the GroupId (GUID) of the Microsoft 365 Group you’re working with.

• Script 1: Retrieve Group Owner IDs

This example demonstrates how to retrieve only the owner IDs of a specified Microsoft 365 Group using the Get-MgGroupOwner cmdlet.

Get-MgGroupOwner -GroupId '7bf57d88-42e1-4c8b-8a44-5a6f04a29073' | Select-Object Id

Explanation:

This is the simplest way to check who owns a group.

Get-MgGroupOwner returns directory objects that are owners, and Select-Object Id filters the output down to only their IDs.

This is useful when you want a clean list of Owner GUIDs for further processing in scripts.

• Script 2: Retrieve Group Owners with Additional Information

To get detailed information about each owner (like their email address and user principal name), we can nest the Get-MgUser cmdlet within Get-MgGroupOwner. This provides more valuable data about the group owners.

# Retrieve the detailed information of group owners

$owners = Get-MgGroupOwner -GroupId '7bf57d88-42e1-4c8b-8a44-5a6f04a29073'
    foreach ($owner in $owners) {
        Get-MgUser -UserId $owner.Id | Select-Object DisplayName, Mail, UserPrincipalName
    }
                                            

Explanation:

Get-MgGroupOwner alone doesn’t always show friendly details like email or UPN.

So this script:

1. Gets owners from the group
2. Loops through each owner
3. Pulls full user details using Get-MgUser

This produces a readable owner list with DisplayName, Mail, and UserPrincipalName.

• Script 3: Identifying Groups Without Owners

It's crucial to ensure that all Microsoft 365 groups have assigned owners to maintain proper management and oversight. Using Get-MgGroupOwner, administrators can identify groups that currently lack an owner:

$groups = Get-MgGroup -All
foreach ($group in $groups) {
    $owners = Get-MgGroupOwner -GroupId $group.Id
    if ($owners.Count -eq 0) {
        Write-Host "Group '$($group.DisplayName)' has no owners assigned."
    }
}
                                            

Explanation:

This script audits the whole tenant:

• Get-MgGroup -All collects every group
• It checks owners for each group
• If owner count is zero, it flags that group

This is one of the most important governance checks you can run, because ownerless groups often become unmanaged over time.

• Script 4: Generating Group Ownership Reports

Companies often require reports that list all groups and their respective owners. By using Get-MgGroupOwner in conjunction with Get-MgUser, administrators can create comprehensive reports that include details like owners' names, email addresses, and user principal names.

$groups = Get-MgGroup -All
    foreach ($group in $groups) {
        $owners = Get-MgGroupOwner -GroupId $group.Id
        foreach ($owner in $owners) {
            $user = Get-MgUser -UserId $owner.Id
            Write-Output "Group: $($group.DisplayName) - Owner: $($user.DisplayName), $($user.Mail), $($user.UserPrincipalName)"
        }
    }
                                            

This script generates a list of groups along with their owners' details, making it easier to review ownership and ensure compliance with organizational policies.

Explanation:

This builds a full cross-tenant ownership report:

• Gets all groups
• Retrieves owners per group
• Pulls each owner’s details
• Outputs results in a readable “Group → Owner” format

Perfect for audits, compliance reviews, or quarterly ownership checks.

Cmdlet Tips

• Owners may include users or service principals — not only people.
• If you need friendly values (mail, UPN), always pair with Get-MgUser (like Example 2 and 4).
• Use ownership audits regularly to avoid orphaned groups.
• For large tenants, export output to CSV after generating the report.
• If you see empty results, confirm the group really has owners in Entra ID.

Possible Errors and Solutions

Error	Cause	Solution
Insufficient privileges to complete the operation	Missing Graph scopes	Reconnect with "Group.Read.All","User.Read.All"
Group not found	Wrong GroupId	Verify the ID using Get-MgGroup
Request_UnsupportedQuery	Using advanced queries without consistency level	Add -ConsistencyLevel eventual only when required
Owners.Count is null	Group returns no owners	Handle empty results safely (as Example 3 does)

Conclusion

The Get-MgGroupOwner cmdlet is a must-have tool for Microsoft 365 admins. It helps you:

• retrieve owner IDs quickly
• fetch readable owner information
• detect ownerless groups
• generate full ownership reports for audits

These 4 scripts give you a solid foundation for everyday administration and governance. Once you’re comfortable with them, you can extend the logic into scheduled compliance jobs or tenant-wide reporting workflows.