Ultimate Guide for Using Get-MgGroupMember Cmdlet

Who Are Microsoft 365 Group Members?

Microsoft 365 groups enable seamless collaboration by connecting a group of users to shared tools like Outlook, Teams, SharePoint, and Planner. Each member of a group is an account (user or service principal) that has specific permissions and access to resources.

Admins manage group memberships to:

• Ensure proper access control.
• Facilitate effective communication within teams.
• Maintain up-to-date membership records for security and compliance

Why Use Get-MgGroupMember?

The Get-MgGroupMember cmdlet provides a programmatic way to fetch the members of any Microsoft 365 group. While the Admin Center allows manual membership management, Get-MgGroupMember shines in scenarios requiring:

• Bulk queries for multiple groups.
• Automation of membership monitoring tasks.
• Detailed reporting on group memberships.

Setting Up Microsoft Graph PowerShell

To use the Get-MgGroupMember cmdlet, you need to set up the Microsoft Graph PowerShell module. Here’s how:

1. Install the Module

Run this command in PowerShell to install the module:

Install-Module Microsoft.Graph -Scope CurrentUser

2. Connect to Microsoft Graph

Once installed, connect to your Microsoft 365 tenant:

Connect-MgGraph

3. Disconnect After Use

When finished, disconnect to secure your session:

Disconnect-MgGraph  

Exploring the Get-MgGroupMember Cmdlet

The Get-MgGroupMember cmdlet retrieves members of a specified Microsoft 365 group. Whether you want a quick list of user IDs or detailed user information, this cmdlet offers flexibility and power.

Cmdlet Syntax

Get-MgGroupMember [-GroupId <String>] [-Filter <String>] [-All <Boolean>] [<CommonParameters>]  

Key Parameters & Query Options (Quick Reference)

Understanding the available parameters helps administrators retrieve membership data efficiently.

Usage Examples

1. Passing Group ID Directly

To fetch members of a specific group by its unique ID:

Get-MgGroupMember -GroupId "1cbe8c31-589d-453a-a1e5-045f7f00c967"  

This command returns the IDs of all group members.

2. Passing Group ID When Prompted by Console

If you directly execute the Get-MgGroupMember cmdlet without the group id, the console prompts you to enter the same.

Get-MgGroupMember 

Note: You can get the group id by executing Get-MgGroup cmdlet.
3. Get-MgGroupMember Returns Only Member or User IDs by Default

The output of Get-MgGroupMember includes only the IDs of group members, not personal details like names or email addresses. While this information is sufficient for some use cases, administrators often require additional user details.

Get-MgUser -UserId "john.doe@contoso.com"   

4. Use Get-MgUser with Get-MgGroupMember to Get Detailed User Information

To fetch additional information like DisplayName, UPN, or Mail, combine Get-MgGroupMember with Get-MgUser:

# Retrieve members of a specified group
$groupMembers = Get-MgGroupMember -GroupId "1cbe8c31-589d-453a-a1e5-045f7f00c967"
                            
# Initialize an array to store detailed user information
$userDetails = @()
                            
# Loop through each group member and retrieve additional properties
foreach ($member in $groupMembers) {
    $user = Get-MgUser -UserId $member.Id -Property "id, displayName, userPrincipalName"
    $userDetails += [PSCustomObject]@{
        Id                 = $user.Id
        DisplayName        = $user.DisplayName
        UserPrincipalName  = $user.UserPrincipalName
    }
}
                            
# Display the detailed user information
$userDetails | Select-Object Id, DisplayName, UserPrincipalName  

This script retrieves and displays user details for all group members, providing the information needed for advanced reporting or management tasks.

When Should You Use Get-MgGroupMember?

Use the Get-MgGroupMember cmdlet in the following scenarios:

• Auditing Microsoft 365 group memberships
• Generating access review reports
• Tracking security group members
• Validating onboarding/offboarding processes
• Building governance and compliance reportss

Get-MgGroupMember vs Related Cmdlets

Real-World Admin Scenarios

1. Membership Audit & Compliance Reporting
• Retrieve all members of sensitive groups
• Validate access permissions for compliance audits
2. Offboarding Validation
• Ensure departed employees are removed from all groups
• Prevent unauthorized access retention
3. Tenant-Wide Membership Reporting
• Combine Get-MgGroup with Get-MgGroupMember
• Generate organization-wide membership inventories
💡 This is one of the most common real-world uses of the cmdlet in enterprise environments.
4. Teams Membership Validation
• Since Teams are backed by Microsoft 365 Groups, this cmdlet can help validate Team membership indirectly

Common Limitations & Considerations

Strengths

• Supports detailed membership auditing
• Works with Microsoft 365 and security groups
• Useful for automation and reporting

Limitations

• Requires GroupId for queries
• Large groups may require pagination handling
• Does not always return full user properties directly

Pro Tips for Using Get-MgGroupMember

• Use -All when working with large groups
• Export results to CSV for audits and reporting
• Combine with Get-MgGroup for tenant-wide analysis
• Use Select-Object to retrieve only required properties
• Automate recurring membership reviews

Example: End-to-End Group Membership Reporting Workflow

A practical reporting workflow could look like:

1. Retrieve all groups using Get-MgGroup
2. Loop through each group
3. Retrieve members using Get-MgGroupMember
4. Export membership data to CSV
5. Analyze data using Excel or Power BI

Best Practices for Get-MgGroupMember

• Limit Scope: Use filters or specific parameters to retrieve only the data you need, avoiding excessive data pulls.
• Combine with Other Cmdlets: Combine Get-MgGroupMember with cmdlets like Get-MgUser or Remove-MgGroupMember to create workflows for automation.
• Simulate Actions: Use the -WhatIf parameter to preview commands and avoid unintended changes.
• Secure Access: Always disconnect from Microsoft Graph after completing tasks to maintain security.

$members = Get-MgGroupMember -GroupId $groupId -All
$usersOnly = $members | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.user' }

Frequently Asked Questions

• What is Get-MgGroupMember used for?
  Get-MgGroupMember is used to retrieve members of Microsoft 365 groups and security groups using Graph PowerShell.
• Can I retrieve all members of a group?
  Yes. Using the -All parameter, you can retrieve all members, including large groups.
• What permissions are required?
  Permissions such as Group.Read.All or GroupMember.Read.All are commonly required.
• Can I retrieve members from all groups at once?
  Not directly. Typically, administrators use Get-MgGroup to retrieve groups and then loop through them with Get-MgGroupMember.
• Does Get-MgGroupMember work for Teams?
  Yes. Since Microsoft Teams are backed by Microsoft 365 Groups, the cmdlet can retrieve Team members indirectly.

Conclusion

The Get-MgGroupMember cmdlet is a versatile tool for Microsoft 365 administrators, offering an efficient way to query group memberships. By combining it with other Graph PowerShell cmdlets, admins can unlock advanced capabilities, from fetching detailed user information to automating membership management.

Whether you’re managing a small team or overseeing an enterprise environment, mastering Get-MgGroupMember will save time, reduce errors, and enhance productivity.