Fetch Disabled Users in a Microsoft 365 Group Using Graph PowerShell

Microsoft 365 administrators often need to identify disabled users within a specific group for security audits, user access reviews, or cleanup activities. The Microsoft 365 admin center shows each user's sign-in status one account at a time, whereas a Graph PowerShell script can pull the whole membership of a group in one run and be automated. In this article, we walk through a script that fetches the disabled users of a Microsoft 365 group and displays their details: Group Name, Member Name, Department, and Job Title.


Script to Fetch Disabled Users in a Group

Below is the PowerShell script that retrieves and displays all disabled users within a group.

# Install the Graph SDK (if not already installed)
# Install-Module Microsoft.Graph -Scope CurrentUser
# Import only the sub-modules the script uses; importing the whole Microsoft.Graph meta-module is slow
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# Connect to Microsoft Graph (delegated scopes, interactive sign-in)
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# Prompt for Group Name or ID
$GroupNameOrId = Read-Host "Enter Group Name or Object ID"

# Get Group Details: look the group up by ID if a GUID was entered, otherwise by display name
if ($GroupNameOrId -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
    $Group = Get-MgGroup -GroupId $GroupNameOrId -Property Id, DisplayName -ErrorAction SilentlyContinue
} else {
    # Double any apostrophe so a name such as "O'Brien's Team" does not break the OData filter string
    $EscapedName = $GroupNameOrId -replace "'", "''"
    $Group = Get-MgGroup -Filter "displayName eq '$EscapedName'" -Property Id, DisplayName
}

if ($null -eq $Group) {
    Write-Host "Error: No group found with name or ID '$GroupNameOrId'" -ForegroundColor Red
    Disconnect-MgGraph | Out-Null
    return
}

# Display names are not unique in Entra ID; do not guess when several groups share the name
if (@($Group).Count -gt 1) {
    Write-Host "Error: $(@($Group).Count) groups are named '$GroupNameOrId'. Re-run with the Object ID of the one you mean:" -ForegroundColor Red
    $Group | Select-Object Id, DisplayName | Format-Table -AutoSize
    Disconnect-MgGraph | Out-Null
    return
}

# Fetch Group Members. Each member comes back as a directory object with only its ID populated;
# the object type is exposed in AdditionalProperties['@odata.type'], not as user properties.
$Members = @(Get-MgGroupMember -GroupId $Group.Id -All)

if ($Members.Count -eq 0) {
    Write-Host "No members found in the group '$($Group.DisplayName)'" -ForegroundColor Yellow
} else {
    # Retrieve details of disabled users
    $DisabledUsers = @()

    foreach ($Member in $Members) {
        # Skip service principals, devices and nested groups: Get-MgUser fails on non-user objects
        if ($Member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        # Fetch the user properties we need (accountEnabled is not returned unless requested)
        $User = Get-MgUser -UserId $Member.Id -Property DisplayName, Department, JobTitle, AccountEnabled

        # Check if the account is disabled
        if ($User.AccountEnabled -eq $false) {
            $DisabledUsers += [PSCustomObject]@{
                "Group Name"  = $Group.DisplayName
                "Member Name" = $User.DisplayName
                "Department"  = $User.Department
                "Job Title"   = $User.JobTitle
            }
        }
    }

    # Display Results in Table Format
    if ($DisabledUsers.Count -eq 0) {
        Write-Host "No disabled users found in the group '$($Group.DisplayName)'" -ForegroundColor Yellow
    } else {
        $DisabledUsers | Format-Table -AutoSize
    }
}

# Disconnect from Graph
Disconnect-MgGraph | Out-Null
                                

How the Script Works

  1. Connects to Microsoft Graph
    • The script starts by connecting to Microsoft Graph with Group.Read.All and User.Read.All permissions.
  2. Prompts for Group Name or Object ID
    • The user enters the display name or object ID of the Microsoft 365 group.
  3. Retrieves Group Details
    • Uses Get-MgGroup to fetch the group's ID and display name.
  4. Fetches Group Members
    • Calls Get-MgGroupMember to retrieve the members. Each member is returned as a directory object that carries its ID and its object type (in AdditionalProperties under @odata.type), but none of the user properties.
  5. Queries Each Member’s User Details
    • The script loops through each member ID and uses Get-MgUser to fetch:
      • DisplayName
      • Department
      • JobTitle
      • AccountEnabled (to check if the user is disabled)
  6. Filters Disabled Users
    • The script keeps only the users whose AccountEnabled property is false and drops the enabled ones.
  7. Displays the Output in a Table Format
    • If disabled users exist, they are displayed in a structured table format.
  8. Disconnects from Microsoft Graph
    • The script ensures that the session is closed once execution is complete.

Further Enhancements

Here are some improvements that can be made to the script:

  • Export to CSV: Save the results to a CSV file for record-keeping.
      $DisabledUsers | Export-Csv -Path "DisabledUsers.csv" -NoTypeInformation
  • Filter Only User Objects: Some groups contain service principals, devices or nested groups. Keep only user objects before calling Get-MgUser. Note that the SDK puts the type discriminator in AdditionalProperties, not on a top-level '@odata.type' property:
      $UsersOnly = $Members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
  • Batch Query Multiple Groups: Allow the script to process multiple groups from a CSV file.
  • Email Notifications: Send an automated email with the list of disabled users, for example with Send-MgUserMail (requires the Mail.Send permission).
  • Schedule the Script: Run the script periodically with Task Scheduler. An unattended run cannot use Read-Host or the interactive Connect-MgGraph sign-in; register an application with the Group.Read.All and User.Read.All application permissions (admin consented) and sign in with a certificate (Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...) rather than a client secret stored on disk.
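The following script combines the batch, CSV-export and scheduling enhancements above into one unattended job. It is an added example written for this article, not code from the original post or from Microsoft; the tenant ID, client ID, certificate thumbprint, the groups.csv input file with its Group column, and the output path are placeholders to replace with your own. It assumes an app registration holding the Group.Read.All and User.Read.All application permissions with admin consent, and the certificate installed in the CurrentUser store of the account the scheduled task runs as. It also walks nested membership with Get-MgGroupTransitiveMember, which matters for security groups (Microsoft 365 groups cannot contain other groups).

```powershell
# Added example: unattended, multi-group version of the disabled-user audit.
# Placeholders below (tenant, client, thumbprint, CSV paths) are assumptions to replace.
param(
    [string]$TenantId              = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$ClientId              = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$CertificateThumbprint = 'REPLACE_WITH_CERT_THUMBPRINT',           # placeholder
    [string]$GroupListCsv          = '.\groups.csv',                           # one column: Group (name or object ID)
    [string]$OutputCsv             = ".\DisabledUsers-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

# App-only (certificate) sign-in: no Read-Host and no browser prompt, so it works under Task Scheduler.
# The private key never leaves the certificate store, unlike a client secret kept in the script.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertificateThumbprint -NoWelcome

function Resolve-Group {
    # Accepts either an object ID (GUID) or a display name; escapes apostrophes for the OData filter
    param([Parameter(Mandatory)][string]$NameOrId)
    if ($NameOrId -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
        return Get-MgGroup -GroupId $NameOrId -Property Id, DisplayName -ErrorAction SilentlyContinue
    }
    $escaped = $NameOrId -replace "'", "''"
    return Get-MgGroup -Filter "displayName eq '$escaped'" -Property Id, DisplayName
}

function Get-DisabledGroupMember {
    # Emits one row per disabled user found in the group's transitive membership
    param([Parameter(Mandatory)]$Group)
    $members = @(Get-MgGroupTransitiveMember -GroupId $Group.Id -All)
    foreach ($m in $members) {
        # Only user objects carry the accountEnabled semantics we are auditing here
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $m.Id -Property Id, DisplayName, UserPrincipalName, Department, JobTitle, AccountEnabled
        if ($u.AccountEnabled -eq $false) {
            [PSCustomObject]@{
                GroupName         = $Group.DisplayName
                GroupId           = $Group.Id
                MemberName        = $u.DisplayName
                UserPrincipalName = $u.UserPrincipalName
                Department        = $u.Department
                JobTitle          = $u.JobTitle
                CheckedAt         = (Get-Date).ToString('o')
            }
        }
    }
}

$results = foreach ($row in Import-Csv -Path $GroupListCsv) {
    $group = Resolve-Group -NameOrId $row.Group
    if ($null -eq $group) { Write-Warning "Group '$($row.Group)' not found; skipping"; continue }
    if (@($group).Count -gt 1) { Write-Warning "Group name '$($row.Group)' is ambiguous; list it by object ID instead"; continue }
    Get-DisabledGroupMember -Group $group
}

# Always write the file, even when empty, so a missing report is distinguishable from a clean one
@($results) | Export-Csv -Path $OutputCsv -NoTypeInformation
Write-Host "Wrote $(@($results).Count) disabled-user row(s) to $OutputCsv"

Disconnect-MgGraph | Out-Null
```

Register the task with an action such as `pwsh.exe -NoProfile -File C:\Scripts\Audit-DisabledMembers.ps1`, running as a dedicated low-privilege service account that owns the certificate. Because disabled accounts left in privileged groups are the finding of interest, the CheckedAt column lets successive CSVs be diffed to see how long each one has lingered.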

Use Cases

  • Security Audits: Helps IT teams identify disabled users in security-sensitive groups.
  • Compliance Checks: Ensures that disabled users do not remain in active groups.
  • User Access Review: Aids in periodic access reviews and role-based access control (RBAC) compliance.
  • Account Cleanup: Automates the process of checking disabled accounts to keep Microsoft 365 clean and up-to-date.

Possible Errors & Solutions

Error: No group found with name or ID
  Cause: The entered group name is incorrect, does not exist, or contains an apostrophe that breaks the OData filter string.
  Solution: Verify the group name or use the Object ID instead.

No members found in the group
  Cause: The group exists but has no members.
  Solution: Ensure the group has members and verify its type (for example, a dynamic group whose rule currently matches nobody).

Get-MgUser: User Not Found
  Cause: The script tries to fetch details for a non-user object (e.g., a service principal or device).
  Solution: Filter the group members on AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' before calling Get-MgUser.

Access Denied
  Cause: The connected account lacks the necessary permissions, or an earlier Connect-MgGraph session was cached without them.
  Solution: Ensure that Group.Read.All and User.Read.All are granted and admin consented, then confirm the live token with (Get-MgContext).Scopes; if the scopes are missing, run Disconnect-MgGraph and connect again with -Scopes.
🚫 Use accountEnabled to Detect Disabled User Accounts

The accountEnabled property shows whether a user account is active or disabled.

When reviewing Microsoft 365 group members, check for users where accountEnabled is false to identify disabled accounts accurately.
👥 Not All Group Members Are User Accounts

When using Get-MgGroupMember, the returned members may include:
  • Users (enabled or disabled)
  • Guest users (userType "Guest"; still user objects, so accountEnabled applies to them too)
  • Service principals (applications)
  • Devices and, in security groups, nested groups
Use the @odata.type value in each member's AdditionalProperties to identify the object type before applying filters like accountEnabled; only user objects carry the property the script is checking.
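The script below is an added example for this section, not code from the original article. It inventories the object types in a group's membership and reports the sign-in state only for the objects where accountEnabled means what the audit expects. It assumes an existing Connect-MgGraph session with Group.Read.All and User.Read.All, and takes the group's object ID as the -GroupId parameter.

```powershell
# Added example: triage a group's membership by object type before checking accountEnabled.
# Assumes you are already connected with Group.Read.All and User.Read.All.
param([Parameter(Mandatory)][string]$GroupId)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

$members = @(Get-MgGroupMember -GroupId $GroupId -All)

# The SDK exposes the type discriminator inside AdditionalProperties, not as a top-level property
$byType = $members | Group-Object { $_.AdditionalProperties['@odata.type'] }
$byType | Select-Object @{ n = 'ObjectType'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Per-member report: user objects (members and guests) get the enabled/disabled check,
# everything else is listed with the reason it was not checked.
foreach ($m in $members) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.user' {
            $u = Get-MgUser -UserId $m.Id -Property DisplayName, UserType, AccountEnabled
            $state = if ($u.AccountEnabled) { 'enabled' } else { 'DISABLED' }
            '{0,-18} {1,-8} {2,-8} {3}' -f 'user', $u.UserType, $state, $u.DisplayName
        }
        '#microsoft.graph.servicePrincipal' {
            # Service principals have their own accountEnabled flag, readable with
            # Get-MgServicePrincipal (needs Application.Read.All), so they are not covered here
            '{0,-18} {1,-8} {2,-8} {3}' -f 'servicePrincipal', '-', 'skipped', $m.Id
        }
        '#microsoft.graph.device' {
            '{0,-18} {1,-8} {2,-8} {3}' -f 'device', '-', 'skipped', $m.Id
        }
        '#microsoft.graph.group' {
            # Nested group: its users are only reached via Get-MgGroupTransitiveMember
            '{0,-18} {1,-8} {2,-8} {3}' -f 'group (nested)', '-', 'skipped', $m.Id
        }
        default {
            '{0,-18} {1,-8} {2,-8} {3}' -f $_, '-', 'skipped', $m.Id
        }
    }
}
```

Running the type inventory first is a cheap sanity check: a security group that unexpectedly contains service principals or devices is itself worth a look during an access review, and the counts tell you how many Get-MgUser calls the full audit will make.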

Conclusion

This PowerShell script provides an efficient and automated way to retrieve disabled users from a Microsoft 365 group, ensuring administrators can maintain security and compliance. By leveraging Microsoft Graph API, the script helps IT teams streamline access reviews, audits, and user management processes. With additional enhancements like CSV exports and automated scheduling, this script can become a powerful tool in your IT administration toolkit.


© m365corner.com. All Rights Reserved. Design by HTML Codex