PowerShell

Fetch Distribution Group Members Using Microsoft Graph PowerShell

Microsoft 365 administrators often need to retrieve the list of members from distribution groups to manage users effectively. While the Microsoft Admin Center provides a graphical way to view group memberships, PowerShell provides a more efficient and automated approach. In this article, we will explore how to fetch members of a distribution group using Microsoft Graph PowerShell.

Script to Fetch Distribution Group Members

Below is the PowerShell script that retrieves and displays the Group Name, Group Email, Member Name, Department, and Job Title of each member in a distribution group.

# Install & Import Graph Module (if not already installed)
# Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
                                
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"
                                
# Prompt for Distribution Group Email
$GroupEmail = Read-Host "Enter Distribution Group Email"
                                
# Get Group Details
$Group = Get-MgGroup -Filter "mail eq '$GroupEmail'" -Property Id, DisplayName, Mail
                                
if ($Group -eq $null) {
    Write-Host "Error: No group found with email '$GroupEmail'" -ForegroundColor Red
    exit
}
                                
# Fetch Group Members (Only returns IDs, so we need to query user details separately)
$Members = Get-MgGroupMember -GroupId $Group.Id -All
                                
if ($Members.Count -eq 0) {
    Write-Host "No members found in the group '$($Group.DisplayName)'" -ForegroundColor Yellow
} else {
    # Retrieve user details for each member
    $MemberDetails = @()
                                    
    foreach ($Member in $Members) {
        $User = Get-MgUser -UserId $Member.Id -Property DisplayName, Department, JobTitle
        $MemberDetails += [PSCustomObject]@{
        "Group Name"  = $Group.DisplayName
        "Group Email" = $Group.Mail
        "Member Name" = $User.DisplayName
        "Department"  = $User.Department
        "Job Title"   = $User.JobTitle
    }
}
                                
# Display Results in Table Format
$MemberDetails | Format-Table -AutoSize
}
                                
# Disconnect from Graph
Disconnect-MgGraph

How the Script Works

Connects to Microsoft Graph

The script starts by connecting to Microsoft Graph using the required permissions (Group.Read.All and User.Read.All).

Prompts for Group Email

The user is asked to enter the email address of the distribution group they want to query.

Fetches Group Details

The script uses Get-MgGroup to fetch the group's ID, Display Name, and Email.

Retrieves Group Members

The script calls Get-MgGroupMember to retrieve the members' IDs.

Fetches Member Details

Since Get-MgGroupMember does not return user attributes like Department and JobTitle, the script iterates through each member ID and queries Get-MgUser to fetch the missing details.

Displays the Results in a Table

The script formats and displays the details in a structured table.

Disconnects from Microsoft Graph

Finally, it disconnects from Microsoft Graph to free up the session.

Further Enhancements

Here are some possible improvements that can be made to the script:

Export to CSV: Modify the script to export the retrieved details to a CSV file for further analysis.
Bulk Query Multiple Groups: Allow the script to fetch members from multiple distribution groups by taking input from a CSV file.
Include More User Details: Extend the script to fetch other attributes such as Manager, Office Location, or Phone Number.
Enhance Error Handling: Implement better error handling for scenarios where API calls fail due to permission issues or network errors.

Frequently Asked Questions

How can I differentiate a distribution group from a Microsoft 365 group using Graph PowerShell?

You can identify distribution groups by checking the GroupTypes property. Distribution groups have an empty GroupTypes value, whereas Microsoft 365 groups have GroupTypes set to "Unified".

Does Get-MgGroupMember return members from nested groups?

No, by default Get-MgGroupMember only retrieves top-level members. To list all users from nested groups, you need to run recursive queries for each child group ID.

Can I export distribution group members to a CSV file?

Yes. After retrieving members using Get-MgGroupMember, you can pipe the output to Export-Csv, for example:

Get-MgGroupMember -GroupId <GroupId> -All | Select-Object DisplayName, Mail | Export-Csv "DGMembers.csv" -NoTypeInformation

How do I identify external members within a distribution group?

You can check the UserType property after fetching member details with Get-MgUser. Users with UserType set to "Guest" are external members.

Use Cases

Group Membership Audits: IT admins can use this script to audit distribution groups and verify if the right members are assigned.
User Management: Helps in troubleshooting and verifying user roles and assignments within distribution groups.
Automated Reporting: The script can be scheduled to generate periodic reports on group memberships.
Security & Compliance: Ensures that unauthorized users are not part of sensitive groups.

Possible Errors & Solutions

Error	Cause	Solution
Error: No group found with email	The entered email does not match any distribution group.	Verify the email address and try again.
No members found in the group	The group is empty or the members are not retrievable.	Ensure the group has members. Check if the members are external contacts.
Get-MgUser: User Not Found	The script tries to fetch details for a non-user object (e.g., a service principal).	Modify the script to filter only User objects from the group members.
Access Denied	The connected account lacks permissions.	Ensure the Graph API permissions Group.Read.All and User.Read.All are granted and admin consented.

Distribution Group Member Count Can Reveal Small-Group Risks

When you run Get-MgGroupMember -GroupId <Id> -All on a distribution group (where GroupTypes is empty), you can quickly analyze membership size. Smaller groups often pose a risk of over-privileged users—ideal for periodic audit checks.

Hidden Members in Nested Distribution Groups

When distribution groups contain other groups as members, Get-MgGroupMember returns only the top-level entries. To resolve nested memberships, you’ll need to recursively call the cmdlet for each child group. This ensures you capture all individual users who indirectly belong to the parent distribution list.

Conclusion

This PowerShell script offers an efficient way to fetch and display members of a Microsoft 365 distribution group, including critical details like Member Name, Department, and Job Title. By leveraging Microsoft Graph API, administrators can automate user audits and gain better visibility into group memberships. Further enhancements such as exporting to CSV or bulk processing multiple groups can make this script even more powerful.