Fetch All Security Groups with Details Using Microsoft Graph PowerShell

Managing security groups in Microsoft 365 is crucial for ensuring proper access control and permissions. This Graph PowerShell script retrieves all security groups and displays key details such as Group Name, Group Mail, Member Count, Group ID, and whether Mail is Enabled.

This article provides a ready-to-use script, explains how it works, and discusses ways to enhance it further.


The Script

Below is the PowerShell script that fetches all security groups and lists the required details:

# Ensure the Microsoft Graph Groups module is installed and imported
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Groups)) {
    Install-Module Microsoft.Graph -Force -Scope CurrentUser
}
Import-Module Microsoft.Graph.Groups

# Connect to Microsoft Graph with the required permission
Connect-MgGraph -Scopes "Group.Read.All"

# Fetch all security groups (only those with securityEnabled set to true)
$SecurityGroups = Get-MgGroup -All -Filter "securityEnabled eq true" -Property Id, DisplayName, Mail, MailEnabled

# Build one object per group; the loop output is collected into $GroupDetails
$GroupDetails = foreach ($Group in $SecurityGroups) {
    # Count the group's direct members (@() keeps the count correct for 0 or 1 member)
    $MemberCount = @(Get-MgGroupMember -GroupId $Group.Id -All).Count

    # Emit the details as a custom object
    [PSCustomObject]@{
        "Group Name"   = $Group.DisplayName
        "Group Mail"   = $Group.Mail
        "Member Count" = $MemberCount
        "Group ID"     = $Group.Id
        "Mail Enabled" = $Group.MailEnabled
    }
}

# Display the details in table format
$GroupDetails | Format-Table -AutoSize

How the Script Works

  1. Connects to Microsoft Graph: The script first connects to Microsoft Graph, requesting the Group.Read.All permission so it can read group details.
  2. Fetches Security Groups: It retrieves all groups where securityEnabled is set to true.
  3. Retrieves Member Count: The script iterates through each security group and uses Get-MgGroupMember to count its direct members.
  4. Displays Results in a Table: The output is formatted using Format-Table -AutoSize.

Further Enhancing the Script

While this script provides essential security group details, it can be enhanced further:

  • Exporting Data to CSV: Add the following line at the end of the script to export the results to a CSV file:

    $GroupDetails | Export-Csv -Path "C:\SecurityGroups.csv" -NoTypeInformation

  • Filtering Groups Based on Naming Conventions: To retrieve only groups with specific keywords (e.g., "Admin"), filter the results:

    $FilteredGroups = $SecurityGroups | Where-Object { $_.DisplayName -like "*Admin*" }

  • Including Additional Group Properties: Retrieve more details such as group owners and creation date by adding them to the Get-MgGroup call. CreatedDateTime is an ordinary property and goes in -Property; owners is a relationship, so it is requested with -ExpandProperty:

    -Property Id, DisplayName, Mail, MailEnabled, CreatedDateTime -ExpandProperty Owners
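The three enhancements above can be combined into one audit report. The following is an added example, not part of the original script: it assumes an existing Connect-MgGraph session with Group.Read.All, and $NamePattern and $OutFile are illustrative values.

```powershell
# Added example: ownership and membership audit of security groups.
# Assumes Connect-MgGraph -Scopes "Group.Read.All" has already been run.
$NamePattern = '*Admin*'                                          # illustrative keyword
$OutFile     = Join-Path $env:TEMP 'SecurityGroupAudit.csv'       # illustrative path

$groups = Get-MgGroup -All -Filter "securityEnabled eq true" `
    -Property Id, DisplayName, Mail, MailEnabled, CreatedDateTime

$report = foreach ($g in $groups) {
    # Owners are a relationship; query them per group to get the complete list
    $owners = @(Get-MgGroupOwner -GroupId $g.Id -All)
    $ownerNames = $owners | ForEach-Object {
        $p = $_.AdditionalProperties
        # Service principal owners have no UPN, so fall back to the display name
        if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
    }

    # Server-side count avoids downloading every member object
    $memberCount = Get-MgGroupMemberCount -GroupId $g.Id -ConsistencyLevel eventual

    [PSCustomObject]@{
        'Group Name'   = $g.DisplayName
        'Group ID'     = $g.Id
        'Mail Enabled' = $g.MailEnabled
        'Created'      = $g.CreatedDateTime
        'Member Count' = $memberCount
        'Owner Count'  = $owners.Count
        'Owners'       = $ownerNames -join '; '
        'Ownerless'    = ($owners.Count -eq 0)
        'Empty'        = ($memberCount -eq 0)
        'Name Match'   = ($g.DisplayName -like $NamePattern)
    }
}

# Review candidates: groups nobody owns, groups with no members, and name matches
$report | Where-Object { $_.Ownerless -or $_.Empty -or $_.'Name Match' } |
    Format-Table 'Group Name', 'Member Count', 'Owner Count', 'Ownerless', 'Empty' -AutoSize

# Keep the full report for the access review record
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```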

Frequently Asked Questions

  • How do I differentiate between Microsoft 365 Mail-Enabled Security Groups and Mail-Disabled Security Groups in Graph PowerShell?

    Microsoft 365 Mail-Disabled Security Groups have mailEnabled set to false and securityEnabled set to true. Microsoft 365 Mail-Enabled Security Groups have mailEnabled set to true and securityEnabled set to true. Use filters like:

    -Filter "securityEnabled eq true and mailEnabled eq false"

  • Can I retrieve only mail-enabled security groups using Graph PowerShell?

    Yes. You can use the filter:

    -Filter "mailEnabled eq true and securityEnabled eq true"

    This retrieves groups that are mail-enabled and can function in hybrid or legacy Exchange environments.

  • Why am I getting limited results even when I know more groups exist?

    By default, Get-MgGroup returns paged results. To fetch all groups, use the -All switch:

    Get-MgGroup -All

  • Can I filter by group name or display name?

    Yes, use the startswith function with the displayName field:

    -Filter "startswith(displayName, 'Finance')"

Possible Errors & Solutions

Error | Cause | Solution
'Access Denied' When Running the Script | The user does not have the necessary permissions. | Ensure you are assigned the Group.Read.All permission and connect with: Connect-MgGraph -Scopes "Group.Read.All"
'Cannot Find Get-MgGroup' | Microsoft Graph PowerShell module is missing. | Install the module using: Install-Module Microsoft.Graph -Force -Scope CurrentUser
'Member Count Shows as 0' | Some security groups may not have any members. | Verify in the Microsoft 365 Admin Center if the group contains members.

✅ Filter Only Mail-Disabled Security Groups

To retrieve only mail-disabled security groups, apply a filter with:

    -Filter "securityEnabled eq true and mailEnabled eq false"

This excludes Microsoft 365 groups and mail-enabled security groups, returning only true security groups, which is ideal for role-based access control (RBAC) audits.

✅ Include Group Membership for Deeper Insights

You can enrich your results by expanding the members property:

    Get-MgGroup -Filter "securityEnabled eq true" -ExpandProperty Members

This lets you see group composition without running separate queries for member enumeration, which is handy for access reviews and cleanup operations. Note that Microsoft Graph returns at most 20 objects for an expanded relationship, so for larger groups the expanded list is incomplete; use Get-MgGroupMember -All when the review needs the full membership.
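For an access review that needs every direct member rather than an expanded preview, the following added example (not from the original article) enumerates mail-disabled security groups with Get-MgGroupMember -All and breaks each one down by member type. It assumes an existing Connect-MgGraph session with Group.Read.All; treating a '#EXT#' user principal name as a guest is a naming heuristic, not an authoritative userType check.

```powershell
# Added example: direct-member composition of mail-disabled security groups.
# Assumes Connect-MgGraph -Scopes "Group.Read.All" has already been run.
$groups = Get-MgGroup -All -Filter "securityEnabled eq true and mailEnabled eq false" `
    -Property Id, DisplayName

$composition = foreach ($g in $groups) {
    # -All pages through the complete direct membership
    $members = @(Get-MgGroupMember -GroupId $g.Id -All)

    # '@odata.type' looks like '#microsoft.graph.user'; keep only the short type name
    $count = @{}
    $members |
        Group-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
        ForEach-Object { $count[$_.Name] = $_.Count }

    # Heuristic: guest accounts normally carry '#EXT#' in their user principal name
    $guests = @($members | Where-Object {
        $_.AdditionalProperties['userPrincipalName'] -like '*#EXT#*'
    })

    [PSCustomObject]@{
        'Group Name'         = $g.DisplayName
        'Group ID'           = $g.Id
        'Direct Members'     = $members.Count
        'Users'              = [int]$count['user']
        'Guests (heuristic)' = $guests.Count
        'Nested Groups'      = [int]$count['group']
        'Service Principals' = [int]$count['servicePrincipal']
        'Devices'            = [int]$count['device']
    }
}

# Groups containing nested groups, guests or service principals deserve a closer look,
# because their effective access is wider than the user count alone suggests
$composition |
    Where-Object { $_.'Nested Groups' -or $_.'Guests (heuristic)' -or $_.'Service Principals' } |
    Sort-Object 'Direct Members' -Descending |
    Format-Table -AutoSize
```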

Conclusion

This PowerShell script provides an efficient way to retrieve and analyze security groups within Microsoft 365 using Microsoft Graph API. By listing Group Name, Group Mail, Member Count, Group ID, and Mail Enabled status, administrators can effectively manage access controls.

Enhancements like exporting to CSV, filtering groups, and retrieving additional properties can further extend the script’s functionality.

