🔧 New: User Management Graph PowerShell Toolkit
Simplify user tasks like bulk creation, updates, password resets, deletions, license checks & more — all from one place.
🚀 Launch ToolkitFind Empty Distribution Groups in Microsoft 365 using Graph PowerShell
Cleaning up unused distribution groups in Microsoft 365 is a great way to improve directory hygiene, reduce clutter, and strengthen security. This Graph PowerShell script helps you identify empty distribution groups (i.e., mail-enabled groups with zero members) by leveraging the Microsoft Graph PowerShell.
Script – Find Empty Distribution Groups
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Group.Read.All"
# Step 1: Get all mail-enabled groups
$allGroups = Get-MgGroup -All -Property Id, DisplayName, Mail, MailEnabled, SecurityEnabled, GroupTypes, CreatedDateTime
# Step 2: Filter only Distribution Groups (mailEnabled = true, securityEnabled = false, no 'Unified' in groupTypes)
$distributionGroups = $allGroups | Where-Object {
$_.MailEnabled -eq $true -and
$_.SecurityEnabled -eq $false -and
($_.GroupTypes -notcontains "Unified")
}
# Step 3: Find empty distribution groups
Write-Host "`nChecking each Distribution Group for members..." -ForegroundColor Cyan
$emptyGroups = foreach ($group in $distributionGroups) {
$members = Get-MgGroupMember -GroupId $group.Id -ErrorAction SilentlyContinue
if (-not $members) {
[PSCustomObject]@{
DisplayName = $group.DisplayName
Mail = $group.Mail
GroupId = $group.Id
CreatedDate = $group.CreatedDateTime
}
}
}
# Step 4: Output results
if ($emptyGroups) {
Write-Host "`nEmpty Distribution Groups found:`n" -ForegroundColor Green
$emptyGroups | Format-Table DisplayName, Mail, GroupId, CreatedDate
} else {
Write-Host "`nNo empty distribution groups found." -ForegroundColor Yellow
}
How the Script Works
- Connect to Graph: It starts by establishing a connection to Microsoft Graph using Connect-MgGraph with Group.Read.All permissions.
- Fetch All Mail-Enabled Groups: It retrieves all groups and filters out only the distribution groups — those that are:
- Mail-enabled,
- Not security-enabled, and
- Not Microsoft 365 groups (Unified groups).
- Loop Through Groups: Each distribution group is checked for its members using Get-MgGroupMember.
- Identify Empty Groups: If no members are found, that group is added to the result.
- Display Output: Finally, the script prints a table with relevant details: group name, email address, ID, and creation date.
Further Enhancements
You can enhance this script further in several ways:
- Export to CSV:
$emptyGroups | Export-Csv -Path "EmptyDistributionGroups.csv" -NoTypeInformationAdd Description to the properties fetched from Get-MgGroup and display it.
Use Remove-MgGroup to clean up confirmed unused empty distribution groups — with caution!
Possible Errors & Solutions
| Error | Cause | Solution |
|---|---|---|
| Request_UnsupportedQuery | Using unsupported OData filters like groupTypes/any(...) | Avoid Graph filtering for group types; use PowerShell filtering instead |
| Access Denied or Insufficient privileges | Missing permissions | Ensure the connected user has Group.Read.All permission |
| Get-MgGroupMember: NotFound | Group may not exist or accessible | Use -ErrorAction SilentlyContinue to suppress and skip such cases |
| Empty Output | No empty groups or script logic failed | Add Write-Host statements for debugging each stage |
Conclusion
Identifying empty distribution groups is an effective way to clean up unused resources in your Microsoft 365 environment. By combining the power of Microsoft Graph with PowerShell, this script gives you a clear, actionable view of which distribution groups are currently inactive. With a few tweaks, you can even automate cleanup or export the results for review.
🔐 Always test scripts in a safe environment before using in production, and ensure you have the necessary permissions.