Track M365 Users Not in Any Group Using Graph PowerShell

Managing user memberships in an organization can be a complex task, especially when dealing with a large number of users and groups. One crucial aspect of this management is identifying users who are not part of any group. These users might miss out on important communications, resources, or permissions. In this article, we will walk you through a PowerShell script that leverages Microsoft Graph to track M365 users who are not in any group and lists their DisplayName and UserPrincipalName, along with the count of such users.


Script to Track M365 Users Not in Any Group

Here's a PowerShell script to identify users not in any group:

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

# Get all users
$allUsers = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName

# Initialize an array to hold users not in any group
$usersNotInGroups = @()

# Loop through each user
foreach ($user in $allUsers) {
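    # Get the user's direct memberships. memberOf also returns directory roles
    # and administrative units, so keep only the group objects.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    if ($groups.Count -eq 0) {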
        # Add user to the array if not in any group
        $usersNotInGroups += [PSCustomObject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}

# Display the users not in any group
$usersNotInGroups

# Display the count of users not in any group
$usersNotInGroups.Count

Script Explanation

Connect to Microsoft Graph

Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

This command authenticates to Microsoft Graph with the necessary scopes to read user and group data.

Get all users

$allUsers = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName

This retrieves all users with their Id, DisplayName, and UserPrincipalName.

Initialize an array

$usersNotInGroups = @()

This initializes an empty array to store users not in any group.

Loop through each user

foreach ($user in $allUsers) {
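    # Get the user's direct memberships. memberOf also returns directory roles
    # and administrative units, so keep only the group objects.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    if ($groups.Count -eq 0) {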
        # Add user to the array if not in any group
        $usersNotInGroups += [PSCustomObject]@{
            DisplayName       = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}

This loop checks if each user is a member of any group. If not, the user is added to the array.
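Get-MgUserMemberOf returns every directory object a user is a direct member of, which includes directory roles and administrative units as well as groups. The following is an added example, not part of the original script: it runs on constructed sample data and classifies entries by their @odata.type, so an account that holds only a directory role is still reported as ungrouped. The helper names New-SampleEntry and Get-UngroupedUser are hypothetical.

```powershell
# Added example; all data below is constructed and no Graph connection is needed.
# New-SampleEntry and Get-UngroupedUser are hypothetical helper names.
function New-SampleEntry {
    param([string]$Id, [string]$ODataType)
    # Mimics the shape of an object returned by Get-MgUserMemberOf
    [PSCustomObject]@{
        Id                   = $Id
        AdditionalProperties = @{ '@odata.type' = $ODataType }
    }
}

function Get-UngroupedUser {
    param(
        [Parameter(Mandatory)] [object[]]$Users,
        [Parameter(Mandatory)] [hashtable]$MemberOfByUserId
    )
    foreach ($user in $Users) {
        # Drop $null so a user with no entries yields an empty array
        $entries = @($MemberOfByUserId[$user.Id] | Where-Object { $_ })
        $types   = @($entries | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
        if ($types -notcontains '#microsoft.graph.group') {
            [PSCustomObject]@{
                DisplayName       = $user.DisplayName
                UserPrincipalName = $user.UserPrincipalName
                # Non-group memberships the account still holds
                OtherMemberships  = ($types | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample users
$users = @(
    [PSCustomObject]@{ Id = 'u1'; DisplayName = 'Sample A'; UserPrincipalName = 'a@example.com' }
    [PSCustomObject]@{ Id = 'u2'; DisplayName = 'Sample B'; UserPrincipalName = 'b@example.com' }
    [PSCustomObject]@{ Id = 'u3'; DisplayName = 'Sample C'; UserPrincipalName = 'c@example.com' }
    [PSCustomObject]@{ Id = 'u4'; DisplayName = 'Sample D'; UserPrincipalName = 'd@example.com' }
)
# Constructed memberOf results, keyed by user Id
$memberOf = @{
    u1 = @( (New-SampleEntry 'g1' '#microsoft.graph.group') )
    u2 = @( (New-SampleEntry 'r1' '#microsoft.graph.directoryRole') )
    u3 = @()
    u4 = @( (New-SampleEntry 'au1' '#microsoft.graph.administrativeUnit'), (New-SampleEntry 'g2' '#microsoft.graph.group') )
}

Get-UngroupedUser -Users $users -MemberOfByUserId $memberOf | Format-Table -AutoSize
```

Against a live tenant, fill the hashtable with the output of Get-MgUserMemberOf for each user Id instead of the sample entries.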

Display results

$usersNotInGroups
$usersNotInGroups.Count

These commands display the list of users not in any group and the count of such users.


Further Enhancements

Export to CSV

$usersNotInGroups | Export-Csv -Path "UsersNotInGroups.csv" -NoTypeInformation

You can export the results to a CSV file for further analysis or reporting.

Email Notification

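$body = $usersNotInGroups | Out-String
# -From is mandatory; the sender address below is a placeholder.
# -UseSsl requests an encrypted connection to the SMTP server.
Send-MailMessage -From "reports@example.com" -To "admin@example.com" -Subject "Users Not in Any Group" -Body $body -SmtpServer "smtp.example.com" -UseSsl

Send an email with the list of users not in any group. Microsoft marks Send-MailMessage as obsolete because it cannot guarantee a secure connection to the SMTP server; keep that in mind, since the report contains account names.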


Use-Cases

  • Audit and Compliance: Ensure all users are part of at least one group for compliance reasons.
  • Resource Allocation: Identify users who might be missing out on necessary resources provided through group memberships.
  • Communication: Ensure all users receive important communications sent to groups.

Possible Errors & Solutions

Authentication Issues:

Connect-MgGraph : Authorization_RequestDenied

Solution: Ensure the user account has the User.Read.All and Group.Read.All permissions.

API Rate Limits:

Start-Sleep -Seconds 1

Solution: If you hit API rate limits, consider adding a delay in the loop.

Network Issues:

Solution: Ensure your network connection is stable to avoid connectivity issues.


Conclusion

Tracking M365 users not in any group is a vital task to ensure effective management and resource allocation within your organization. The provided PowerShell script offers a straightforward solution to identify these users, helping you maintain compliance and streamline communications. By leveraging Microsoft Graph, you can easily extend and customize this script to meet your specific needs.

