Using Get-MgUserMemberGroup in Graph PowerShell
This guide explains how to use the Get-MgUserMemberGroup cmdlet in Microsoft Graph PowerShell to retrieve the groups a user is a member of with practical examples.
The Get-MgUserMemberGroup cmdlet is part of the Microsoft Graph PowerShell module. It is used to retrieve the list of group IDs for groups of which the specified user is a direct member. This cmdlet is crucial for administrators who need to audit group memberships for users in their Microsoft 365 environment.
Prerequisites
-
Microsoft Graph PowerShell Module: Ensure you have the Microsoft Graph PowerShell module installed. You can install it using the following command:
Install-Module Microsoft.Graph -Scope CurrentUser - Permissions: You need the appropriate permissions to execute the Get-MgUserMemberGroup cmdlet. The required Graph API permission is: Group.Read.All
Cmdlet Syntax
Get-MgUserMemberGroup -UserId <String> -BodyParameter <IDirectoryObjectGetMemberGroupsParameter> [<CommonParameters>]Parameters:
-UserId:Specifies the unique identifier of the user.-BodyParameter:Specifies a hash table with the parameter(s) for the request. It can be used to filter groups being retrieved based on the group type.<CommonParameters>:Supports common parameters like -Verbose -Debug -ErrorAction etc.
Usage Examples
Example 1: Retrieve Group IDs for a User
$userId = "user@example.com"
$params = @{
SecurityEnabledOnly = $false
}
Get-MgUserMemberGroup -UserId $userId -BodyParameter $paramsThis command retrieves the IDs of all groups (excluding security enabled groups) for which the specified user is a member.
Example 2: Retrieve Security-Enabled Group IDs for a User
$userId = "user@example.com"
$params = @{
SecurityEnabledOnly = $true
}
Get-MgUserMemberGroup -UserId $userId -BodyParameter $paramsThis command retrieves only the IDs of security-enabled groups for the specified user.
Example 3: Retrieve Detailed Group Information for a User
To get detailed information about the groups you can use the Get-MgGroup cmdlet in conjunction with Get-MgUserMemberGroup.
$userId = "user@example.com"
$params = @{
SecurityEnabledOnly = $false
}
$groupIds = Get-MgUserMemberGroup -UserId $userId -BodyParameter $params
foreach ($groupId in $groupIds) {
Get-MgGroup -GroupId $groupId
}This script retrieves the detailed information of each group for which the user is a member.
Cmdlet Tips
- Efficiency: When dealing with a large number of groups, use filters within the -BodyParameter to limit the results.
- Automation: Combine this cmdlet with other Microsoft Graph cmdlets to automate group membership audits and reporting.
- Verbose Output: Use the -Verbose parameter to get more detailed output for debugging and understanding the cmdlet's operations.
Possible Errors & Solutions
| Error | Solution |
| Error: "Resource not found" | Ensure the -UserId parameter is correct and corresponds to a valid user in your Microsoft 365 tenant. |
| Error: "Insufficient privileges" | Make sure your account has the necessary permissions to retrieve group memberships. You might need the Group.Read.All or Directory.Read.All permissions. |
| Cannot bind parameter 'UserId | Verify that the -UserId parameter is not null or empty and is in the correct format (e.g., user@example.com or user ID). |
Frequently Asked Questions
- What is Get-MgUserMemberGroup used for?
Get-MgUserMemberGroup is a Microsoft Graph PowerShell cmdlet used to retrieve the group memberships of a user, including security and distribution groups. - How can I export a user’s group memberships to a CSV file?
Use this script to export group memberships:$Groups = Get-MgUserMemberGroup -UserId "<UserPrincipalName>" -SecurityEnabledOnly $false $Groups | Export-Csv -Path "C:\Path\To\UserGroups.csv" -NoTypeInformation - What permissions are required to retrieve group memberships?
You need the Group.Read.All or Directory.Read.All permission in Microsoft Graph PowerShell. Ensure these permissions are granted in Azure AD.
Get-MgUserMemberGroup Outputs a List of Group IDsThis cmdlet returns only the unique identifiers (GUIDs) of the groups a user is a member of.
To retrieve names, types, or other details, you’ll need to pass these IDs to
Get-MgGroup in a loop or batch query.
-SecurityEnabledOnly $trueBy default, the cmdlet includes all group types (Microsoft 365, distribution, and security).
Use
-SecurityEnabledOnly $true to return only security groups the user belongs to.
Conclusion
The Get-MgUserMemberGroup cmdlet is a powerful tool for administrators to manage and audit group memberships in Microsoft 365. By leveraging this cmdlet along with other Microsoft Graph cmdlets like Get-MgGroup and Get-MgUser, you can create detailed reports and automate various administrative tasks efficiently. Understanding its syntax, parameters, and common errors will enhance your ability to maintain a secure and well-organized Microsoft 365 environment.
For further details, refer to the official Microsoft documentation: Get-MgUserMemberGroup cmdlet.
Related Articles:
Using Get-MgDirectoryRole in Graph PowerShellUsing Get-MgUserLicenseDetail in Graph PowerShell
Using Find-GraphMgCommand in Graph PowerShell
Connect to Microsoft 365 Using PowerShell
How to Create Bulk Users in Office 365 Using Graph PowerShell?
Create Microsoft 365 Group Using Microsoft Graph PowerShell
Block Microsoft 365 User Using Microsoft Graph PowerShell
Assign Microsoft 365 License Using Graph PowerShell
Microsoft 365 User Management Using Graph PowerShell
Checking Group Membership in Microsoft 365
Bulk Assign Microsoft 365 License
Find Inactive Users in Microsoft 365
Using Powershell Graph Search Query
Using Powershell Graph Filter Query
Using Where-Object In Graph PowerShell
Using Expand Property In Graph PowerShell
Using Select Object In Graph PowerShell
Using -Contains Operator In Graph PowerShell
Add User to Multiple Microsoft 365 Groups Using Graph PowerShell
Get Microsoft 365 User Location Using Graph PowerShell
Import Microsoft 365 Groups from CSV File Using Graph PowerShell
Microsoft 365 Group User Import Using Graph PowerShell