As an admin, you might have used a group membership report or distribution group members report to identify groups and their members. But there are few situations in which you want to list users and their groups. If you are one of them, then this blog is for you! 

Why Administrator Need to Know Groups a User is Member Of? 

1. It is essential to know whether the employees are only in the right groups and getting all group information they are associated with.  
2. Adding, removing, and managing the users to the groups are the critical tasks of the administrators. Having the “user member of” report along with “user owner of” report readily, the admin can provide approval, reject, or limited access to the requestor.  
3. Based on the user direct membership report, admins maintain the security of the groups among different departments.  
4. With this report, the admin can retain all groups a disabled user is a member of. This will help the admin in granting or removing the group access efficiently. 

How to View the List of Groups a User is Member Of? 

Viewing in User Profile: By clicking the user’s profile in the Microsoft 365 admin center, under the ‘Groups‘, you can see the list of group names the user is associated with. Same way, in the AzureAD portal, on clicking the ‘Groups’ under ‘Users’, you can see the user membership details. Using the user profile will not be suitable while we need to process huge users. 

Using PowerShell: Get-AzureADUserMembership will return the list of groups the user is a member of. But the Azure AD PowerShell module is under deprecation, you need to switch from Azure AD PowerShell module to MS Graph PowerShell cmdlets. However, to get a nicely formatted report, administrators need to use multiple cmdlets. It will be time and effort-consuming to get a detailed report with numerous filtering options.  

So, we designed the PowerShell script to support the administrators in saving time, effort and deliver a reliable user membership report.  

Script Highlights:

1. Generates 12 different user membership reports.
2. The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation. 
3. It can be executed with certificate-based authentication (CBA) too.
4. Supports both MFA and Non-MFA accounts.  
5. Allow to use filter to get guest users and their membership alone. 
6. Allow to use filter to get disabled users’ membership. 
7. Helps to identify users who are not member of any groups. 
8. Exports report result to CSV.
9. The script is scheduler-friendly. 

Download Script: UserMembershipReport.ps1

Sample Output: 

The exported user membership report looks similar to the below screenshot.

The exported report has the attributes like, Display Name, Email Address, Group Name(s), License Status, Account Status, Department, and Roles. 

Note: The report doesn’t include dynamic distribution group members details, as it requires different modules and cmdlets. 

Export AzureAD Users’ Membership Report – Script Execution

The script gives the aggregated report of the users’ membership details to the admins. At the end of the execution, you will be notified with the retrieved user count for the specified condition. You can choose any one of the below methods based on your requirement.

Find All the Office 365 Groups a User is a Member Of 

This script’s standard format will get the list of groups an Office 365 user is a member of and export them to the CSV file.  

.\UserMembershipReport.ps1

The above format is used for the both non-MFA and MFA-enabled accounts.  

Get Group Membership for a List of Users (Input through CSV) 

Based on the organizations’ nature, the employees are shifted to various departments. Technically, these employees’ department-specific groups access should be activated or terminated as soon as they join or leave the department. So, the privacy of the group data is guaranteed. With the list of employees falling under this category, the admin will identify whether the assigned groups to the user is valid or not and proceed with adding or removing them from the group.  

.\UserMembershipReport.ps1 -UsersIdentityFile {filepath}

The administrator can provide the UserPrincipalName or User ObjectId as the input (reference below). 

Sample Input: 

Note: As crucial as finding the user’s membership, auditing group membership also holds equal importance.

Find Guest User Account and their Membership Details 

The admins invite guest users to start the collaboration with the organization. Using the report, the admin works on identifying the guest users’ group details and includes them to specific groups that promote organization growth. Also, with reference to this report, administrators can remove guest account from specific group(s).  

.\UserMembershipReport.ps1 -GuestUsersOnly

The GuestUsersOnly param helps to get guest user and their group membership details. 

Additionally, you can visit the Guest User Report blog to get more detailed guest user report.

Get the Disabled Users’ Membership Report 

Most organizations maintain the former employee’s data in the name of disabled users. Their data are retained for future references. Having this report readily, the administrators can remove group membership of disabled accounts.  

.\UserMembershipReport.ps1 -DisabledUsersOnly

By adding the ‘DisabledUserOnly’ param, the admin can get the group membership of disabled user accounts.

Retrieve Office 365 Users Who are not a Member of Any Group 

In the organization, there will be newly joined employees. So, they will not be added to any groups. Using our report, the administrators will identify them and add them to the necessary groups. Also, there will be restricted users like internship students, contract employees, blocked or unauthorized users, and non-staffs. They will not be included in any groups related to the organizations as their access scope is minimal. Using our report, administrators make sure they are not into any organizational groups.  

.\UserMembershipReport.ps1 -UsersNotinAnyGroup

Running script with ‘UsersNotinAnyGroup’ switch, you will get users with no group membership. 

Execute the Script with Certificate (Scheduler-friendly):

To run the script unattended, you may consider using certificates for authentication. Depending on your needs, you can either create a self-signed certificate, which is more budget-friendly, or utilize a Certificate Authority (CA) certificate.

To execute the script with Certificate-based Authentication (CBA), you can include the TenantId, ClientId, and CertificateThumbprint parameters in the specified format.

.\UserMembershipReport.ps1 -TenantId <TenantId> -ClientId <ClientId> -CertificateThumbprint <Certthumbprint>

Get Office 365 Groups a User is Member of Report – More Use Cases 

We provide you with the options to try the different criteria combinations when looking for satisfactory and direct reports.  

To get the list of group membership details for the disabled guest users:  

.\UserMembershipReport.ps1 -GuestUsersOnly -DisabledUsersOnly

To get the disabled guest users who are not a member of any group:  

.\UserMembershipReport.ps1 -UsersNotinAnyGroup -DisabledUsersOnly -GuestUsersOnly

To retrieve the group membership for the guest users available in the input file  

.\UserMembershipReport.ps1 -UsersIdentityFile {filepath} -GuestUsersOnly

To retrieve the group membership for the disabled users available in the input file 

.\UserMembershipReport.ps1 -UsersIdentityFile {filepath} -DisabledUsersOnly

To list the group details for the disabled guest users from the specified users:  

.\UserMembershipReport.ps1 -UsersIdentityFile {filepath} -GuestUsersOnly –DisabledUsersOnly

To filter out disabled guest users who are not member of any group from the list of users (or) try as you wish 

.\UserMembershipReport.ps1 -UsersIdentityFile {filepath} -UsersNotinAnyGroup -GuestUsersOnly -DisabledUsersOnly

Get More Detailed User Membership Report:

If you are tired of manually executing the PowerShell script and looking for the easiest way to generate Microsoft 365 user reports, then take a look at Microsoft 365 reporting tool by AdminDroid.

AdminDroid provides the following users’ group membership report,

• User membership report – Shows all the Office 365 groups a user is member of.
• Contact membership report – Lists all the groups the contact is member of.
• External users’ group membership report – Shows external users and their groups.
• Admin role group report – Lists all the administrators along with their role group.

Besides, AdminDroid Offers over 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. You can do customization, scheduling, and exporting. This can help you to stay on top of critical Azure AD management tasks, such as monitoring user activity, tracking license usage, and managing group memberships.

Additionally, AdminDroid provides 1800+ pre-built reports and 30+ visually appealing smart dashboards on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, OneDrive for Business, Skype for Business, Yammer, General Office 365 reports, and security reports.

Download Free Office 365 reporting tool by AdminDroid to manage your Azure AD environment effectively.

Conclusion:

The administrators are often requested to perform user membership changes by adding or removing users from the groups. Proper maintenances of the user membership will give the benefits of the following key purpose.

• Sharing group information with the right users,
• secure data from the random audience,
• Keep restricted users away from the group

We hope our blog will help the admins to meet their needs effectively and smartly.  

The post Export Office 365 Groups a User is Member Of Using PowerShell appeared first on Office 365 Reports.

How to Get Distribution Group Members?

Finding out who is members of which Distribution Group is always a tedious task. You can view Distribution Group members through Microsoft 365 Admin Center, but it is per user base. So, you need to click each group to view its membership which is time-consuming. Fear not! Your friend, PowerShell is here for the rescue. You can use PowerShell commands to export distribution list members to csv.

If your distribution group has dynamic members (users automatically assigned to a group based on some predefined conditions), you need to use different cmdlets to get dynamic distribution group members.

Export Office 365 Distribution List Members to CSV using PowerShell

We have written a PowerShell script to export Distribution List members to CSV along with most required attributes like Group DisplayName, Group Primary SMTP Address, Group Alias, Group Type, Group Owner (Managed By), Members Count, Members, Member Email, Member’s Type, and Users allowed to send email to the Distribution Group.

Exchange Online PowerShell cmdlet Get-DistributionGroup used to list all distribution group available in the tenant and Get-DistributionGroupMember used to list group members. Export-CSV cmdlet used to export the report to CSV file. A group can have many members and exporting them in a single line is not an aesthetic one.

To understand your Distribution Group membership better, our script will provide two output files.

• Distribution Group Summary Report
• Detailed Distribution Group Membership Report

Download Script: GetDistributionGroupMembers

Script Highlights:

• The script uses modern authentication to connect to Exchange Online.   
• Allows you to filter the report result based on group size(i.e., Members count).
• The script can be executed with MFA enabled account too.
• You can choose to either “Export Members of all Distribution Lists” or pass an input file to “Export Members of Specific Distribution List”.
• You can filter the output based on whether the group accepts message from external senders or not.
• Exports the list of allowed senders to a Distribution List.
• Output can be filtered to list Empty group. i.e., Distribution Group without members
• Exports the report result to CSV.
• You can get members count based on Member Type such as User mailbox, Group mailbox, Shared mailbox, Contact, etc.
• Automatically installs the EXO V2 (if not installed already) upon your confirmation.  
• The script is scheduler friendly. i.e., credentials can be passed as parameter instead of saving inside the script.
• Above all, script exports output in nicely formatted 2 CSV files. One with detailed information and another with summary information.

Office 365 Distribution Group Summary Report:

Distribution Group summary report has following attributes.

• Group Display Name,
• Primary SMTP Address,
• Group Alias,
• Group Type,
• Group Owner (Managed By),
• Group Members Count,
• Members Count by Recipient Type,
• Allows External users
• Allowed Senders (I.e., Authorized Senders to a Distribution Group)
• Hidden From Exchange Address List (Optional)
• Description (Optional)
• Creation Time (Optional)
• DirSynEnabled (Optional)
• Member Join Restriction (Optional)
• Member Depart Restriction (Optional)

Detailed Office 365 Distribution Group Membership Report:

Detailed Office 365 Distribution Group membership report has following attributes:

• Group Display Name,
• Primary SMTP Address,
• Group Alias,
• Group Members Count,
• Group Members,
• Member Primary SMTP Address
• Member Recipient Type

Export Distribution List Members to CSV: 

To export all Office 365 Distribution Lists and members report, execute the script as follows

./GetDistributionGroupMembers.ps1

The above format will work for both MFA and non-MFA accounts.

Unlock the Full Potential of this Script

This script has many built-in parameters to filter/customize the report based on your requirement. We have listed some of the primary uses cases below.

• Gets members for a single/list of Distribution Group.
• Gets members for Distribution Group that has more than ‘N’ members.
• To get empty Distribution Group.
• Exports Distribution Group that allows external users to send message.
• Reports who are authorized to send email to a Distribution List.
• Using multiple parameters, you can get more granular report.
• Script can be executed with MFA enabled account.
• Script can be scheduled by explicitly passing credential.
• You can add additional attributes to export file.

Let’s check the use cases in detail.

Get Members for a Single/List of Distribution Group

You can use –GroupNamesFile param to get members of a Distribution Group from the input list called “DistributionList.txt” and exports all membership into CSV.

To get members of specific Distribution List, pass an input file with a Display Name/ Alias/ Distinguished Name/ Canonical DN/ Email Address or GUID of groups.

./GetDistributionGroupMembers.ps1 -GroupNamesFile C:/DistributionList.txt

The GroupNamesFile must follow the format below:  Group identity separated by new line without header.

Get Distribution Group Members That has more than ‘N’ Members

To filter result based on group members count, you can use –MinGroupMembersCount  param. i.e., You can get groups that have more than the specified number of members.

./GetDistributionGroupMembers.ps1 -MinGroupMembersCount 50

Above script reports all Distribution Lists that has more than 50 members.

Get Empty Distribution Groups

To get an empty Distribution Group (ie, Distribution Group without members), execute the script with -IsEmpty param.

./GetDistributionGroupMembers.ps1 -IsEmpty

Using this filter, you can identify and delete unused Distribution Lists available in your tenant.

Get Distribution List That Allow External User to Send Message

This value is retrieved from “RequireSenderAuthenticationEnabled” attribute. It allows you to restrict who can send emails to an Distribution List.

Using –ExternalSendersBlocked Param, you can filter the result based on the delivery option. I.e., you can get list of Distribution groups that allows/denies external users to send a message to that group.

To list Distribution Groups that allows external users to send message to that group, execute a script with –ExternalSendersBlocked $false

./GetDistributionGroupMembers.ps1 -ExternalSendersBlocked $False

To list Distribution Groups that doesn’t allow external users to send message to that group, execute a script with –ExternalSendersBlocked $true

./GetDistributionGroupMembers.ps1 -ExternalSendersBlocked $True

Get Distribution Group’s Authorized Senders

Getting Office 365 Distribution list’s authorized senders is a bit tricky as authorized senders are retrieved by correlating multiple attributes. You can get allowed senders from Get-DistributionGroup cmdlet, and the attributes are,

1. AcceptMessagesOnlyFromSendersOrMembers – Lists allowed senders

2. RequireSenderAuthenticationEnabled – This restrict senders who can send email to a Distribution group, i.e., whether a Distribution Group allows external senders or allows internal senders alone.

How to get allowed senders?

• If the allowed senders’ list has values, group members will receive messages only from those senders and reject messages from everyone else.
• When allowed senders list is empty, group members will receive messages from everyone based on ‘RequireSenderAuthenticationEnabled.’

To make it simple, our ‘Export Distribution List members’ script exports Distribution Group along with authorized senders.

Get more Granular Report

You can use multiple filters together, to get more granular report. For example, you can get members for a list Distribution Group that has more than 50 members

./GetDistributionGroupMembers.ps1 -GroupNamesFile C:\DistributionList.txt -MinGroupMembersCount 50

Would you like more granularity? We’ve got you with our granular PowerShell script! Precisely identify which groups each user is a member of and track their direct assignments easily.

Schedule  ‘Export Distribution Group Members’ PowerShell Script

You can schedule this script in task scheduler by explicitly mentioning the credential.

<Script Location>\.GetDistributionGroupMembers.ps1 -UserName <UserName> -Password <Password>

To know more about scheduling Powershell script, refer our blog: Schedule PowerShell script using Task Scheduler.

How to Add more Attributes in the Export File?

To add following attributes to Distribution Group members report, uncomment the comment section in the line 110 and 112.

• HiddenFromAddressList (HiddenFromAddressListsEnabled) – Hide group from Global Address List(GAL).
• Description – Short information about group.
• CreationTime (WhenCreated) – Group creation time.
• DirSyncEnabled (IsDirSynced) – Whether the group has directory sync enabled or not.
• JoinGroupWithoutApproval (MemberJoinRestriction) – Shows whether owner approval is required to join a group.
  • Open – Anyone can join group without being approved by the group owner.
  • Close – Members can be added only by the group owner.
• LeaveGroupWithoutRestriction (MemberDepartRestriction) – Shows whether the group is open to leave.
  • Open – Anyone can leave group without being approved by the group owner.
  • Closed – Members can be removed only by the group owner.

Get More Detailed  Group Reports:

To get more detailed group reports based on

• Group types
  • Security group
  • Distribution group
  • Mail-enabled security group
  • Microsoft 365 group
  • Dynamic distribution group
• Group membership
  • Direct members
  • Nested group members
  • Hidden membership
  • External members
• Group creation source
  • Groups created via Teams
  • Groups created via SharePoint Online
  • Groups created via Yammer
• Group member changes
• Groups usage
• Inactive groups based on Last activity date

you can take a look at AdminDroid Microsoft 365 reporting and auditing tool.

Additionally, AdminDroid provides 1500+ pre-built reports and 20 smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.

Besides, AdminDroid provides over 100+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The free edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting. For your Azure AD reporting and auditing needs, you can download Free Office 365 reporting tool by AdminDroid and see how it helps for you.

If you have any queries regarding script, reach us through the comment section.

The post Export Office 365 Distribution Group Members Using PowerShell appeared first on Office 365 Reports.