List all Groups a User is a Member of or Owner of in Office 365

PowerShell is your best bet to find out all groups a user is a member of or owner of in Office 365. This article will show you how to use PowerShell to find all Office 365 group memberships for a specified user.

Follow the steps below to find out which Office 365 group memberships a user has:

  1. Log in to the Microsoft 365 Admin Center.
  2. Then, under the “Users” tab, search for and find the user you are looking for.
  3. Once you find the user, click on the user’s name to open the user properties. In the user properties pane, click on “Manage groups” under “Groups”.
  4. Here you will see all Office 365 groups the user is a member of, whether they are Microsoft 365 groups, Security groups, or Distribution Lists.

PowerShell to Find a User's Office 365 Group Memberships

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=ABCDE01A001,DC=prod,DC=outlook,DC=com'"

where 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=ABCDE01A001,DC=prod,DC=outlook,DC=com' is the DistinguishedName of the user, which you can obtain, for example, with:

Get-User user@domain.com | select -ExpandProperty DistinguishedName

Now, the Get-Recipient cmdlet in Exchange Online doesn’t return Office 365 Groups objects unless you specifically include them. An updated version of the above cmdlet that accounts for Groups will look like this:

Get-Recipient -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=ABCDE01A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup

This returns all Distribution groups, Mail-enabled security groups, and Office 365 groups the user is a member of.

If you want to check membership of Exchange Role Groups as well, use the Get-Group cmdlet:

Get-Group -Filter "Members -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=ABCDE01A001,DC=prod,DC=outlook,DC=com'"

The Azure AD cmdlets cover this as well, through the Get-AzureADUserMembership cmdlet. Here’s an example:

Get-AzureADUserMembership -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b

If you want to avoid using ObjectIds, here’s an example that takes care of that:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership

The output you get is also full of ObjectIds. We can work around this by looking up each group with Get-AzureADGroup and selecting readable properties:

Get-AzureADUser -SearchString user@domain.com | Get-AzureADUserMembership | ? {$_.ObjectType -ne "Role"}  | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ft

Get the list of objects the user is the Owner for

Get-Recipient -Filter "ManagedBy -eq 'CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=ABCDE01A001,DC=prod,DC=outlook,DC=com'" -RecipientTypeDetails GroupMailbox,MailUniversalDistributionGroup,MailUniversalSecurityGroup,DynamicDistributionGroup

To get the Owner information with the Azure AD PowerShell, one can use the Get-AzureADUserOwnedObject cmdlet. Example use of the cmdlet:

Get-AzureADUserOwnedObject -ObjectId 584b1b38-888c-4b85-8a71-c9766cb4791b
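
The Exchange Online membership, role group and ownership queries above can be combined into one per-user report, which is handy for access reviews and offboarding. This is an added example, not code from the original article: the function name Get-UserGroupReport is hypothetical, and it assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Get-UserGroupReport is a hypothetical helper name, not a built-in cmdlet.
function Get-UserGroupReport {
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    # Resolve the DistinguishedName the same way the article does.
    $dn = Get-User $UserPrincipalName -ErrorAction Stop |
        Select-Object -ExpandProperty DistinguishedName

    # A DN may contain an apostrophe (CN=O'Brien,...). Double it so the
    # single-quoted value inside the filter string is not cut short.
    $dnEscaped = $dn -replace "'", "''"

    $memberTypes = 'GroupMailbox', 'MailUniversalDistributionGroup', 'MailUniversalSecurityGroup'
    $ownerTypes  = $memberTypes + 'DynamicDistributionGroup'

    # Distribution groups, mail-enabled security groups and Office 365 groups
    # the user is a member of.
    Get-Recipient -Filter "Members -eq '$dnEscaped'" -RecipientTypeDetails $memberTypes |
        Select-Object @{Name = 'Relation'; Expression = { 'Member' }},
                      DisplayName, RecipientTypeDetails

    # Exchange role groups. Get-Group also returns the groups listed above,
    # so keep only role groups to avoid duplicate rows.
    Get-Group -Filter "Members -eq '$dnEscaped'" |
        Where-Object { $_.RecipientTypeDetails -eq 'RoleGroup' } |
        Select-Object @{Name = 'Relation'; Expression = { 'RoleGroupMember' }},
                      DisplayName, RecipientTypeDetails

    # Groups the user owns (ManagedBy), including dynamic distribution groups.
    Get-Recipient -Filter "ManagedBy -eq '$dnEscaped'" -RecipientTypeDetails $ownerTypes |
        Select-Object @{Name = 'Relation'; Expression = { 'Owner' }},
                      DisplayName, RecipientTypeDetails
}

# Usage: Get-UserGroupReport -UserPrincipalName user@domain.com | Format-Table -AutoSize
```

Rows marked RoleGroupMember or Owner deserve the closest look in a review, since they carry administrative or group-management rights rather than plain membership.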

PowerShell to find all the Distribution Groups a user is a member of:

$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Next, save the username of the person you are looking for in a variable called Username:

$Username = "abc.xyz@abc.org"

Now I’ll use this command, which gets all the Distribution Groups in my tenant and then finds the ones where my username is among the members.

$DistributionGroups= Get-DistributionGroup | where { (Get-DistributionGroupMember $_.Name | foreach {$_.PrimarySmtpAddress}) -contains "$Username"}

You can now either display it, or do another action such as removing the user from all of them!
