How to get a report showing all Entra groups assigned to a user?

Kim M 20 Reputation points
2025-11-05T21:52:09.99+00:00

I need a report from Entra that shows all Groups (distribution, security, M365 - assigned or dynamic) assigned to every employee in our organization. Our Technology Manager ran a query against Entra. The report has all the employees but does not have all Groups assigned for every employee. Very few show all Groups assigned, but most employees do not show all Groups assigned. There isn't any consistency of what Groups are showing either - distribution, security, M365, an assigned group, or a dynamic group. This report needs to be as accurate as possible and a source of truth for auditing purposes.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Marcin Policht 68,535 Reputation points MVP Volunteer Moderator
    2025-11-05T22:12:39.71+00:00

    To accomplish your objective, you should use the Microsoft Graph PowerShell SDK to query each user and enumerate their group memberships, then export the results to CSV for auditing.

    Step 1: Install Microsoft Graph PowerShell

    If not already installed:

    Install-Module Microsoft.Graph -Scope AllUsers
    Import-Module Microsoft.Graph
    
    

    Step 2: Connect with directory permissions

    You must have Directory.Read.All and Group.Read.All at minimum:

    Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Directory.Read.All"
    

    Approve admin consent if prompted.

    Step 3: Run the group membership export script:

    # Get All Users
    $Users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName
    $Report = foreach ($User in $Users) {
        # Get All Group Memberships (Security, M365, Distribution, Dynamic)
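        # The OData type of each returned directory object is exposed through AdditionalProperties
        $Groups = Get-MgUserMemberOf -UserId $User.Id -All | Where-Object { $_.AdditionalProperties['@odata.type'] -eq "#microsoft.graph.group" }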
        foreach ($Group in $Groups) {
            # Resolve group type attributes
            # Id is requested explicitly because it fills the GroupId column below
            $GroupDetails = Get-MgGroup -GroupId $Group.Id -Property Id, DisplayName, GroupTypes, SecurityEnabled, MailEnabled, Mail
            [PSCustomObject]@{
                UserDisplayName     = $User.DisplayName
                UserPrincipalName   = $User.UserPrincipalName
                GroupName           = $GroupDetails.DisplayName
                GroupId             = $GroupDetails.Id
                SecurityGroup       = $GroupDetails.SecurityEnabled
                M365Group           = $GroupDetails.GroupTypes -contains "Unified"
                DistributionGroup   = ($GroupDetails.MailEnabled -and -not $GroupDetails.SecurityEnabled)
                DynamicGroup        = $GroupDetails.GroupTypes -contains "DynamicMembership"
            }
        }
    }
    # Export to CSV
    $Report | Export-Csv "C:\Reports\All_User_Group_Membership_Report.csv" -NoTypeInformation -Encoding UTF8
    

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
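
A reconciliation check for the export above, as an added example that is not part of the accepted answer: it compares user-side rows (the CSV columns UserPrincipalName and GroupId) with a group-side listing and flags users who have no rows at all, because the export loop emits nothing for a user with zero groups. The function name Compare-MembershipReport and every sample row are constructed for illustration; in a live tenant the group-side rows would have to be collected separately by enumerating each group's members.

```powershell
# Added example: Compare-MembershipReport is a hypothetical helper, not an SDK cmdlet.
function Compare-MembershipReport {
    param(
        [object[]] $UserSideRows,   # rows shaped like the CSV export (UserPrincipalName, GroupId)
        [object[]] $GroupSideRows,  # one row per (group, member), same two columns
        [string[]] $AllUserUpns     # every user the audit is expected to cover
    )
    $userSide  = [System.Collections.Generic.HashSet[string]]::new()
    $groupSide = [System.Collections.Generic.HashSet[string]]::new()
    $seenUsers = [System.Collections.Generic.HashSet[string]]::new()
    # Normalise each membership to a lower-cased "upn|groupId" key.
    foreach ($r in $UserSideRows) {
        [void]$userSide.Add(("$($r.UserPrincipalName)|$($r.GroupId)").ToLowerInvariant())
        [void]$seenUsers.Add($r.UserPrincipalName.ToLowerInvariant())
    }
    foreach ($r in $GroupSideRows) {
        [void]$groupSide.Add(("$($r.UserPrincipalName)|$($r.GroupId)").ToLowerInvariant())
    }
    # Memberships the group side knows about but the user report lacks.
    foreach ($k in $groupSide) {
        if (-not $userSide.Contains($k)) {
            $upn, $gid = $k.Split('|')
            [pscustomobject]@{ Finding = 'MissingFromUserReport'; UserPrincipalName = $upn; GroupId = $gid }
        }
    }
    # Memberships in the user report that the group side does not confirm.
    foreach ($k in $userSide) {
        if (-not $groupSide.Contains($k)) {
            $upn, $gid = $k.Split('|')
            [pscustomobject]@{ Finding = 'MissingFromGroupListing'; UserPrincipalName = $upn; GroupId = $gid }
        }
    }
    # Users absent from the report: either zero groups or a collection failure.
    foreach ($u in $AllUserUpns) {
        if (-not $seenUsers.Contains($u.ToLowerInvariant())) {
            [pscustomobject]@{ Finding = 'UserHasNoRows'; UserPrincipalName = $u; GroupId = $null }
        }
    }
}

# Constructed sample data (not from a real tenant).
$userSide = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; GroupId = 'g-sec-01' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   GroupId = 'g-sec-01' }
)
$groupSide = $userSide + [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; GroupId = 'g-dl-03' }
$allUpns = 'alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example'
Compare-MembershipReport -UserSideRows $userSide -GroupSideRows $groupSide -AllUserUpns $allUpns | Format-Table
```

With the sample data the check reports bob's g-dl-03 membership as missing from the user-side report and carol as a user with no rows.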

