
Get-MgUserMemberOf – List Group Memberships of Azure AD User PowerShell

Have you been using the Microsoft.Graph.Users PowerShell module and wondered how to use the Get-MgUserMemberOf cmdlet? This cmdlet lists the groups and directory roles to which an Azure AD user belongs.

In other words, you use the Get-MgUserMemberOf command to display a list of all the group memberships of an Azure AD user. 

Unfortunately, running the Get-MgUserMemberOf command returns the group IDs and a blank DeletedDateTime property with no additional information. This guide shows how to use the Get-MgUserMemberOf command to produce helpful information. 

However, you must first install the Microsoft.Graph.Users PowerShell module. Then, use the Connect-MgGraph command to authenticate to your Azure AD.

So, we first show you how to install the required module and then how to authenticate to your Azure AD.

Install the Microsoft.Graph.Users PowerShell Module

The steps below guide you to install and import the Microsoft.Graph.Users PowerShell module you require to run the Get-MgUserMemberOf command. 

1. Open a PowerShell Session with Permission to run Downloaded Modules

By default, PowerShell sets the Execution Policy to prevent users from running scripts they download online. So, to work around this limitation, you must open PowerShell with an Execution Policy that allows you to run downloaded scripts.

1. Search “powershell” (without the quotes). Then, on the Windows PowerShell app options pane, click “Run as Administrator.”

Your device prompts you to authorize the app to make changes – click Yes.

2. Next, open another PowerShell session with permission to run scripts you download from the internet by running this command.

    powershell.exe -ExecutionPolicy "RemoteSigned"

2. Install and Import Microsoft.Graph.Users PowerShell Module

Run this next command to install the Microsoft.Graph.Users PowerShell module. Then, execute the next two commands beneath it to import the module and confirm it has been imported, respectively.

    Install-Module Microsoft.Graph.Users

    Import-Module Microsoft.Graph.Users

    Get-Module Microsoft.Graph.Users

For your reference, here is a screenshot of the four commands.

Determine Scope and Sign in to Azure AD from Microsoft Graph

Now that you have installed and imported the Microsoft.Graph.Users PowerShell Module on your PC, your next step is to determine the scope you need, then sign in to Azure AD with the scope. To do that, run the Connect-MgGraph command and specify the “scope” of the required permission. 

Microsoft uses permission scopes to protect the APIs in Microsoft Graph. So, before users can access a specific API, they must consent to one of the scopes that API accepts.

Therefore, your first job is to determine the scope you require to accomplish the tasks you need to perform in Azure AD via Microsoft Graph. 

For this example, we need to list users to get the user ID required to run Get-MgUserMemberOf.

In the next subsection, there is further information to determine the permission scope you need to run the Connect-MgGraph command.

How to Determine the Permission Scope You Require

In this section’s introduction, I mentioned that you need a particular permission scope to perform the tasks specific to running the Get-MgUserMemberOf command. What I haven’t said is that you also need to run the Get-MgUser command to get the user’s ObjectID, which you require to run the Get-MgUserMemberOf command.

This means that you need to determine the permission scopes to run two commands in Azure AD – Get-MgUser and Get-MgUserMemberOf. To perform this task, you need the Find-MgGraphCommand command.

To determine the permission scopes you require for these commands, execute the two commands below:

    Find-MgGraphCommand -Command Get-MgUser | Select-Object -First 1 -ExpandProperty Permissions

    Find-MgGraphCommand -Command Get-MgUserMemberOf | Select-Object -First 1 -ExpandProperty Permissions

The first command lists the permission scopes you need to run Get-MgUser, while the second command lists the scopes you require for Get-MgUserMemberOf. To learn more, read Using Find-MgGraphCommand.

The screenshot below shows the results of the two commands. Beneath the screenshots, I explain how to interpret and use the results. 

The Find-MgGraphCommand command above returns four columns – Name, IsAdmin, Description, and FullDescription.

The Name column lists the permission scopes you require, while the IsAdmin column specifies whether the scope needs admin consent. Furthermore, the Description and FullDescription columns explain what the permission scope means.

In the updated screenshot below, I have highlighted the permission scopes we require to run the Get-MgUser and Get-MgUserMemberOf commands, based on the Description column.

Specifically, to run the Get-MgUser command, you require the “User.Read.All” permission scope. This permission scope lets you “Read all users’ full profiles.”

Similarly, the Get-MgUserMemberOf command requires the “GroupMember.Read.All” permission scope. This permission scope lets you “Read group memberships.”

In the following subsection, you use these permission scopes to execute the Connect-MgGraph command and sign in to Azure AD.


Sign in to Azure AD with Connect-MgGraph with Relevant Permission Scopes

Execute the command below to sign in to Azure AD with the required scopes. When you paste the command into your PowerShell console and press Enter, PowerShell prompts you to sign in.

You must sign in with an administrator account and consent to grant Microsoft Graph PowerShell access to the specified scopes.

    Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All"

In the first screen of the sign-in prompt, enter an Azure AD or Office 365 email address with admin privileges and click Next.

Then, enter the password and click Sign in.

Finally, review the Microsoft Graph PowerShell permission request, check “Consent on behalf of your organization”, and click Accept. If all goes well, you should sign in successfully, and the PowerShell prompt should return.

Before you proceed to the next section of this article, confirm the scopes available in your PowerShell session by running the Get-MgContext command.

    Get-MgContext | Select-Object -ExpandProperty Scopes

According to the screenshot below, my current PowerShell session has the required scopes – highlighted. 
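To turn the manual Get-MgContext check above into something a script can rely on, here is an added example (not from this article) that connects with exactly the two scopes identified earlier, fails fast if consent did not grant them, and cross-checks each cmdlet against the scopes the session actually holds. The function names Assert-GraphScopes and Confirm-CommandPermitted are my own; Connect-MgGraph, Get-MgContext and Find-MgGraphCommand are the real cmdlets used on this page.

```powershell
# Added example, not code from the article: connect with only the scopes the
# walkthrough needs and refuse to continue if the session did not get them.
$RequiredScopes = @('User.Read.All', 'GroupMember.Read.All')

function Assert-GraphScopes {
    param([Parameter(Mandatory)][string[]]$Required)
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected to Microsoft Graph. Run Connect-MgGraph first.' }
    # Compare-Object is case-insensitive by default; '<=' marks required
    # scopes that are absent from the granted set (declined or partial consent).
    $missing = Compare-Object -ReferenceObject $Required -DifferenceObject @($ctx.Scopes) |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject
    if ($missing) {
        throw "Session is missing scopes: $($missing -join ', ')"
    }
    [pscustomobject]@{
        Account  = $ctx.Account
        TenantId = $ctx.TenantId
        Scopes   = $ctx.Scopes
    }
}

function Confirm-CommandPermitted {
    # Cross-check: does each cmdlet accept at least one scope the session holds?
    # Reads the Permissions list the same way the article does.
    param([string[]]$Command, [string[]]$Granted)
    foreach ($cmd in $Command) {
        $accepted = Find-MgGraphCommand -Command $cmd |
            Select-Object -First 1 -ExpandProperty Permissions |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Command   = $cmd
            Permitted = [bool]($accepted | Where-Object { $Granted -contains $_ })
            Accepts   = ($accepted -join ', ')
        }
    }
}

Connect-MgGraph -Scopes $RequiredScopes
$session = Assert-GraphScopes -Required $RequiredScopes
Confirm-CommandPermitted -Command 'Get-MgUser', 'Get-MgUserMemberOf' -Granted $session.Scopes |
    Format-Table -AutoSize
```

If the session was created with broader scopes than $RequiredScopes (for example by an earlier Connect-MgGraph), Assert-GraphScopes still passes; it only guards against missing rights, not surplus ones.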

Run Get-MgUserMemberOf Command to Return a User's Group Memberships

I already hinted that you need to run the Get-MgUser command before running the Get-MgUserMemberOf command. This is because you need the user’s UserID in the Get-MgUserMemberOf command. 

So, you use the Get-MgUser command to get that information. 

How to Get UserID with the Get-MgUser Command

When you run Get-MgUser without any parameters, PowerShell returns all users with the following properties: Id, DisplayName, Mail, and UserPrincipalName.

    Get-MgUser

Copy the Id of the user whose memberships you want to get.

If you know the UPN of a user, you could return just that user by modifying the command as shown below.

    # -All pages through every user; without it only the first page of results
    # is searched, so the Where-Object filter could silently miss the user.
    Get-MgUser -All | Where-Object {$_.UserPrincipalName -eq "user@domainname.com"}

Get a User's Group Membership with the User's UserID

In my introduction to this article, I mentioned that if you run the Get-MgUserMemberOf command, by default it returns the group IDs and a blank DeletedDateTime property with no additional information. To see this command in action, copy it to your PowerShell console and execute it by pressing the Enter key.

    Get-MgUserMemberOf -UserId "user ID from the last command"

Before you execute the command, replace “user ID from the last command” with the user’s Id you copied from the Get-MgUser command. Here is the result of the command for a user in my Azure AD environment. 

There is no surprise here, as we expected this as the result of the command. So, how do we get the Get-MgUserMemberOf command to return other helpful information, like the names of the groups?

This requires a bit of coding, and I created a script that gets the command to return the names and IDs of the groups to which a user belongs. Here is the entire script. If it looks confusing, do not panic, as I explain the script in the subsequent subsection.

    $groups = Get-MgUserMemberOf -UserId "user ID from the last command" | Select-Object *
    $groupdata =
    $groups | ForEach-Object {
    $GroupIDs = $_.id
    $otherproperties = $_.AdditionalProperties
    $finalreport = "" | Select-Object -Property "Group Name","Group ID"
    $finalreport.'Group Name' = $otherproperties.displayName
    $finalreport.'Group ID' = $GroupIDs
    $finalreport }
    $groupdata

Get-MgUserMemberOf Script that Returns Helpful Information

Let’s start by explaining line 1 of the script.

    $groups = Get-MgUserMemberOf -UserId "user ID from the last command" | Select-Object *

Unlike the previous version of the command, in this version I pipe the output of Get-MgUserMemberOf to Select-Object. Then, I use the asterisk (*) wildcard to select all properties returned by Get-MgUserMemberOf.

Also, to give me the flexibility to manipulate the objects, I save the result of the command in the $groups variable.

Then, line 2 defines another variable, $groupdata. The assignment (=) operator next to this variable means that PowerShell saves the result of the ForEach-Object statement (lines 3 to 9) in the $groupdata variable.

Finally, to display the information in the variable, I call it in line 10.

Here is the command in line 2:

    $groupdata =

Now, let me explain the ForEach-Object block and how I used it to return the Names and IDs for all the groups the user belongs to. 

Line 3: I pipe the contents of the $groups variable to the ForEach-Object statement.

    $groups | ForEach-Object {

Line 4: extracts the group ID from the pipeline variable, $_, within the ForEach-Object statement. I save this in the $GroupIDs variable.

    $GroupIDs = $_.id

Line 5: The version of Get-MgUserMemberOf without any filtering returns the IDs of the groups and another property called DeletedDateTime. In addition to those two properties, it produces multiple properties inside another property called AdditionalProperties.

I save all these properties in a variable called $otherproperties in line 5.

    $otherproperties = $_.AdditionalProperties

Line 6: creates a variable, $finalreport, that holds the two properties of the groups I want to return in my final result.

    $finalreport = "" | Select-Object -Property "Group Name","Group ID"

Lines 7 and 8: add values to the report headings I defined in line 6. In line 7, I call the displayName property (one of the many properties I saved in the $otherproperties variable).

The displayName property returns the names of the groups that a user belongs to. Similarly, in line 8, I add the group ID saved in the $GroupIDs variable (line 4) to the ‘Group ID’ property of the final report.

    $finalreport.'Group Name' = $otherproperties.displayName
    $finalreport.'Group ID' = $GroupIDs

In line 9, I output the $finalreport object. At this point, the user’s group IDs and names are saved in the $finalreport variable.

    $finalreport }

Finally, in line 10, I return all the information saved in the $groupdata variable (from line 2).

    $groupdata

Once again, here is the final script. The screenshot beneath the script shows the result of this script for a user in my Azure AD. 

The first column shows the names of the user’s group memberships, while the second column shows the group IDs. If you need help using this script, read my next subsection.

    $groups = Get-MgUserMemberOf -UserId "user ID from the last command" | Select-Object *
    $groupdata =
    $groups | ForEach-Object {
    $GroupIDs = $_.id
    $otherproperties = $_.AdditionalProperties
    $finalreport = "" | Select-Object -Property "Group Name","Group ID"
    $finalreport.'Group Name' = $otherproperties.displayName
    $finalreport.'Group ID' = $GroupIDs
    $finalreport }
    $groupdata
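The script above labels every returned object as a “Group”, but Get-MgUserMemberOf also returns directory roles, and it only returns the first page of results. Here is an added example (my own code, not the article’s script) that packages the same report as a function: it resolves a UPN or object ID directly, pages through all memberships with -All, and uses the @odata.type value in AdditionalProperties to tell groups, directory roles and administrative units apart. The function name Get-UserMembershipReport is hypothetical; the cmdlets and property names are real.

```powershell
# Added example, not the article's script: the same group report as a reusable
# function that distinguishes directory roles from groups and pages all results.
function Get-UserMembershipReport {
    param(
        # Object ID or UPN; Get-MgUser -UserId accepts either form.
        [Parameter(Mandatory)][string]$UserId
    )
    $user = Get-MgUser -UserId $UserId -ErrorAction Stop
    # -All follows the @odata.nextLink pages. Without it only the first page
    # comes back, so a user in many groups would be under-reported.
    Get-MgUserMemberOf -UserId $user.Id -All | ForEach-Object {
        $props = $_.AdditionalProperties
        # The directoryObject type tells groups and directory roles apart;
        # a role membership is the line a reviewer most wants to see.
        $type = switch ($props['@odata.type']) {
            '#microsoft.graph.group'              { 'Group' }
            '#microsoft.graph.directoryRole'      { 'DirectoryRole' }
            '#microsoft.graph.administrativeUnit' { 'AdministrativeUnit' }
            default                               { $props['@odata.type'] }
        }
        [pscustomobject]@{
            User            = $user.UserPrincipalName
            Type            = $type
            Name            = $props['displayName']
            Id              = $_.Id
            SecurityEnabled = $props['securityEnabled']   # $null for non-group objects
        }
    }
}

# Usage (constructed UPN): sort by Type so directory roles are grouped together.
Get-UserMembershipReport -UserId 'user@domainname.com' |
    Sort-Object Type, Name |
    Format-Table -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table when you want to keep the report, and run it under the same "User.Read.All" and "GroupMember.Read.All" scopes established earlier.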

How to Use the Custom Get-MgUserMemberOf Script

To use my custom Get-MgUserMemberOf script, follow the steps below:

1. Open PowerShell ISE as administrator. Then, follow the steps in this guide to sign in to Azure AD from PowerShell ISE. 

2. Next, get the ID of the user you want to return its group memberships. 

3. Finally, enter the user ID in line 1 of my script, select the whole script code, and choose “Run Selected (F8)”. 

Another way to run this script is to save it with the .ps1 extension. Then, from the PowerShell console you used to sign in to Azure AD, navigate to the folder where you saved the script and call the script as shown below:

    & '.\Get-MgUserMemberOf example.ps1'

The last command returns the same result as when I executed the script from PowerShell ISE. 

Sign Microsoft Graph PowerShell out from Azure AD

When you finish working on Azure AD via Microsoft Graph PowerShell, it is best practice to sign out. To sign out, run the Disconnect-MgGraph command.

    Disconnect-MgGraph

The command disconnects you, then displays some information about the session you just disconnected. 

Get-MgUserMemberOf – List Group Memberships of Azure AD User PowerShell Conclusion

It took some steps to run the Get-MgUserMemberOf command! But by following this guide, you’ll realize that the steps are pretty straightforward.

Talking about the steps, it was as easy as installing the Microsoft.Graph.Users PowerShell module, determining the permission scopes you require, and signing in to Azure AD.

That is it! Hopefully, we made your day with this guide. 


Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
