How to identify groups with disabled users in Microsoft Entra ID?
In Microsoft Entra ID (formerly Azure Active Directory), effective group management is an integral part of a comprehensive user life cycle management strategy. Groups are used to assign and manage access to resources, applications, and services.
An employee's life cycle comprises many stages, from onboarding through role changes to eventual offboarding. One of these stages is disabling the account before it is permanently removed from the organization. Disabled users remain members of the groups they were assigned to unless they are removed explicitly.
Why do we need to identify groups with disabled users in Entra ID?
Administrators need to identify disabled users in groups to keep access control and resource management secure. Disabled users who are still members of active groups pose a security risk because they retain access to sensitive resources, and they complicate group management. When attackers gain unauthorized access to admin accounts, they can exploit the properties of disabled users within privileged groups. This access allows them to impersonate disabled users and steal data, often without leaving any trace that leads back to the attacker.
By regularly identifying and removing these users, administrators can maintain accurate access permissions and ensure that only active, authorized individuals have the appropriate rights within the organization.
Identifying groups with disabled users using Microsoft Entra ID and M365 Manager Plus
Administrators have to work with complex PowerShell scripts to identify groups with disabled users because the native Microsoft Entra admin center offers no way to view this data directly. This approach is not user-friendly, and to make matters more complicated, administrators have to sift through heaps of unfiltered data manually.
ManageEngine M365 Manager Plus is a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. This can be used to identify groups with disabled users in Microsoft Entra ID.
The following compares how to identify groups with disabled users using Microsoft Entra ID and M365 Manager Plus.
Microsoft Entra ID
Steps to identify groups with disabled users in Entra ID using Windows PowerShell
Open PowerShell and execute the following script.
# Requires the AzureAD PowerShell module (now deprecated; the Microsoft Graph PowerShell SDK is the supported replacement).
Connect-AzureAD

# -All $true pages through every result; without it only the first page of users is returned and disabled users beyond it are silently skipped.
Get-AzureADUser -Filter "AccountEnabled eq false" -All $true | ForEach-Object {
    $user = $_
    # Membership also returns directory roles; keep only groups.
    $groupNames = (Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' } |
        ForEach-Object { $_.DisplayName }) -join ', '
    Write-Host "User: $($user.DisplayName)"
    Write-Host "Groups: $groupNames"
    Write-Host ""
}
M365 Manager Plus
Steps to identify groups with disabled users in Entra ID using M365 Manager Plus
- Log in to M365 Manager Plus and navigate to the Reports tab > Azure Active Directory > Group Reports > Member Based Reports > Groups with Disabled Users.
- Select the Microsoft 365 Tenant and click Generate Now to generate the list of groups with disabled users.
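The native script above lists the groups of each disabled user. The heading asks the inverse question, which groups still contain disabled users, so the script below pivots the data the other way round and flags groups that are role-assignable (the privileged groups the earlier section warns about). This is an added example written for this page; it is not code from ManageEngine or from the page's original steps. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users and Microsoft.Graph.Groups) is installed and that the signed-in account can consent to the read-only scopes named in the Connect-MgGraph call; the property and variable names are this example's own.

```powershell
# Added example (not from the page or ManageEngine): report groups that still contain
# disabled users, using the supported Microsoft Graph PowerShell SDK rather than the
# deprecated AzureAD module. Assumed scopes: read users, read group membership, read groups.
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'Group.Read.All' -NoWelcome

# -All pages through every result; without it only the first page is returned.
$disabledUsers = Get-MgUser -Filter 'accountEnabled eq false' -All `
    -Property Id, DisplayName, UserPrincipalName

# Pivot from "user -> groups" to "group -> disabled members".
$groupsWithDisabled = @{}
foreach ($user in $disabledUsers) {
    # memberOf returns groups *and* directory roles; keep only groups.
    Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object {
            $groupId = $_.Id
            if (-not $groupsWithDisabled.ContainsKey($groupId)) {
                # One extra lookup per group to learn whether it can hold Entra role assignments.
                $group = Get-MgGroup -GroupId $groupId -Property Id, DisplayName, IsAssignableToRole
                $groupsWithDisabled[$groupId] = [pscustomobject]@{
                    GroupId        = $groupId
                    GroupName      = $group.DisplayName
                    RoleAssignable = [bool]$group.IsAssignableToRole
                    DisabledUsers  = [System.Collections.Generic.List[string]]::new()
                }
            }
            $groupsWithDisabled[$groupId].DisabledUsers.Add($user.UserPrincipalName)
        }
}

# One row per group; role-assignable groups sort first because they matter most.
$report = $groupsWithDisabled.Values |
    Sort-Object @{ Expression = 'RoleAssignable'; Descending = $true }, GroupName |
    Select-Object GroupName, GroupId, RoleAssignable,
        @{ Name = 'DisabledCount'; Expression = { $_.DisabledUsers.Count } },
        @{ Name = 'DisabledUsers'; Expression = { $_.DisabledUsers -join '; ' } }

$report | Format-Table -AutoSize
```

The report is built from structured objects rather than Write-Host strings, so it can be filtered further (for example, only rows where RoleAssignable is true) or passed on to other cmdlets before it is displayed.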
Limitations of using native tools to identify groups with disabled users in Entra ID
- Admins need to spend a lot of time executing complex PowerShell scripts.
- Administrators must be assigned at least the Reports Reader role to fetch results using this PowerShell script.
- Reports generated using PowerShell cannot be exported.
- Reports cannot be filtered, which can get exhausting as the admin has to sift through heaps of unfiltered data manually.
Benefits of using M365 Manager Plus to identify groups with disabled users in Entra ID
- Effortlessly identify groups with disabled users without the need to memorize or execute complex PowerShell scripts.
- Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
- Export the generated reports to CSV, PDF, XLSX, and HTML formats.
- Granular filtering options in the reports help you find the data you need without wasting valuable business hours.
- Gain a thorough understanding of your environment in Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.
- Keep tabs on even the most granular user activities in your Microsoft 365 environment.
- Manage users, mailboxes, groups, sites, and contacts effortlessly in bulk without PowerShell scripting.
- Monitor the health and performance of Microsoft 365 features and endpoints around the clock.
- Effortlessly schedule and export reports on your Microsoft 365 environment.
Streamline your Microsoft 365 governance and administration with M365 Manager Plus