In Microsoft Entra ID (formerly Azure Active Directory), effective group management is an integral part of a comprehensive user life cycle management strategy. Groups are used to assign and manage access to resources, applications, and services.
An employee's life cycle comprises many stages, from onboarding through role changes to eventual offboarding. One of these stages is having the account disabled before it is permanently removed from the organization. A disabled user remains a member of every group it was assigned to unless it is explicitly removed.
Administrators need to identify the disabled users in groups to ensure that access control and resource management remain secure. Disabled users who are still part of active groups pose a security risk by retaining access to sensitive resources, and they complicate group management. When attackers gain unauthorized access to admin accounts, they can exploit the properties of disabled users within privileged groups. This access allows them to impersonate disabled users and steal data, often without leaving any trace that leads back to the attacker.
By regularly identifying and removing these users, administrators can maintain accurate access permissions and ensure that only active, authorized individuals have the appropriate rights within the organization.
Administrators have to rely on complex PowerShell scripts to identify groups with disabled users, because the native Entra ID admin center offers no way to view this data directly. This approach is not user-friendly, and to make matters worse, administrators then have to sift through heaps of unfiltered output manually.
ManageEngine M365 Manager Plus is a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. This can be used to identify groups with disabled users in Microsoft Entra ID.
The following comparison shows how to identify groups with disabled users using native Microsoft Entra ID tooling versus M365 Manager Plus.
Open PowerShell and execute the following script.
# Sign in to the tenant with the AzureAD module.
Connect-AzureAD
# List every disabled account together with the directory objects it is still a member of.
# -All $true is needed on both cmdlets; without it only the first page of results is returned.
Get-AzureADUser -All $true -Filter "AccountEnabled eq false" | ForEach-Object {
    $user = $_
    $groupNames = (Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        ForEach-Object { $_.DisplayName }) -join ', '
    Write-Host "User: $($user.DisplayName)"
    Write-Host "Groups: $groupNames"
    Write-Host ""
}
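As an added example that is not part of the original page or the vendor's product, the same check written against Microsoft Graph PowerShell (the supported successor to the retired AzureAD module), pivoted so that the output is per group rather than per user and so that role-assignable groups stand out. It assumes the Microsoft.Graph module is installed and that the CSV path is a placeholder.

```powershell
# Added example, not from the original page. Read-only Graph scopes are enough.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "GroupMember.Read.All" -NoWelcome

# Start from the disabled accounts (usually far fewer than groups),
# then pivot their memberships into a per-group view.
$disabledUsers = Get-MgUser -Filter "accountEnabled eq false" -All `
    -Property Id, DisplayName, UserPrincipalName

$byGroup = @{}   # group id -> list of disabled member UPNs
foreach ($user in $disabledUsers) {
    # Direct memberships only; use Get-MgUserTransitiveMemberOfAsGroup instead
    # to also catch membership inherited through nested groups.
    $groups = Get-MgUserMemberOfAsGroup -UserId $user.Id -All
    foreach ($g in $groups) {
        if (-not $byGroup.ContainsKey($g.Id)) {
            $byGroup[$g.Id] = [System.Collections.Generic.List[string]]::new()
        }
        $byGroup[$g.Id].Add($user.UserPrincipalName)
    }
}

$report = foreach ($groupId in $byGroup.Keys) {
    # Fetch IsAssignableToRole so privileged (role-assignable) groups are flagged.
    $group = Get-MgGroup -GroupId $groupId -Property Id, DisplayName, IsAssignableToRole
    [pscustomobject]@{
        GroupName           = $group.DisplayName
        GroupId             = $group.Id
        RoleAssignable      = [bool]$group.IsAssignableToRole
        DisabledMemberCount = $byGroup[$groupId].Count
        DisabledMembers     = ($byGroup[$groupId] -join '; ')
    }
}

# Privileged groups first, then the groups carrying the most stale members.
$report | Sort-Object -Property @{Expression = 'RoleAssignable'; Descending = $true },
                                @{Expression = 'DisabledMemberCount'; Descending = $true } |
    Format-Table -AutoSize

# Keep an exportable record for the cleanup review (placeholder path).
if ($report) {
    $report | Export-Csv -Path ".\groups-with-disabled-users.csv" -NoTypeInformation
}
```

Groups that appear with RoleAssignable set to True deserve the first look, since a stale member there still carries the group's directory roles.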