How to identify groups with disabled users in Microsoft Entra ID?

In Microsoft Entra ID (formerly Azure Active Directory), effective group management is an integral part of a comprehensive user life cycle management strategy. Groups are used to assign and manage access to resources, applications, and services.

An employee's life cycle comprises many stages, from onboarding to role changes and eventual offboarding. In one of these stages, the user account is disabled before it is permanently removed from the organization. These disabled users can remain members of the groups they were assigned to if they are not removed properly.

Why do we need to identify groups with disabled users in Entra ID?

Administrators need to identify the disabled users in groups to ensure that access control and resource management remain secure. Disabled users who are still part of active groups can pose security risks by retaining access to sensitive resources, and they complicate group management. When attackers gain unauthorized access to admin accounts, they can exploit the properties of disabled users within privileged groups. This access allows them to impersonate disabled users and steal data, often without leaving any trace that leads back to the attacker.

By regularly identifying and removing these users, administrators can maintain accurate access permissions and ensure that only active, authorized individuals have the appropriate rights within the organization.

Identifying groups with disabled users using Microsoft Entra ID and M365 Manager Plus

Administrators have to work with complex PowerShell scripts to identify groups with disabled users as the native Entra ID Admin Center does not have any method to view this data directly. This approach is not user-friendly, and to make matters more complicated, administrators have to sift through heaps of unfiltered data manually.

ManageEngine M365 Manager Plus is a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments. It can be used to identify groups with disabled users in Microsoft Entra ID.

The following compares how to identify groups with disabled users using Microsoft Entra ID and M365 Manager Plus.

Microsoft Entra ID

Steps to identify groups with disabled users in Entra ID using Windows PowerShell

Open PowerShell and execute the following script.

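# Sign in to the tenant
Connect-AzureAD
# -All $true returns every match instead of only the first page of results
Get-AzureADUser -All $true -Filter "AccountEnabled eq false" | ForEach-Object {
    $user = $_
    # Collect the display names of everything this disabled user is a member of
    $groupNames = (Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        ForEach-Object { $_.DisplayName }) -join ', '
    Write-Host "User: $($user.DisplayName)"
    Write-Host "Groups: $groupNames"
    Write-Host ""
}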
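The script above prints one entry per disabled user, while the question is which groups contain them. The following added example (not part of the original page or of M365 Manager Plus) pivots the same data into one row per group. The function names Get-DisabledMembership and ConvertTo-GroupReport are hypothetical, the sample rows are constructed, and filtering on ObjectType assumes the membership objects returned by the AzureAD module.

```powershell
# Added example: pivot "disabled user -> groups" into "group -> disabled members".
# Get-DisabledMembership and ConvertTo-GroupReport are hypothetical helper names.

function Get-DisabledMembership {
    # Live collection with the AzureAD cmdlets used on this page; run Connect-AzureAD first.
    Get-AzureADUser -All $true -Filter "AccountEnabled eq false" | ForEach-Object {
        $user = $_
        Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
            Where-Object { $_.ObjectType -eq 'Group' } |   # skip directory roles
            ForEach-Object {
                [pscustomobject]@{
                    User    = $user.UserPrincipalName
                    Group   = $_.DisplayName
                    GroupId = $_.ObjectId
                }
            }
    }
}

function ConvertTo-GroupReport {
    # Pivot user->group rows into one row per group, largest disabled count first.
    param([Parameter(ValueFromPipeline = $true)] $Row)
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($Row) }
    end {
        $rows | Group-Object -Property GroupId | ForEach-Object {
            # De-duplicate in case the same user is reported twice for a group
            $users = @($_.Group.User | Sort-Object -Unique)
            [pscustomobject]@{
                Group           = $_.Group[0].Group
                GroupId         = $_.Name
                DisabledCount   = $users.Count
                DisabledMembers = $users -join '; '
            }
        } | Sort-Object -Property DisabledCount -Descending
    }
}

# Constructed sample rows (not real tenant data) so the pivot runs without a connection.
$sample = @(
    [pscustomobject]@{ User = 'a.lee@contoso.example';  Group = 'Finance-Approvers'; GroupId = 'g-0001' }
    [pscustomobject]@{ User = 'b.khan@contoso.example'; Group = 'Finance-Approvers'; GroupId = 'g-0001' }
    [pscustomobject]@{ User = 'a.lee@contoso.example';  Group = 'VPN-Users';         GroupId = 'g-0002' }
)
$sample | ConvertTo-GroupReport | Format-Table -AutoSize

# Against a tenant: Connect-AzureAD; Get-DisabledMembership | ConvertTo-GroupReport
```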

M365 Manager Plus

Steps to identify groups with disabled users in Entra ID using M365 Manager Plus

  1. Log in to M365 Manager Plus and navigate to the Reports tab > Azure Active Directory > Group Reports > Member Based Reports > Groups with Disabled Users.
  2. Select the Microsoft 365 Tenant and click Generate Now to generate the list of groups with disabled users.
    The Groups with Disabled Users report with the Generate Now button in the top-left of the report.

Limitations of using native tools to identify groups with disabled users in Entra ID

  • Admins need to spend a lot of time executing complex PowerShell scripts.
  • Administrators must be assigned at least the Reports Reader role to fetch results using this PowerShell script.
  • Reports generated using PowerShell cannot be exported.
  • Reports cannot be filtered, which can get exhausting as the admin has to sift through heaps of unfiltered data manually.

Benefits of using M365 Manager Plus to identify groups with disabled users in Entra ID

Effortlessly schedule and export reports on your Microsoft 365 environment.
