M365 Glossary

Get-MgGroupMemberAsUser

What is Get-MgGroupMemberAsUser?

Get-MgGroupMemberAsUser is a Microsoft Graph PowerShell cmdlet used to retrieve only user objects that are direct members of a Microsoft 365 group, security group, or mail-enabled security group.

Unlike Get-MgGroupMember, which returns all directory object types (users, devices, service principals, contacts, nested groups), this cmdlet filters the output to return only users.

This makes it especially useful when you need clean, user-only membership data without additional filtering.

🚀 Community Edition Released!

Try the M365Corner Microsoft 365 Reporting Tool — your DIY pack with 20+ out-of-the-box M365 reports for Users, Groups, and Teams.

📥 Get it on GitHub ℹ️ Know More

Why Use Get-MgGroupMemberAsUser?

In many administrative scenarios, you only care about user accounts — not devices or service principals.

Common Scenarios

Exporting group members for audits
Validating license assignments
Reviewing security group membership
Preparing access review reports
Troubleshooting permission issues
Cleaning up privileged groups

Using Get-MgGroupMemberAsUser:

✔ Eliminates non-user objects automatically
✔ Simplifies reporting scripts
✔ Reduces post-processing filtering
✔ Improves script readability

For reporting-heavy environments, this cmdlet saves time and improves script clarity.

Prerequisites

Before running this cmdlet:

Microsoft Graph PowerShell SDK installed
Connected to Microsoft Graph
Required API permissions granted

Required API Permissions

Delegated Permissions

Group.Read.All
Directory.Read.All

Application Permissions (For automation)

Group.Read.All
Directory.Read.All

⚠️ Admin consent is required for Directory-level permissions.

Install Microsoft Graph (If Needed)

Install-Module Microsoft.Graph -Scope CurrentUser

Connect to Microsoft Graph

Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All"

How to use Get-MgGroupMemberAsUser?

Syntax

Get-MgGroupMemberAsUser -GroupId  <String>

Parameter Explanation

Parameter	Description
-GroupId	The Object ID of the group

The GroupId must be the GUID, not the display name.

Get-MgGroupMemberAsUser Examples

Example 1: Passing GroupId when requested by the console

Get-MgGroupMemberAsUser

When run without parameters, the cmdlet prompts you to enter the GroupId.

After providing it, the cmdlet returns only the user objects that are direct members of the group.

Example 2: Passing GroupId directly

Get-MgGroupMemberAsUser -GroupID efba43ca-ff99-4f70-b2c5-a97e9dbb75d2

This command retrieves all direct user members of the specified group, excluding:

Devices
Service principals
Contacts
Nested groups

Useful For

Security audits
License validation
Conditional access review
Privileged group inspection

Example 3: Exporting the results to CSV

Get-MgGroupMemberAsUser -GroupID efba43ca-ff99-4f70-b2c5-a97e9dbb75d2 | Export-CSV D:/AbnormalSecurityGroup.csv -NoTypeInformation

This exports the list of user members to a CSV file.

Why Export?

Share membership list with management
Submit for compliance review
Compare historical membership
Feed into automation workflows

Important Notes

Returns only direct user members (not transitive members).
Nested group members are not expanded.
GroupId must be a valid GUID.
Works for Microsoft 365 groups and security groups.
Use -All parameter if handling large groups (pagination scenarios).

Example with pagination:

Get-MgGroupMemberAsUser -GroupId efba43ca-ff99-4f70-b2c5-a97e9dbb75d2 -All

Did You Know? Managing Microsoft 365 applications is even easier with automation. Try our Graph PowerShell scripts to automate tasks like generating reports, cleaning up inactive Teams, or assigning licenses efficiently.

Ready to get the most out of Microsoft 365 tools? Explore our free Microsoft 365 administration tools to simplify your administrative tasks and boost productivity.