Fetch Security Groups Using Graph PowerShell

When managing users and resources in Microsoft 365, it's essential for administrators to have quick access to information about security groups—especially those that are mail-enabled. Microsoft Graph PowerShell offers an efficient way to retrieve these groups using filters.

This article provides two ready-to-use scripts:

  • One to fetch all security-enabled groups.
  • Another to fetch only mail-enabled security groups.

Both scripts connect to Microsoft Graph and retrieve the relevant group information using precise filter logic.


i) The Script

Script for Fetching Only Security Groups

# Ensure the Microsoft Graph PowerShell module is installed
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect to Microsoft Graph with the read-only scope needed for groups
Connect-MgGraph -Scopes "Group.Read.All"

# Fetch only security-enabled groups
# (without -All, Get-MgGroup returns only the first page of results)
$securityGroups = Get-MgGroup -Filter "securityEnabled eq true" -Property Id,DisplayName,MailEnabled,SecurityEnabled

# Display the results in console
$securityGroups | Select-Object Id, DisplayName, MailEnabled, SecurityEnabled | Format-Table -AutoSize

Script for Fetching Only Mail-Enabled Security Groups

# Ensure the Microsoft Graph PowerShell module is installed
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect to Microsoft Graph with the read-only scope needed for groups
Connect-MgGraph -Scopes "Group.Read.All"

# Fetch mail-enabled security groups only
# (without -All, Get-MgGroup returns only the first page of results)
$mailSecurityGroups = Get-MgGroup -Filter "mailEnabled eq true and securityEnabled eq true" -Property Id,DisplayName,MailEnabled,SecurityEnabled

# Display the results in console
$mailSecurityGroups | Select-Object Id, DisplayName, MailEnabled, SecurityEnabled | Format-Table -AutoSize

ii) How the Script Works

Both scripts leverage the Get-MgGroup cmdlet from the Microsoft Graph PowerShell SDK to filter groups based on specific properties:

  • securityEnabled eq true: Returns groups used for security purposes, such as assigning permissions.
  • mailEnabled eq true and securityEnabled eq true: Narrows the result to groups that support both mail functionalities and security, known as mail-enabled security groups.

The -Property parameter is used to limit the response to relevant fields: Id, DisplayName, MailEnabled, and SecurityEnabled. The output is then formatted neatly using Format-Table.


iii) Further Enhancing the Script

You can expand these scripts further to meet complex administrative needs:

  • Export the results to CSV:
      $securityGroups | Select-Object Id, DisplayName, MailEnabled, SecurityEnabled | Export-Csv "SecurityGroups.csv" -NoTypeInformation
  • Add pagination for large tenants:
      $groups = Get-MgGroup -All -Filter "securityEnabled eq true"
  • Include additional group properties: if needed, fetch GroupTypes, CreatedDateTime, or Visibility by updating the -Property parameter accordingly.
  • Filter by display name (e.g., starts with “HR”):
      Get-MgGroup -Filter "startswith(DisplayName,'HR') and securityEnabled eq true"


iv) Possible Errors & Solutions

| Error Message | Cause | Solution |
| --- | --- | --- |
| Insufficient privileges to complete the operation | The signed-in user lacks the Group.Read.All permission. | Connect using Connect-MgGraph -Scopes "Group.Read.All". Admin consent may be required. |
| Unknown function ‘startswith’ in filter clause | You're using unsupported functions without the correct consistency level. | Use -ConsistencyLevel eventual along with your query. |
| Invalid filter clause | Filter conditions are improperly written (e.g., missing quotes or wrong syntax). | Ensure correct syntax like "mailEnabled eq true and securityEnabled eq true". |

Conclusion

Retrieving Microsoft 365 security groups via Graph PowerShell simplifies group management and auditing. Whether you're listing all security groups or narrowing down to mail-enabled ones, these scripts offer reliable, extensible starting points.

With added enhancements like CSV export or display name filtering, you can customize these commands to suit your organization's structure and policies.

💡 Consider scheduling these scripts as part of regular compliance or permission audits to keep your M365 environment secure and well-organized.
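
For the scheduled audits suggested above, a CSV export becomes most useful when each run is compared with the previous one. The following is an added example, not part of the original article: the function name Compare-SecurityGroupSnapshot and the sample rows are constructed, and it reports security groups that were added, removed, or had MailEnabled changed between two snapshots.

```powershell
# Added example (not from the original article). The function name and the
# sample rows below are constructed for illustration.
function Compare-SecurityGroupSnapshot {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Baseline,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current
    )
    # Index the earlier snapshot by group Id; display names can be renamed or reused
    $old = @{}
    foreach ($g in $Baseline) { $old[[string]$g.Id] = $g }
    $seen = @{}
    foreach ($g in $Current) {
        $id = [string]$g.Id
        $seen[$id] = $true
        # Import-Csv yields strings and Get-MgGroup yields booleans, so compare as strings
        if (-not $old.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added'; Id = $id; DisplayName = $g.DisplayName
                               Detail = "MailEnabled=$($g.MailEnabled)" }
        }
        elseif ([string]$g.MailEnabled -ne [string]$old[$id].MailEnabled) {
            [pscustomobject]@{ Change = 'MailEnabledChanged'; Id = $id; DisplayName = $g.DisplayName
                               Detail = "$($old[$id].MailEnabled) -> $($g.MailEnabled)" }
        }
    }
    # Anything in the baseline that was not seen in the current run has been deleted
    foreach ($g in $Baseline) {
        if (-not $seen.ContainsKey([string]$g.Id)) {
            [pscustomobject]@{ Change = 'Removed'; Id = [string]$g.Id; DisplayName = $g.DisplayName
                               Detail = '' }
        }
    }
}

# Constructed sample data: an earlier export (as Import-Csv would return it) and a current result
$baseline = @'
Id,DisplayName,MailEnabled,SecurityEnabled
11111111-0000-0000-0000-000000000001,HR-Payroll,False,True
11111111-0000-0000-0000-000000000002,Finance-Approvers,False,True
11111111-0000-0000-0000-000000000003,Legacy-VPN,False,True
'@ | ConvertFrom-Csv
$current = @(
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000001'; DisplayName = 'HR-Payroll'; MailEnabled = $false }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000002'; DisplayName = 'Finance-Approvers'; MailEnabled = $true }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000004'; DisplayName = 'Tier0-Admins'; MailEnabled = $false }
)
Compare-SecurityGroupSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

In a real run, pass @(Import-Csv "SecurityGroups.csv") as -Baseline and the output of Get-MgGroup -All -Filter "securityEnabled eq true" -Property Id,DisplayName,MailEnabled,SecurityEnabled as -Current, then export the new result over the old file.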



© m365corner.com. All Rights Reserved. Design by HTML Codex