Using Get-MgGroup with Remove-MgGroup: Managing Microsoft 365 Groups

Managing Microsoft 365 Groups effectively is a key responsibility for administrators to ensure a well-organized and secure collaboration environment. Pairing Get-MgGroup and Remove-MgGroup allows administrators to identify groups and delete them when they are no longer needed. This article demonstrates how to use these cmdlets together to streamline group management.

The Get-MgGroup cmdlet retrieves details about groups in Microsoft Entra ID (Azure AD), such as displayName, mail, and groupTypes. The Remove-MgGroup cmdlet enables administrators to delete groups, freeing up resources and maintaining an organized directory. Combining these cmdlets ensures that only relevant groups remain active, enhancing tenant efficiency and security.

Usage Example: Identifying and Removing a Group


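# Step 1: Retrieve the group's details
$groupName = "Project Alpha Team"  # Replace with the group's display name
$escapedName = $groupName.Replace("'", "''")  # Escape single quotes for the OData filter

try {
    # -ErrorAction Stop ensures a failed lookup reaches the catch block
    $matches = @(Get-MgGroup -Filter "displayName eq '$escapedName'" -ErrorAction Stop)
} catch {
    Write-Error "Failed to retrieve group details: $_"
    return  # Do not continue to the delete step without a verified group
}

if ($matches.Count -eq 0) {
    Write-Error "Group not found."
    return
}
if ($matches.Count -gt 1) {
    # Display names are not unique; refuse to guess which group to delete
    Write-Error "More than one group is named '$groupName'. Delete by Group ID instead."
    return
}

$group = $matches[0]
Write-Output "Group Found:"
Write-Output "Group Name: $($group.DisplayName)"
Write-Output "Group ID: $($group.Id)"
Write-Output "Group Mail: $($group.Mail)"
Write-Output "Group Type: $($group.GroupTypes -join ', ')"

# Step 2: Remove the group
try {
    Remove-MgGroup -GroupId $group.Id -ErrorAction Stop
    Write-Output "Group '$($group.DisplayName)' has been removed successfully."
} catch {
    Write-Error "Failed to remove group: $_"
}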
                            

Cmdlet Tips

  • Verify Group Details Before Deletion: Use Get-MgGroup to verify the group's details before deleting it, ensuring you don't accidentally remove the wrong group.
  • Filter Groups for Precision: Use the -Filter parameter with Get-MgGroup to locate specific groups based on properties like displayName, groupTypes, or mail:
    Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified') and startswith(displayName, 'Project')"
  • Soft Delete Behavior: By default, Remove-MgGroup soft-deletes the group. It can be restored within 30 days using Restore-MgDeletedGroup:
    Restore-MgDeletedGroup -GroupId "deleted-group-id"
  • Hard Delete: To permanently delete a group, soft-delete it first, then purge it using Remove-MgDeletedGroup:
    Remove-MgDeletedGroup -GroupId "deleted-group-id"
  • Bulk Deletion: To delete multiple groups, loop through a list of group IDs or use filters:
    # Retrieve all Microsoft 365 (Unified) groups, then match the name suffix client-side
    $groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All |
        Where-Object { $_.DisplayName -like '*Team' }
    foreach ($group in $groups) {
        # Remove-MgGroup has no -Force parameter; it does not prompt by default
        Remove-MgGroup -GroupId $group.Id
    }
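
The verification and bulk-deletion tips above, combined into one guarded routine. This is an added example, not code from the original article: the function name Remove-M365GroupByPrefix, its parameters, the cap and delay values, and the CSV path are hypothetical, and it assumes a session already connected with Group.ReadWrite.All.

```powershell
# Added example (hypothetical helper, not from the original article).
# Assumes Connect-MgGraph has already run with the Group.ReadWrite.All scope.
function Remove-M365GroupByPrefix {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string] $NamePrefix,   # e.g. 'Project'
        [Parameter(Mandatory)][string] $AuditPath,    # CSV record of the targets
        [int] $MaxGroups = 25,                        # cap on groups per run
        [int] $DelayMs   = 500                        # spacing between deletions
    )

    # Double any single quote so the prefix cannot break out of the OData string literal.
    $safe    = $NamePrefix.Replace("'", "''")
    $filter  = "groupTypes/any(c:c eq 'Unified') and startswith(displayName, '$safe')"
    $query   = @{ Filter = $filter; All = $true; Property = 'id', 'displayName', 'mail', 'groupTypes'; ErrorAction = 'Stop' }
    $targets = @(Get-MgGroup @query)

    if ($targets.Count -eq 0) { Write-Warning "No groups match prefix '$NamePrefix'."; return }
    if ($targets.Count -gt $MaxGroups) {
        throw "Filter matched $($targets.Count) groups, above the cap of $MaxGroups. Narrow the prefix."
    }

    # Record the object IDs before deleting anything; the file is written even under -WhatIf.
    $targets |
        Select-Object Id, DisplayName, Mail, @{ n = 'GroupTypes'; e = { $_.GroupTypes -join ';' } } |
        Export-Csv -Path $AuditPath -NoTypeInformation -WhatIf:$false -Confirm:$false

    foreach ($g in $targets) {
        $result = [pscustomobject]@{ Id = $g.Id; DisplayName = $g.DisplayName; Status = 'Skipped' }
        if ($PSCmdlet.ShouldProcess("$($g.DisplayName) [$($g.Id)]", 'Soft-delete group')) {
            try {
                Remove-MgGroup -GroupId $g.Id -Confirm:$false -ErrorAction Stop
                $result.Status = 'Deleted'
            } catch {
                $result.Status = "Failed: $($_.Exception.Message)"
            }
            Start-Sleep -Milliseconds $DelayMs   # pause between requests to reduce throttling
        }
        $result   # one status object per group, for review or export
    }
}

# Dry run: writes the audit CSV and reports each group as 'Skipped' without deleting.
Remove-M365GroupByPrefix -NamePrefix 'Project' -AuditPath .\groups-to-delete.csv -WhatIf
```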

Use Cases

  1. Cleaning Up Obsolete Groups: Identify and remove groups that are no longer in use, such as project-specific Teams after project completion.
  2. Auditing and Optimization: Regularly audit the directory to find and delete unused or duplicate groups, ensuring a clean and efficient tenant.
  3. Responding to Security Incidents: Quickly remove groups that may have been created improperly or pose a security risk.
  4. Compliance with Policies: Enforce naming conventions and group types by identifying and removing groups that do not comply with organizational policies.
  5. Bulk Group Cleanup: Handle large-scale directory updates during tenant migrations, mergers, or restructuring by identifying and removing unnecessary groups.

Possible Errors & Solutions

| Error Message | Cause | Solution |
|---|---|---|
| Group Not Found | Group name or ID is incorrect or doesn’t exist | Verify the group's details using Get-MgGroup |
| Access Denied | Insufficient permissions | Assign Group.ReadWrite.All or Directory.ReadWrite.All permissions. |
| Cannot Delete Group in Use | Group is still active or has dependencies | Ensure no active resources are associated with the group before deletion. |
| Too Many Requests | API throttling due to bulk operations | Implement a delay between requests or use batching for large operations. |
| Cannot Hard Delete | Attempt to permanently delete without soft-deleting first | Use Remove-MgGroup, then Remove-MgDeletedGroup to purge. |

Conclusion

Pairing Get-MgGroup and Remove-MgGroup offers administrators a streamlined way to manage Microsoft 365 Groups. Whether cleaning up obsolete groups, enforcing compliance, or responding to security incidents, these cmdlets provide a powerful solution for maintaining a well-organized and secure directory.

By incorporating these tools into your workflows, you can enhance collaboration, improve directory hygiene, and ensure that your tenant remains efficient and secure.
