How to use Get-MgGroupMember in Powershell

Managing group memberships in Microsoft 365 is an important task for IT admins, especially in large organizations where access control is a priority.

The Get-MgGroupMember cmdlet in Microsoft Graph PowerShell makes it easy to pull a list of all direct members of a group, whether they’re users, devices, or service principals.

In this guide, we’ll walk you through using Get-MgGroupMember step by step, from installation to exporting results, so you can streamline your workflow and keep your groups organized!

What Is the Get-MgGroupMember PowerShell Command?

Get-MgGroupMember is a Microsoft Graph PowerShell cmdlet that retrieves the direct members of a specified Microsoft 365 group.

These members can include users, devices, service principals, organizational contacts, or even other groups. However, it doesn’t return nested or transitive members—only those directly assigned to the group.

Here’s the syntax of Get-MgGroupMember:

What Are the Uses of the Get-MgGroupMember Cmdlet?

Let’s take a look at three use cases for Get-MgGroupMember:

1. Auditing Group Membership: Keeping track of who has access to specific groups is essential for security and compliance. With Get-MgGroupMember, you can quickly retrieve a list of all direct members of a group, including users, devices, and service principals. This simplifies reviewing permissions, detecting unauthorized access, and maintaining accurate records of group membership over time.
2. Automating User Management: Managing group memberships manually can be time-consuming, especially in large organizations. By using this cmdlet in PowerShell scripts, you can automate tasks such as monitoring group changes, removing inactive users, or synchronizing memberships with external databases.
3. Security and Compliance Checks: Organizations must regularly review group memberships to comply with security policies and industry regulations. Get-MgGroupMember can be used to generate reports on group access, helping IT teams identify potential risks, enforce least-privilege access, and ensure compliance with internal policies or external standards.

Prerequisites to Run The Get-MgGroupMember Command in PowerShell

Before using the Get-MgGroupMember cmdlet, ensure you meet the following requirements:

• Microsoft Graph PowerShell Module: You need to have the Microsoft.Graph module installed and imported into your PowerShell session.
• App-Only Permissions: This cmdlet does not support delegated permissions for user accounts. You must use an application with the required Microsoft Graph API permissions.
• Required Permissions: Your app must be granted one of the following permissions: GroupMember.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Group.Read.All or Directory.Read.All.
• Authentication: As usual, you need to authenticate using Connect-MgGraph before running the cmdlet. Ensure your app has the correct permissions and that you use the appropriate tenant and scopes.
• Group ID Requirement: To retrieve members, you need the unique identifier (GroupId) of the Microsoft 365 group you want to query. You can find it using Get-MgGroup.

How to Use Get-MgGroupMember PowerShell Cmdlet in Just 5 Steps

Now, let’s go through five quick steps to start using this command immediately:

1. Install the Microsoft Graph PowerShell Module

Before running the cmdlet, ensure you have the Microsoft Graph PowerShell module installed, as mentioned above. This module replaces the older Azure AD module and provides access to Microsoft 365 services.

If you haven’t installed it yet, open PowerShell as an administrator and run:

If the module is already installed, update it to the latest version using:

2. Connect to Microsoft Graph

Once the module is installed, you need to authenticate and establish a session with Microsoft Graph. Since Get-MgGroupMember supports only application-level permissions, you'll need the correct API scopes. Run the following command to sign in:

If your organization requires admin consent for certain permissions, you may need to request approval before proceeding.

3. Find the Group ID

To retrieve group members, you need the unique identifier (GroupId) of the Microsoft 365 group. If you don’t already have it, you can find it using the following command:

Replace 'Your Group Name' with the actual name of your group. This will return the group's ID, which you'll use in the next step.

4. Get the Members of the Group by Running the Command

Now that you have the Group ID, you can retrieve its members using Get-MgGroupMember. Run:

This command will list all direct members of the group, including users, devices, service principals, and other groups. However, it does not return nested group members—only those directly assigned to the group.

If you want to see specific details, such as user names and emails, you can modify the command like this:

5. Export the Results for Reporting

If you're auditing group memberships, you may want to save the results for further analysis. You can export the data to a CSV file using:

This creates a CSV file with the list of group members, which you can open in Excel or share with your team.

Wrapping Up: Using Get-MgGroupMember Efficiently in PowerShell and Microsoft Graph

As you can see, the Get-MgGroupMember cmdlet is a simple yet essential tool for managing group memberships in Microsoft 365. Here’s a quick recap of what we covered:

• Retrieving Group Members – With a single command, you can list all direct members of a Microsoft 365 group, including users, devices, and service principals.
• Exporting and Managing Data – You can refine results using filters and export them to CSV for audits, reports or further analysis.
• Troubleshooting Issues – If the cmdlet isn’t returning results, check that you have the correct permissions, an active Graph session and the right Group ID.