Users Not in Any Groups in Microsoft 365: Risks and Management Guide


Users not part of any groups in Microsoft 365 face significant security and operational risks. These users bypass critical group-based policies such as Multi-Factor Authentication (MFA) enforcement via Conditional Access (CA), license assignments, and other security configurations.

Why This Matters:

  • Security Risks: Without MFA enforcement, accounts are more vulnerable to breaches.
  • License Management Issues: Manual license assignment becomes cumbersome.
  • Policy Gaps: Missing out on group-based security and compliance policies.

AdminDroid’s guide to identifying and managing these users:

Find and Manage Users with No Group Memberships in Microsoft 365

You Should Know:

  1. PowerShell Commands to Find Users Not in Any Groups

    # Connect to Azure AD
    Connect-AzureAD

    # Get all users
    $AllUsers = Get-AzureADUser -All $true

    # Find users with no group memberships
    $UsersNoGroups = @()
    foreach ($User in $AllUsers) {
        # Get-AzureADUserMembership returns directory roles as well as groups,
        # so keep only objects of type Group before counting
        $Groups = @(Get-AzureADUserMembership -ObjectId $User.ObjectId -All $true |
            Where-Object { $_.ObjectType -eq 'Group' })
        if ($Groups.Count -eq 0) {
            $UsersNoGroups += $User
        }
    }

    # Export to CSV
    $UsersNoGroups | Select-Object DisplayName, UserPrincipalName | Export-Csv -Path "Users_No_Groups.csv" -NoTypeInformation


  2. Automate Group Assignment with PowerShell

    # Assign a user to a security group
    Add-AzureADGroupMember -ObjectId "<GroupObjectID>" -RefObjectId "<UserObjectID>"
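The two steps above (find the ungrouped users, then put them into a group) as one audit-and-remediate script. This is an added example, not code from the AdminDroid or Undercode post. It uses the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module) instead of the AzureAD module used above, which Microsoft has deprecated; it assumes the module is installed and that the signed-in account can consent to the listed scopes. `<BaselineGroupObjectID>` is a placeholder for the group that carries your Conditional Access and licensing assignments, and `Get-UngroupedUsers` is a helper defined here.

```powershell
# Added example (not from the post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "User.Read.All", "GroupMember.ReadWrite.All" -NoWelcome

# Placeholder: the group whose membership drives MFA enforcement and licensing.
$BaselineGroupId = "<BaselineGroupObjectID>"

function Get-UngroupedUsers {
    # Only enabled accounts are in scope; guests are reported separately because
    # they usually have their own Conditional Access treatment.
    $Users = Get-MgUser -All -Filter "accountEnabled eq true" `
        -Property Id, DisplayName, UserPrincipalName, UserType

    foreach ($User in $Users) {
        # Get-MgUserMemberOf returns groups *and* directory roles; a user whose only
        # membership is a role is still ungrouped for policy purposes, so keep groups only.
        $Groups = @(Get-MgUserMemberOf -UserId $User.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })

        if ($Groups.Count -eq 0) {
            [pscustomobject]@{
                Id                = $User.Id
                DisplayName       = $User.DisplayName
                UserPrincipalName = $User.UserPrincipalName
                UserType          = $User.UserType
            }
        }
    }
}

$Ungrouped = @(Get-UngroupedUsers)
$Ungrouped | Export-Csv -Path "Users_No_Groups.csv" -NoTypeInformation
Write-Host ("{0} enabled accounts are not in any group" -f $Ungrouped.Count)

# Remediation: add the ungrouped member accounts to the baseline group.
# -WhatIf shows what would change; remove it once the CSV has been reviewed.
foreach ($User in ($Ungrouped | Where-Object UserType -eq 'Member')) {
    New-MgGroupMember -GroupId $BaselineGroupId -DirectoryObjectId $User.Id -WhatIf
}
```

Running this on a schedule (for example as a scheduled task under a service principal with the same scopes) turns the one-off audit in the post into the regular check it recommends; the CSV from each run is the evidence that no enabled account sits outside the group-based policies.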
  3. Enforce MFA via Conditional Access (Azure Portal Steps)

    1. Go to Azure AD > Security > Conditional Access.
    2. Create a new policy targeting All Users (excluding emergency accounts).
    3. Under Access Controls, enable Require MFA.
    4. Enable the policy.
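The same policy as the four portal steps, created with the Microsoft Graph PowerShell SDK. This is an added example, not part of the post; it assumes the `Microsoft.Graph` module is installed, and the `<BreakGlassUserObjectID-n>` values are placeholders for your emergency-access accounts. It goes one step further than the portal steps by creating the policy in report-only mode first and checking that the break-glass exclusions are present before anyone switches it to enabled.

```powershell
# Added example (not from the post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Placeholders: object IDs of the emergency-access (break-glass) accounts.
$BreakGlassAccounts = @("<BreakGlassUserObjectID-1>", "<BreakGlassUserObjectID-2>")

# Request body for the policy; property names follow the Graph conditionalAccessPolicy resource.
$Policy = @{
    displayName   = "Require MFA for all users"
    # Report-only: sign-in logs show who the policy would affect without blocking anyone.
    # Change to "enabled" only after reviewing those results (portal step 4).
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")                  # portal step 2: target All Users ...
            excludeUsers = $BreakGlassAccounts       # ... excluding emergency accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{                               # portal step 3: Require MFA
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
Write-Host ("Created policy {0} (state: {1})" -f $Created.Id, $Created.State)

# Guard rail: confirm every break-glass account is excluded before the policy is enforced.
$Check   = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Created.Id
$Missing = $BreakGlassAccounts | Where-Object { $_ -notin $Check.Conditions.Users.ExcludeUsers }
if ($Missing) {
    Write-Warning ("Break-glass accounts not excluded, do not enable: {0}" -f ($Missing -join ', '))
}
```

Because the policy targets All Users rather than a group, the ungrouped accounts from the previous section are covered as soon as it is enabled; the group-based approach still matters for licensing and for any policy scoped more narrowly than this one.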

  4. Linux Alternative: Check Azure AD via CLI

    # Install Azure CLI
    sudo apt install azure-cli

    # Login
    az login

    # List users without groups (using jq for JSON parsing).
    # `az ad user list` does not return the memberOf property, so each user's
    # group membership is looked up separately with `az ad user get-member-groups`.
    az ad user list --query "[].userPrincipalName" -o tsv | while read -r upn; do
        count=$(az ad user get-member-groups --id "$upn" --query "length(@)" -o tsv)
        if [ "$count" -eq 0 ]; then
            az ad user show --id "$upn" --query "{Name:displayName,UPN:userPrincipalName}" -o json | jq
        fi
    done

What Undercode Says:

Managing users outside of groups in Microsoft 365 introduces unnecessary risks. Automated group policies streamline security (MFA, licensing) and reduce administrative overhead. Use PowerShell or Azure CLI to audit and remediate ungrouped users. For large enterprises, consider scripting regular audits to ensure compliance.

Key Commands Recap:

  • PowerShell: `Get-AzureADUser`, `Get-AzureADUserMembership`, `Add-AzureADGroupMember`
  • Azure CLI: `az ad user list`, `az ad user get-member-groups`, `az login`
  • Conditional Access: Enforce MFA via Azure Portal policies.

Expected Output:

A structured report (Users_No_Groups.csv) listing users without group memberships, ready for remediation.

References:

Reported By: Jake Admindroid – Hackers Feeds