SharePoint Online: Find All Active Directory Security Groups in a Site Collection

Requirement: Get All AD Security Groups in a SharePoint Online Site.

PowerShell to Find All AD Groups in SharePoint Online:

In many organizations, Active Directory groups are used to manage access and permissions for SharePoint Online sites and content. Often, new groups are created as needed, and old groups may go unused or even forgotten. So, you may want to find all the AD groups in your SharePoint Online tenancy and determine their membership for troubleshooting or auditing purposes. Fortunately, this task can be easily accomplished using PowerShell. This blog post will show you how to use PowerShell to find all the AD groups in your SharePoint Online tenancy.

Here is the PowerShell to get all Active Directory domain groups from a SharePoint Online site collection:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
   
#Set Variables for Site URL
$SiteURL= "https://crescent.sharepoint.com/sites/marketing/"
$ADGroupCollection= @()
 
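#Setup Credentials to connect (SharePointOnlineCredentials uses legacy authentication and does not work with MFA-enabled accounts)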
$Cred = Get-Credential
 
Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
 
    #Get all Users
    $Users=$Ctx.Web.SiteUsers
    $Ctx.Load($Users)
    $Ctx.ExecuteQuery()
 
    #Filter AD Groups from Users collection
    $ADGroups  = $Users | Where {$_.PrincipalType -eq "SecurityGroup"}

    #Get Each AD Group details
    Foreach($Group in $ADGroups)
    {
        #Get SharePoint Groups of the AD Group
        $Ctx.Load($Group.Groups)
        $Ctx.ExecuteQuery()
        $GroupNames = $Group.Groups | Select -ExpandProperty Title

        #Build the result object for this AD group
        $ADGroup = new-object psobject
        $ADGroup | add-member noteproperty -name "AD Group Name" -value $Group.Title
        $ADGroup | add-member noteproperty -name "SP Group Membership" -value ($GroupNames -join "; ")
        #Add to Array
        $ADGroupCollection+=$ADGroup 
    }
    #Get the results
    $ADGroupCollection
}
Catch {
    write-host -f Red "Error getting AD Groups:" $_.Exception.Message
}

Get AD Groups in a Site Collection using SharePoint Online Management Shell:

This time, let’s retrieve AD security groups with the help of the SharePoint Online management shell.

#Set Config Variables
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$ADGroupCollection= @()

#Connect to SharePoint Online
Connect-SPOService -URL $AdminCenterURL

#Get All AD Security Groups from the site collection
$ADGroups = Get-SPOUser -Site $SiteUrl -Limit All | Where { $_.IsGroup -and $_.DisplayName -ne "Everyone" -and $_.DisplayName -ne "Everyone except external users" }
 
#Iterate through each AD Group
Foreach($Group in $ADGroups)
{
        #Send Data to an object array
        $ADGroup = new-object psobject
        $ADGroup | add-member noteproperty -name "Group Name" -value $Group.DisplayName
        $ADGroup | add-member noteproperty -name "SharePoint Groups" -value ($Group.Groups -join ",")
        #Add to Array
        $ADGroupCollection+=$ADGroup          
}
#Get the Data
$ADGroupCollection

Make sure you have the SharePoint Online Management Shell installed on your client machine before executing the script.

Export Active Directory Groups of All Site Collections using PowerShell:

Now, let’s modify the above script a bit to extract AD groups from all site collections in the tenant and export them to a CSV report.

#Set Config Variables
$AdminCenterURL = "https://crescent-admin.sharepoint.com"
$ADGroupCollection= @()
$ReportPath ="C:\Temp\ADGroups.csv"

#Connect to SharePoint Online
Connect-SPOService -URL $AdminCenterURL

#Get All Site Collections from the tenant
$Sites  = Get-SPOSite -Limit ALL

#Iterate through each site collection
ForEach($Site in $Sites)
{
    Write-host "Processing Site Collection:"$Site.URL -f Yellow

    #Get All AD Groups / Office 365 Groups from the site collection
    $ADGroups = Get-SPOUser -Site $Site.Url -Limit All | Where { $_.IsGroup -and $_.DisplayName -Notin ("Everyone","Everyone except external users", "Company Administrator", "SharePoint Service Administrator","All Users `(windows`)") }
 
    #Iterate through each AD Group
    Foreach($Group in $ADGroups)
    {
            #Send Data to an object array
            $ADGroup = new-object psobject
            $ADGroup | add-member noteproperty -name "Site Name" -value $Site.Title
            $ADGroup | add-member noteproperty -name "URL" -value $Site.URL
            $ADGroup | add-member noteproperty -name "Group Name" -value $Group.DisplayName
            $ADGroup | add-member noteproperty -name "SharePoint Groups" -value ($Group.Groups -join ",")
            #Add to Array
            $ADGroupCollection+=$ADGroup          
    }
}
#Export Data to CSV
$ADGroupCollection
$ADGroupCollection | export-csv $ReportPath -notypeinformation
Write-host "SharePoint Online Domain Groups data exported to a CSV file at:"$ReportPath -ForegroundColor Cyan

Make sure you have permissions to all site collections; otherwise, you may get the error: “Access denied. You do not have permission to perform this action or access this resource.”


Can I search for a specific AD group on all sites? Sure, just change line #18 of the script above (the line that assigns $ADGroups) to:

$ADGroups = Get-SPOUser -Site $Site.Url -Limit All | Where { $_.IsGroup -and $_.DisplayName -ne "Everyone" -and $_.DisplayName -ne "Everyone except external users" -and $_.DisplayName -like '*ADSecurityGroupName*' }

PnP PowerShell to Find All Active Directory Groups and Office 365 Groups in SharePoint Online

Here is the PnP PowerShell script version to extract all AD Groups, including Office 365 groups in SharePoint Online sites.

#Parameters
$AdminCenterUrl = "https://Crescent-admin.sharepoint.com"
$CSVPath = 'c:\Temp\ADGroupsInSPO.csv'

#Connect to SharePoint admin center
Connect-PnPOnline -Url $AdminCenterUrl -Interactive

#Get all SharePoint sites
$Sites = Get-PnPTenantSite
$Report = @()

#Loop through each site
ForEach ($Site in $Sites)
{
    Try {
        Write-host "Processing Site:"$Site.URL -f Yellow
        Connect-PnPOnline -Url $Site.Url -Interactive
        $ADGroups = Get-PnPUser | Where { $_.PrincipalType -eq "SecurityGroup" -and $_.Title -Notin ("Everyone","Everyone except external users", "Company Administrator", "SharePoint Service Administrator","All Users `(windows`)") }

        ForEach ($Group in $ADGroups)
        {
            $Report += New-Object PSCustomObject -Property @{
                SiteURL    = $Site.URL
                GroupName  = $Group.Title
                LoginName  = $Group.LoginName
                GroupEmail = $Group.Email
            }
        }        
    }
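    Catch {
        #Report the failure so that skipped sites are visible in the audit output
        Write-host -f Red "Error processing site:" $Site.URL $_.Exception.Message
        continue;
    }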
}

$Report
 
#Generate a CSV file from the data
$Report | Export-Csv $CSVPath -NoTypeInformation
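
The scripts above exclude built-in principals by display name, so the audit depends on titles being unique. The following added example (not part of the original post) classifies each principal by the claim prefix in the LoginName column that the PnP script already collects, using constructed sample rows. The function name Get-SpoPrincipalKind and the prefix-to-type table are assumptions to verify against your own tenant.

```powershell
# Added example: classify SharePoint Online principals by the claim encoded
# in LoginName rather than by display name.
# ASSUMPTION: the prefix table reflects commonly seen SPO claim encodings;
# confirm it against the LoginName values in your own tenant.
function Get-SpoPrincipalKind {
    param([Parameter(Mandatory)][string]$LoginName)

    # Ordered so the most specific patterns are tested first.
    $Rules = [ordered]@{
        '^c:0\(\.s\|true$'                            = 'Everyone'
        '^c:0-\.f\|rolemanager\|spo-grid-all-users/'  = 'EveryoneExceptExternal'
        '^c:0!\.s\|windows$'                          = 'AllUsersWindows'
        '^c:0-\.f\|rolemanager\|s-1-5-21-'            = 'DirectoryRole'
        '^c:0o\.c\|federateddirectoryclaimprovider\|' = 'Microsoft365Group'
        '^c:0t\.c\|tenant\|'                          = 'SecurityGroup'
    }
    foreach ($Pattern in $Rules.Keys) {
        if ($LoginName -match $Pattern) { return $Rules[$Pattern] }
    }
    return 'Unknown'   # Unrecognized claims stay in the report for manual review
}

# Constructed sample rows shaped like Get-PnPUser output; GUIDs are placeholders.
$Sample = @(
    [pscustomobject]@{ Title     = 'Everyone'
                       LoginName = 'c:0(.s|true' }
    [pscustomobject]@{ Title     = 'Everyone except external users'
                       LoginName = 'c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ Title     = 'Marketing Editors'
                       LoginName = 'c:0t.c|tenant|00000000-0000-0000-0000-000000000002' }
    [pscustomobject]@{ Title     = 'Company Administrator'
                       LoginName = 'c:0t.c|tenant|00000000-0000-0000-0000-000000000003' }
    [pscustomobject]@{ Title     = 'Marketing Members'
                       LoginName = 'c:0o.c|federateddirectoryclaimprovider|00000000-0000-0000-0000-000000000004' }
)

# Tag every row, then report everything that is not a built-in principal.
$Builtin = 'Everyone', 'EveryoneExceptExternal', 'AllUsersWindows', 'DirectoryRole'
$Tagged = $Sample | Select-Object Title, LoginName,
    @{ Name = 'Kind'; Expression = { Get-SpoPrincipalKind -LoginName $_.LoginName } }
$Tagged | Where-Object { $_.Kind -notin $Builtin } | Format-Table Title, Kind -AutoSize
```

The fourth sample row is a security group whose title matches a built-in name: a display-name filter would leave it out of the report, while the claim-based check lists it as SecurityGroup.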

In summary, by using PowerShell scripts, administrators can find all Active Directory security groups associated with a SharePoint Online site collection. This information can be used for auditing purposes, to revoke access for a group of users, or for other administrative tasks. Finding all Active Directory security groups in a SharePoint Online site collection is an essential task for administrators who want to maintain the security and integrity of their SharePoint environment.

Salaudeen Rajack


5 thoughts on “SharePoint Online: Find All Active Directory Security Groups in a Site Collection”

  • Thanks for the great script! Do you know how you would handle the script if you are being throttled by Microsoft with a 429 error? “the remote server returned a 429 error” Also is there a way to exclude planners?

    Thank you!

  • Is it possible to identify which subsite the group is used on?

  • Hi Salaudeen! This is a great script, but I was wondering if it is possible to add a couple of components…
    1. Is there a way to filter out certain site templates, like GROUP#0, APPCATALOG#0, etc? I’ve tried a few filters on Get-SPOSite, but I’m just not getting it right.
    2. For the output, how would you add the site template? I tried adding another noteproperty for $Site.Template, but it’s not displaying in the csv.

    Thank you!

    • You can exclude certain site templates as:
      #Get All Site Collections from the tenant – Excluding Certain site templates
      $Sites = Get-SPOSite -Limit ALL | Where {$_.Template -notin ("GROUP#0","APPCATALOG#0")}

      $Site.Template gets you the template of the site collection – Make sure you have the latest SharePoint Online PowerShell Module installed.
