Get-EntraGroup

Module:

Microsoft.Entra.Groups Module v1.3

Gets a group.

Get-EntraGroup

 [-Top <Int32>]
 [-All]
 [-Filter <String>]
 [-Property <String[]>]
 [-HasErrorsOnly]
 [-HasLicenseErrorsOnly]
 [<CommonParameters>]

Get-EntraGroup

 [-SearchString <String>]
 [-All]
 [-Property <String[]>]
 [-HasErrorsOnly]
 [-HasLicenseErrorsOnly]
 [<CommonParameters>]

Get-EntraGroup

 -GroupId <String>
 [-All]
 [-Property <String[]>]
 [<CommonParameters>]

Get-EntraGroup

 -Property <String[]>
 -AppendSelected
 [-GroupId <String>]
 [-Top <Int32>]
 [-All]
 [-Filter <String>]
 [-SearchString <String>]
 [-HasErrorsOnly]
 [-HasLicenseErrorsOnly]
 [<CommonParameters>]

The Get-EntraGroup cmdlet gets a group in Microsoft Entra ID. Specify the ObjectId parameter to get a specific group.

You can filter results to show only groups with issues by using the HasErrorsOnly parameter to find groups with service provisioning errors, or the HasLicenseErrorsOnly parameter to find groups with license assignment errors. These filtering options help administrators identify groups that require attention.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup

DisplayName Id MailNickname Description
----------- -- ------------ -----------
SimpleTestGrp aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb NickName
SimpleGroup bbbbbbbb-1111-2222-3333-cccccccccccc NickName
testGroupInAU10 cccccccc-2222-3333-4444-dddddddddddd testGroupInAU10 testGroupInAU10
My new group dddddddd-3333-4444-5555-eeeeeeeeeeee NotSet New created group
SimpleGroup eeeeeeee-4444-5555-6666-ffffffffffff NickName

This example demonstrates how to get all groups from Microsoft Entra ID.

Connect-Entra -Scopes 'GroupMember.Read.All'
$group = Get-EntraGroup -Filter "DisplayName eq 'Azure Panda'"
Get-EntraGroup -GroupId $group.Id

DisplayName Id MailNickname Description GroupTypes
----------- -- ------------ ----------- ----------
Crimson Eagle pppppppp-4444-0000-8888-yyyyyyyyyyyy crimsoneaglegroup Crimson Eagle Group {Unified}

This example demonstrates how to retrieve specific group by providing ID.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -Filter "groupTypes/any(g:g eq 'Unified')" -Top 4

DisplayName Id MailNickname GroupTypes
----------- -- ------------ ----------
Contoso Group hhhhhhhh-3333-5555-3333-qqqqqqqqqqqq contosogroup {Unified}
Crimson Eagle pppppppp-4444-0000-8888-yyyyyyyyyyyy crimsoneagle {Unified}
Bold Falcon tttttttt-0000-3333-9999-mmmmmmmmmmmm boldfalcon {Unified}
Misty Fox qqqqqqqq-5555-0000-1111-hhhhhhhhhhhh mistyfox {Unified}

This example retrieves Microsoft 365 (Unified) groups. You can use -Limit as an alias for -Top.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -Filter "DisplayName eq 'Azure Panda'"

DisplayName Id MailNickname Description GroupTypes
----------- -- ------------ ----------- ----------
Azure Panda qqqqqqqq-5555-0000-1111-hhhhhhhhhhhh azurepanda Azure Panda {Unified}

In this example, we retrieve group using the Display Name.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -SearchString 'New'

DisplayName Id MailNickname Description GroupTypes
----------- -- ------------ ----------- ----------
New Sparkling Deer bbbbbbbb-5555-5555-0000-qqqqqqqqqqqq newsparklingdeer New Sparkling Deer Group {Unified}
New Golden Fox xxxxxxxx-8888-5555-9999-bbbbbbbbbbbb newgoldenfox New Golden Fox {DynamicMembership}

This example demonstrates how to retrieve groups that include the text new in their display names from Microsoft Entra ID.

Connect-Entra -Scopes 'GroupMember.Read.All'
$allGroups = Get-EntraGroup -All
$groupsWithoutOwners = foreach ($group in $allGroups) {
 $owners = Get-EntraGroupOwner -ObjectId $group.Id
 if ($owners.Count -eq 0) {
 $group
 }
}
$groupsWithoutOwners | Format-Table DisplayName, Id, GroupTypes

DisplayName Id GroupTypes
----------- -- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb {}
HelpDesk admin group eeeeeeee-4444-5555-6666-ffffffffffff {}

This example demonstrates how to retrieve groups without owners. By identifying ownerless groups, IT admins can improve overall governance and operational efficiency.

Connect-Entra -Scopes 'GroupMember.Read.All'
$allGroups = Get-EntraGroup -All
$groupsWithoutMembers = foreach ($group in $allGroups) {
 $members = Get-EntraGroupMember -ObjectId $group.Id
 if ($members.Count -eq 0) {
 $group
 }
}
$groupsWithoutMembers | Format-Table DisplayName, Id, GroupTypes

DisplayName Id GroupTypes
----------- -- ----------
My new group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb {}
HelpDesk admin group eeeeeeee-4444-5555-6666-ffffffffffff {}

This example demonstrates how to retrieve groups without members. By identifying memberless groups, IT admins can identify and clean up unused or obsolete groups that no longer serve a purpose.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -Property Id,DisplayName, SecurityEnabled,Visibility,GroupTypes | Select-Object Id,DisplayName, SecurityEnabled,Visibility,GroupTypes | Format-Table -AutoSize

Id DisplayName SecurityEnabled Visibility GroupTypes
-- ----------- --------------- ---------- ----------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb SimpleGroup False Public {Unified}
eeeeeeee-4444-5555-6666-ffffffffffff My new group False Private {Unified}
bbbbbbbb-5555-5555-0000-qqqqqqqqqqqq HelpDesk admin group True {}

This example demonstrates how to return only a specific property of a group. You can use -Select alias or -Property.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -GroupId 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb' -Property IsSubscribedByMail -AppendSelected | Select-Object Id, DisplayName, MailEnabled, Visibility, IsSubscribedByMail | Format-Table -AutoSize

Id DisplayName MailEnabled Visibility IsSubscribedByMail
-- ----------- --------------- ---------- ----------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb SimpleGroup False Public False

This example demonstrates how to append a selected property to the default properties.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -HasErrorsOnly

DisplayName Id MailNickname Description GroupTypes ServiceProvisioningErrors
----------- -- ------------ ----------- ---------- -------------------------
Problem Group aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb problemgroup Group with errors {Unified} {@{ErrorDetail=...}}
Error Test Group bbbbbbbb-1111-2222-3333-cccccccccccc errortestgroup Another problem group {} {@{ErrorDetail=...}}

This example demonstrates how to retrieve only groups that have service provisioning errors. The HasErrorsOnly parameter filters the results to show only groups with issues that need attention.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -HasLicenseErrorsOnly

DisplayName Id MailNickname Description GroupTypes
----------- -- ------------ ----------- ----------
License Issue Group cccccccc-2222-3333-4444-dddddddddddd licenseissuegroup Group with license errors {Unified}
Failed License Group dddddddd-3333-4444-5555-eeeeeeeeeeee failedlicensegroup License assignment failed {}

This example demonstrates how to retrieve only groups that have members with license errors. This is useful for identifying groups where license assignment has failed and needs administrative attention.

Connect-Entra -Scopes 'GroupMember.Read.All'
Get-EntraGroup -SearchString 'Test' -HasErrorsOnly

DisplayName Id MailNickname Description GroupTypes ServiceProvisioningErrors
----------- -- ------------ ----------- ---------- -------------------------
Test Error Group bbbbbbbb-1111-2222-3333-cccccccccccc testerrorgroup Test group with errors {} {@{ErrorDetail=...}}

This example demonstrates how to combine the search functionality with error filtering to find specific groups that have both a particular name pattern and service provisioning errors.

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.