Managing group memberships in Microsoft 365 is a core part of any modern cloud environment. Groups not only control access to resources, but are also the basis for Teams, SharePoint sites, and other collaborative services. Removing members sounds trivial at first, but the reality is more complex. Different types of groups require different approaches, and the reliance on ownership makes the process error-prone. The aim is to develop a robust methodology that takes into account both the technical rules and the governance requirements.
Why member removal is complex
The complexity comes from the architecture of Microsoft 365. There are three relevant group types: classic security groups, Microsoft 365 groups, and mail-enabled security groups or distribution lists. While security groups are managed directly in Entra ID (formerly Azure AD), mail-enabled groups live in the Exchange Online Directory Store (ExODS). This duality means different cmdlets are needed: Exchange-based groups are handled with Remove-DistributionGroupMember, while Microsoft 365 groups are handled with Remove-MgGroupMemberByRef from the Microsoft Graph PowerShell SDK.
The real challenge, however, lies with Microsoft 365 Groups. Strict rules apply to their ownership structure: a group must never exist without owners. Removing the last owner would leave the group ownerless, a state that neither the admin portal nor the standard cmdlets permit. Therefore, any automation must check whether the user to be removed is an owner and whether other owners remain.
Technical implementation with PowerShell
To make removal safe and efficient, a multi-step approach is required. First the group must be identified, then its list of owners. Only then can the decision be made as to whether the user can be removed. The logic is:
- Identify all owners of the group with Get-MgGroupOwner.
- Check to see if the user is on this list.
- If so, and the user is the only owner, cancel the process.
- If so, and there are other owners, first remove the owner role with Remove-MgGroupOwnerByRef.
- Then remove the membership with Remove-MgGroupMemberByRef.
These steps can be encapsulated in a function that accepts parameters such as user ID, group ID, and display name. This makes the code reusable and clearly structured. The function should include error handling to catch exceptions such as missing permissions or network issues.
An example:

```powershell
function Remove-UserFromM365Group {
    param (
        [Parameter(Mandatory = $true)][string]$UserId,
        [Parameter(Mandatory = $true)][string]$GroupId,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    # Collect the object IDs of all current owners of the group
    $Owners = Get-MgGroupOwner -GroupId $GroupId -All | Select-Object -ExpandProperty Id
    if ($UserId -in $Owners) {
        # A Microsoft 365 group must always keep at least one owner
        if (@($Owners).Count -eq 1) {
            Write-Host "Die Gruppe $GroupName hat nur einen Besitzer – Entfernen nicht möglich." -ForegroundColor Red
            return
        }
        # Drop the owner role first; only then can the membership be removed
        Remove-MgGroupOwnerByRef -DirectoryObjectId $UserId -GroupId $GroupId
    }
    # Finally remove the membership itself
    Remove-MgGroupMemberByRef -DirectoryObjectId $UserId -GroupId $GroupId
}
```

The function is deliberately kept simple to illustrate the principles. In production environments, you should add logging, -ErrorAction handling, and a return value that reports the status. It is also recommended to integrate it into a script that handles multiple groups or completely cleans up a user's memberships.
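The following is an added example, not code from the original article. It ties together two points made above: choosing the right cmdlet for each group type (Graph for Microsoft 365 and classic security groups, Exchange Online for distribution lists and mail-enabled security groups) and the production-oriented extras just mentioned (a status object per group, error handling, a CSV log, and a wrapper that cleans up all of a user's memberships). It assumes an active Connect-MgGraph session with Group.ReadWrite.All and, for the mail-enabled branch, an active Connect-ExchangeOnline session; the function names Remove-UserFromAnyGroup and Remove-UserFromAllGroups are this example's own.

```powershell
# Added example, not from the original article. Assumes an active Connect-MgGraph
# session with Group.ReadWrite.All and, for mail-enabled groups, an active
# Connect-ExchangeOnline session. Function names are this example's own.
function Remove-UserFromAnyGroup {
    param (
        [Parameter(Mandatory = $true)][string]$UserId,
        [Parameter(Mandatory = $true)][string]$GroupId
    )
    $Group = Get-MgGroup -GroupId $GroupId -Property Id,DisplayName,Mail,GroupTypes,MailEnabled,SecurityEnabled
    # One status object per attempt so a calling script can log or filter on it
    $Result = [PSCustomObject]@{
        GroupId   = $Group.Id
        GroupName = $Group.DisplayName
        GroupType = 'Unknown'
        Status    = 'Failed'
        Message   = ''
    }
    try {
        if ($Group.GroupTypes -contains 'DynamicMembership') {
            # Membership is rule-driven; a direct removal would be rejected anyway
            $Result.GroupType = 'Dynamic'
            $Result.Status    = 'Skipped'
            $Result.Message   = 'Membership is managed by a rule, not by direct assignment'
            return $Result
        }
        if ($Group.GroupTypes -contains 'Unified') {
            # Microsoft 365 group: enforce the "never ownerless" rule before touching membership
            $Result.GroupType = 'Microsoft365'
            $Owners = @(Get-MgGroupOwner -GroupId $GroupId -All | Select-Object -ExpandProperty Id)
            if ($UserId -in $Owners) {
                if ($Owners.Count -le 1) {
                    $Result.Status  = 'Skipped'
                    $Result.Message = 'User is the only owner; assign another owner first'
                    return $Result
                }
                Remove-MgGroupOwnerByRef -GroupId $GroupId -DirectoryObjectId $UserId -ErrorAction Stop
            }
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $UserId -ErrorAction Stop
        }
        elseif ($Group.MailEnabled) {
            # Distribution list or mail-enabled security group: lives in ExODS, so use Exchange Online
            $Result.GroupType = if ($Group.SecurityEnabled) { 'MailEnabledSecurity' } else { 'DistributionList' }
            $Upn = (Get-MgUser -UserId $UserId -Property UserPrincipalName).UserPrincipalName
            Remove-DistributionGroupMember -Identity $Group.Mail -Member $Upn -Confirm:$false -ErrorAction Stop
        }
        else {
            # Classic security group: managed directly in Entra ID
            $Result.GroupType = 'Security'
            Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $UserId -ErrorAction Stop
        }
        $Result.Status  = 'Removed'
        $Result.Message = 'Membership removed'
    }
    catch {
        # Missing permissions, throttling and network failures all land here
        $Result.Message = $_.Exception.Message
    }
    return $Result
}

# Remove one user from every group they are a direct member of and log each outcome
function Remove-UserFromAllGroups {
    param (
        [Parameter(Mandatory = $true)][string]$UserId,
        [string]$LogPath = ".\group-removal-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )
    $Groups = Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
    $Results = foreach ($g in $Groups) {
        Remove-UserFromAnyGroup -UserId $UserId -GroupId $g.Id
    }
    if ($Results) {
        $Results | Export-Csv -Path $LogPath -NoTypeInformation
    }
    return $Results
}

# Typical use during offboarding:
# Remove-UserFromAllGroups -UserId '<user object id>' | Format-Table GroupName, GroupType, Status, Message
```

The status object is the important design choice: a 'Skipped' result for a sole owner is not an error, and a downstream process (an offboarding workflow, for instance) can act on it by assigning a new owner and re-running, while 'Failed' entries carry the exception text for troubleshooting.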
Governance and security
The technical implementation is only part of the solution. You need to make sure that the removal of members meets compliance requirements. In environments with Entra ID P1 licenses, ownership governance can automatically assign new owners when a group becomes ownerless. Without this feature, the responsibility lies with you. A script that regularly identifies and reports groups without owners is therefore essential.
In addition, you should check the permissions required to run the cmdlets. The Microsoft Graph SDK requires delegated or application permissions such as Group.ReadWrite.All. These must be granted during app registration or via admin consent. Without these rights, the removal will fail.
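As an added example (not code from the original article), the following script covers both points above: it verifies that the current Graph session actually carries the permissions it needs before doing anything, and it produces the recurring report of ownerless Microsoft 365 groups. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules are installed; the function names Assert-GraphScope and Get-OwnerlessM365Group are this example's own.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph.Authentication
# and Microsoft.Graph.Groups modules are installed; function names are this example's own.
function Assert-GraphScope {
    param ([Parameter(Mandatory = $true)][string[]]$RequiredScopes)
    $Context = Get-MgContext
    if (-not $Context) {
        # No session yet: request exactly the scopes we need (delegated consent prompt)
        Connect-MgGraph -Scopes $RequiredScopes -NoWelcome
        $Context = Get-MgContext
    }
    $Granted = @($Context.Scopes)
    # A ReadWrite scope covers the matching Read scope
    $Missing = $RequiredScopes | Where-Object {
        $_ -notin $Granted -and ($_ -replace '\.Read\.', '.ReadWrite.') -notin $Granted
    }
    if ($Missing) {
        throw "Graph session lacks required permission(s): $($Missing -join ', '). Reconnect with Connect-MgGraph -Scopes or grant admin consent."
    }
}

# Report every Microsoft 365 group that currently has no owner
function Get-OwnerlessM365Group {
    param ([string]$ReportPath)
    Assert-GraphScope -RequiredScopes 'Group.Read.All'
    # Only Microsoft 365 ("Unified") groups are subject to the ownership rule
    $Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All `
        -Property Id,DisplayName,Mail,CreatedDateTime
    $Report = foreach ($g in $Groups) {
        $OwnerCount = @(Get-MgGroupOwner -GroupId $g.Id -All).Count
        if ($OwnerCount -eq 0) {
            [PSCustomObject]@{
                GroupId     = $g.Id
                DisplayName = $g.DisplayName
                Mail        = $g.Mail
                Created     = $g.CreatedDateTime
            }
        }
    }
    if ($ReportPath -and $Report) {
        $Report | Export-Csv -Path $ReportPath -NoTypeInformation
    }
    return $Report
}

# Typical scheduled use (for example from a daily task):
# Get-OwnerlessM365Group -ReportPath ".\ownerless-groups.csv" | Format-Table
```

Failing early on missing scopes is deliberate: a removal script that runs halfway through a user's memberships and then hits an authorization error leaves a harder mess to reconcile than one that refuses to start.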
Conclusion
Removing members from Microsoft 365 Groups is not a simple deletion, but a process that must respect the architecture and governance of the system. Distinguishing between group types, checking the ownership structure, and using the cmdlets correctly are critical to avoiding errors and compliance violations. With a well-structured PowerShell function, you save time, reduce manual errors, and ensure that groups remain functional.
The benefits are clear: automation replaces error-prone manual steps, increases security, and ensures consistency. At the same time, control remains with you, as the scripts are transparent and customizable. If you ignore this process, you risk not only chaos in group management, but also the loss of access rights for critical resources. Investing in a well-thought-out script therefore pays off in many ways – in stability, compliance and efficiency.
Further links
| Source | Topic/Reference | URL |
|---|---|---|
| Microsoft Learn | Microsoft Graph PowerShell SDK | https://learn.microsoft.com/powershell/ |
| Office 365 for IT Pros | Group management and automation | https://office365itpros.com |
| Admin Magazine | PowerShell for Exchange and M365 | https://admin-magazin.de |
| GitHub | Sample Scripts for M365 Groups | https://github.com |

