Counting Microsoft Entra ID (Azure Active Directory) Groups

Groups and Permissions

If you use Microsoft Graph Data Connect for SharePoint, you know that the datasets from SharePoint will give detailed permissions, including which users have access to sites, libraries, folders and files.

However, permissions are frequently granted to Microsoft Entra ID (the new name for Azure Active Directory) groups. To fully understand how many users, or which specific users, have access, you need to fully expand group memberships: you need to know the members of each Active Directory group.

Lucky for us, there are datasets in Microsoft Graph Data Connect to help you. This includes datasets with Group Details, Group Owners and Group Members. In the Oversharing Template provided for Microsoft Graph Data Connect for SharePoint, we include sample code on how to pull these datasets and use them to expand group membership.

Counting Group and Group Members

To get going with Microsoft Graph Data Connect, most tenants want to estimate the size of the datasets required to estimate their Azure bill. For the main SharePoint datasets, I wrote a blog post about that. See Microsoft Graph Data Connect for SharePoint FAQ: How can I estimate my Azure bill?

After reading that post, you might still be wondering about Active Directory groups, which are not explored there. I certainly got a lot of questions about it, so I spent some time on this. I am not an Active Directory specialist, but I will give it a shot.

Azure Portal

A simple way to find the number of Active Directory groups is to go to the Azure Portal and find the “Microsoft Entra ID” service (it no longer shows up as Active Directory). The “Overview” will show you something like this:

The number in the red box shows how many AAD groups (Microsoft Entra ID groups) your tenant has. That would be the number of GroupDetails_v0 objects you should expect from MGDC.

I did not find a mechanism in the Admin Center to estimate the number of MGDC objects you will get from the GroupOwners_v0 and GroupMembers_v0 datasets. I can only say that it will be higher than the number of groups. Each group typically has only a few owners, but the number of group members could vary quite a bit.

PowerShell

Outside the Admin Center UI, there is the option to use PowerShell to get that group data. To do this, open an elevated PowerShell prompt and type these cmdlets:

# Install the AzureAD module from the PowerShell Gallery (prompts to trust the repository)
Install-Module AzureAD
# Sign in to the tenant you want to count
Connect-AzureAD
# Groups: one object per group (-All $true removes the default 100-item limit)
Get-AzureADGroup -All $true -ErrorAction Continue | Select ObjectId | Measure-Object
# Group owners: one object per (group, owner) pair
Get-AzureADGroup -All $true -ErrorAction Continue | Get-AzureADGroupOwner -All $true -ErrorAction Continue | Select ObjectId | Measure-Object
# Group members: one object per (group, member) pair
Get-AzureADGroup -All $true -ErrorAction Continue | Get-AzureADGroupMember -All $true -ErrorAction Continue | Select ObjectId | Measure-Object

The first line installs the Azure AD module from the PowerShell Gallery. It will tell you that the PSGallery is an untrusted repository and will require confirmation.

The second line connects to Azure AD. You will need to provide your user credentials (username and password) for the Microsoft Entra ID domain you will query.

The next three lines give you a count of all the groups, all the group owners and all the group members. You need to specify the “-All” parameter because by default the output is limited to 100 items. The “-ErrorAction” parameter tells PowerShell to continue running if it runs into an error.

Notes:

  • The last two commands could take quite a while to finish in a large tenant and will use a fair amount of memory.
  • The last two commands might fail with an expired token error if it takes too long to run.
  • For these very large tenants, you might need to output the list of groups to a file first, then split the list into multiple smaller lists and feed those to the last two commands.
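The following is an added example, not code from the original post. It produces the same three counts with the Microsoft Graph PowerShell SDK (Microsoft's successor to the AzureAD module, which is deprecated), processing one group at a time so a large tenant never needs a single huge pipeline, requesting only the Group.Read.All permission, and recording any group whose lookup fails so that only those need re-running. It also goes a little beyond the post: it reports distinct member principals alongside membership rows, and how many members are themselves groups, which matters when you later expand memberships for permission reporting. The `$batchSize` value and the `$failedLog` path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): count groups, owners and members with the
# Microsoft Graph PowerShell SDK. Assumes Group.Read.All has been consented for your account.

Install-Module Microsoft.Graph.Groups -Scope CurrentUser   # per-user install, no elevated prompt needed
Connect-MgGraph -Scopes 'Group.Read.All'                   # least privilege: read groups and membership only

$failedLog = "$env:TEMP\failed-groups.txt"                 # assumed path; groups to re-run later
$batchSize = 500                                           # assumed value; progress is printed every $batchSize groups

# GroupDetails_v0 estimate: one object per group
$groups = @(Get-MgGroup -All -Property Id,DisplayName)
$groupCount = $groups.Count

# GroupOwners_v0 / GroupMembers_v0 estimates: one object per (group, principal) pair,
# so a user in ten groups is counted ten times. Distinct principals and nested
# groups are tracked separately because they drive the transitive expansion later.
$ownerRows = 0
$memberRows = 0
$distinctMembers = [System.Collections.Generic.HashSet[string]]::new()
$nestedGroupMembers = 0
$failed = New-Object System.Collections.Generic.List[string]

for ($i = 0; $i -lt $groupCount; $i++) {
    $g = $groups[$i]
    try {
        $ownerRows += @(Get-MgGroupOwner -GroupId $g.Id -All -Property Id).Count

        $members = @(Get-MgGroupMember -GroupId $g.Id -All -Property Id)
        $memberRows += $members.Count
        foreach ($m in $members) {
            [void]$distinctMembers.Add($m.Id)
            # Members are directoryObjects; the OData type tells users from groups, devices, etc.
            if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
                $nestedGroupMembers++
            }
        }
    }
    catch {
        # Record the group and keep going: a throttling or token error should not cost the whole run
        $failed.Add($g.Id)
        Write-Warning "Group $($g.Id) ($($g.DisplayName)): $($_.Exception.Message)"
    }

    if ((($i + 1) % $batchSize) -eq 0 -or ($i + 1) -eq $groupCount) {
        Write-Host "Processed $($i + 1) of $groupCount groups"
    }
}

if ($failed.Count -gt 0) { $failed | Set-Content -Path $failedLog }

[pscustomobject]@{
    Groups             = $groupCount             # expected GroupDetails_v0 objects
    OwnerRows          = $ownerRows              # expected GroupOwners_v0 objects
    MemberRows         = $memberRows             # expected GroupMembers_v0 objects
    DistinctMembers    = $distinctMembers.Count  # unique principals across all groups
    NestedGroupMembers = $nestedGroupMembers     # memberships that point at another group
    FailedGroups       = $failed.Count           # IDs written to $failedLog
}
```

Because each group is queried in its own call, memory stays flat regardless of tenant size, and a failure part-way through leaves you with a list of group IDs to retry rather than an empty result. The OwnerRows and MemberRows values are the ones to use for the MGDC size estimate; DistinctMembers is the number you want when the question is "how many people" rather than "how many rows".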

Conclusion

I hope this helps you find the number of groups in your Microsoft Entra ID. Keep in mind that another option is to actually pull the datasets in Microsoft Graph Data Connect. These are the options I could find, short of resorting to writing code and calling APIs.

If you know a better or simpler way to do it, please share in the comments.
