How to find the owner of an Azure AD group using PowerShell scripts
Azure Active Directory (Azure AD) groups let administrators manage users and their permissions as a unit instead of one account at a time. The owners of an Azure AD group have administrative control over that group and are responsible for its membership, settings, and other configuration. To keep the delegation of administrative tasks under control and limit the exposure to security risks, group owners should be reviewed regularly and their permissions kept to what the role requires. The cmdlet shown below retrieves the owners of an Azure AD group. ADManager Plus, a unified Active Directory, Microsoft 365, Exchange, and Google Workspace management and reporting tool, can also be used for this task.
The following table compares how to find the owners of an Azure AD group using PowerShell scripts and using ADManager Plus.
Azure PowerShell
Steps to find the owners of an Azure AD group using PowerShell scripts:
- Note down the parameters (e.g. -All, -ObjectId, -SearchString, -Filter) that determine which groups are listed.
- Obtain the exact values of the parameters you chose.
- Execute the following PowerShell command to list the owners of the group.
Get-AzureADGroupOwner -ObjectId "<GroupID>" -All $true
where <GroupID> is the ObjectId of the group whose owners are to be listed. In the AzureAD module the -All parameter takes a Boolean, so it must be given as -All $true to return every owner rather than only the first page of results.
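The single-group cmdlet above can be turned into a small owner report that covers every group matching a search string, resolves each owner to a readable identity, and flags groups that have no owner. This is an added example, not code from the original page or from ADManager Plus; it assumes the AzureAD PowerShell module is installed, that Connect-AzureAD has already been run with an account allowed to read groups and users, and uses the constructed search string "Finance" as a stand-in for your own.

```powershell
# Added example: report the owners of all Azure AD groups whose display name
# matches a search string, and flag groups that have no owner at all.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
# (The AzureAD module is deprecated in favour of Microsoft Graph PowerShell,
# whose equivalent cmdlet is Get-MgGroupOwner.)
param(
    [string]$SearchString = "Finance"   # constructed sample value; replace with your own
)

$groups = Get-AzureADGroup -SearchString $SearchString -All $true
if (-not $groups) {
    Write-Warning "No group matching '$SearchString' was found."
    return
}

$report = foreach ($group in $groups) {
    # -All expects a Boolean; without $true only the first page of owners is returned.
    $owners = @(Get-AzureADGroupOwner -ObjectId $group.ObjectId -All $true)

    if ($owners.Count -eq 0) {
        # An ownerless group cannot be self-managed by anyone and is worth reviewing.
        [pscustomobject]@{
            GroupName = $group.DisplayName
            GroupId   = $group.ObjectId
            OwnerName = '<no owner>'
            OwnerUpn  = ''
            OwnerType = ''
            OwnerId   = ''
        }
        continue
    }

    foreach ($owner in $owners) {
        # Owners may be users or service principals; only users carry a UPN.
        [pscustomobject]@{
            GroupName = $group.DisplayName
            GroupId   = $group.ObjectId
            OwnerName = $owner.DisplayName
            OwnerUpn  = if ($owner.ObjectType -eq 'User') { $owner.UserPrincipalName } else { '' }
            OwnerType = $owner.ObjectType
            OwnerId   = $owner.ObjectId
        }
    }
}

$report | Sort-Object GroupName, OwnerName | Format-Table -AutoSize
# To keep the result for review: $report | Export-Csv -Path .\GroupOwners.csv -NoTypeInformation
```

Run it as a script file, e.g. `.\Get-GroupOwnerReport.ps1 -SearchString "Finance"`, and review any row showing `<no owner>` first.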
ADManager Plus
Steps to find the owners of an Azure AD group using ADManager Plus:
- Log in to ADManager Plus and navigate to Microsoft 365 tab > Reports > Group Reports > Groups with owners.
- Under Groups with owners, select the desired Microsoft 365 tenant from the Microsoft Tenant drop-down list and click Generate Now.
- After the report is generated, select the filter icon, fill in the desired filters and click Apply.
Limitations of using PowerShell scripts to find the owners of an Azure AD group:
- Administrators need sufficient permissions to read Azure AD group membership and ownership before they can run the script above, and a single mistake made with those permissions can affect the security posture of your organization.
- Only technicians with PowerShell expertise can run this command.
- PowerShell scripts are time-consuming and can affect productivity.
- The parameter values used to filter the list must match exactly.
- The result of this script is also a GUID, which is inconvenient for technicians, since they have to look up the object with that GUID to learn its properties.
Benefits of using ADManager Plus:
- The ability to access group memberships of Azure AD groups can be granularly delegated to technicians without altering their permissions elsewhere.
- ADManager Plus comes with an intuitive UI and does not demand any knowledge in PowerShell.
- Fine-tune your conditions with attribute-based filters such as Display Name, Group Type, Last Directory Sync Time, and Proxy Address.
- Add multiple conditions and decide how they are combined to filter your reports.
- Report generation is built into ADManager Plus and can be performed at the click of a button.