Query M365 Groups for Guests - then Remove them.

Delroy McKenzie (IT Services) 26 Reputation points
2020-09-11T13:41:07.56+00:00

Hi

I want to run a script to find all guests and remove them. I only need them removed if they are a member of a certain group with a suffix, e.g. 'Group-Suffix'.

I am using the following but cannot get it to run against groups with the above criteria:

# Keep UserPrincipalName in the projection: the original Select dropped it, so the -Like test below always failed
$Users = Get-AzureADUser -Filter "UserType eq 'Guest'" -All $True |
    Select-Object DisplayName, UserPrincipalName, ObjectId
ForEach ($U in $Users) {
    # -Like needs wildcards; a guest UPN looks like name_unwanted.com#EXT#@tenant.onmicrosoft.com,
    # so "Unwanted.com" on its own never matches the whole string
    If ($U.UserPrincipalName -Like "*Unwanted.com*") {
        Write-Host "Removing" $U.DisplayName
        Remove-AzureADUser -ObjectId $U.ObjectId
    }
}

Any suggestions would be great.

Thanks

Microsoft Entra ID

1 answer

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-09-11T19:22:55.607+00:00

    Hello @Delroy McKenzie (IT Services) ,

    Microsoft 365 groups are Unified groups, which can be managed better through Exchange PowerShell. The Azure AD PowerShell module does not have cmdlets as good for managing Unified groups. I checked your requirement, tried it in my lab, and was able to delete all the guest users from Microsoft 365 groups using the following script. The script worked in my lab; however, you need to consider some conditions and prerequisites. The statements below explain the complete logic and prerequisites needed to run the provided script properly.

    • You need administrator rights on the tenant you are running this script against.
    • You must have the ExchangeOnlineManagement PowerShell module installed on the machine. If you do not have it, start a PowerShell window on your machine with administrator privileges and install it using Install-Module ExchangeOnlineManagement.
    • You also need to be enabled for remote management of Exchange Online in your environment. If not, use the following to have this enabled; contact either the global administrator of your Azure AD tenant or the Exchange Online admin for the tenant, and then run the following for your UserPrincipalName. In the example below I have used o365user@contoso.com; you need to change this to your own ID.

    Set-User -Identity o365user@contoso.com -RemotePowerShellEnabled $true

    • It assumes that all your groups have the same suffix. In my case I had created both groups with the suffix "Extra". You have also mentioned that you have a group suffix which I assume is common. If not, you may need to find a pattern on the basis of which the script can be modified.
    • Every guest user always has #EXT# appended to their alias, so they are easy to find this way.
    • The script imports the ExchangeOnlineManagement module and collects your credentials for use within the script.
    • The script first collects and filters all the M365 groups / Unified groups which have the "Extra" suffix in their name and stores them in an array named $UGroups.
    • Then, for each of those M365 groups ($ug) in the array, it finds all the members and saves them in another array, $UGmembers.
    • This is fed to another foreach loop which checks each member ($U) in the array against the if condition $U.Alias -Like "*#EXT#".
    • It then writes to the PowerShell console that the user is being removed and prompts for removal. You can answer Yes/No to remove the said user, after which the inner foreach loop continues.
    • Once removal of all guests from the first group is done, it moves on to the next group, and so on.
      Import-Module ExchangeOnlineManagement
      $creds = Get-Credential
      Connect-ExchangeOnline -Credential $creds

      # Collect every M365 (Unified) group whose name contains the common pattern.
      # -ResultSize Unlimited avoids the default 1000-object cap in large tenants.
      $UGroups = Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.Name -like "*Extra*" }

      ForEach ($ug in $UGroups) {
          # Address the group by Identity rather than DisplayName: display names need not be unique
          $UGmembers = Get-UnifiedGroupLinks -Identity $ug.Identity -LinkType Members -ResultSize Unlimited
          ForEach ($U in $UGmembers) {
              # Guest recipients carry #EXT# at the end of their alias
              If ($U.Alias -Like "*#EXT#") {
                  Write-Host "Removing" $U.PrimarySmtpAddress
                  Remove-UnifiedGroupLinks -Identity $ug.Identity -LinkType Members -Links $U.PrimarySmtpAddress
              }
          }
      }
      

    There are two caveats that I was not able to solve.

    • Specifying -Confirm:$false in the command Get-UnifiedGroupLinks -Identity $ug.DisplayName -LinkType Members does not work as intended in suppressing the confirmation prompt for every member being removed. For some reason it stops working if I enable it to skip the confirmation prompt.
    • If any external user has been converted from the Guest UserType to Member, they would also get removed, because #EXT# always remains in the details for those users even though their UserType has been converted to Member.

    Hope the above helps you with your requirement. If the information provided in this post is useful to you, please accept this post as the answer so that it helps other members of the community with similar questions and also improves the relevancy of this question. If you still have any further doubts, or you get any error while executing it, please post the errors in the comments and we will continue to help you further.

    Thank you.
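An added example, not part of the original question or answer: a dry-run-capable version of the same removal loop in PowerShell. It differs from the answer's script in three ways a practitioner usually wants. The group filter is anchored to the end of the name, so the question's 'Group-Suffix' matches only as a suffix rather than anywhere in the name. Guest status is checked against the directory's UserType (through the Microsoft Graph PowerShell module's Get-MgUser) instead of the '#EXT#' alias, which is what removes the converted-to-Member caveat above. And -Confirm:$false plus a -DryRun switch replace the per-member prompt. Assumptions: the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed, the account running it can connect to both and is granted the User.Read.All Graph scope, and 'Group-Suffix' is only a placeholder for your real suffix.

```powershell
# Added example (not the original poster's or answerer's code).
# Remove directory guests from every Microsoft 365 group whose DisplayName ends in $GroupSuffix.
# Run with -DryRun first; it lists what would be removed and changes nothing.
param(
    [string]$GroupSuffix = 'Group-Suffix',   # placeholder suffix taken from the question
    [switch]$DryRun
)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users

# Modern auth; no stored credential object needed
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.Read.All'

function Test-IsGuest {
    param([string]$ObjectId)
    # Check UserType in the directory instead of matching '#EXT#' in the alias:
    # a guest converted to Member keeps '#EXT#' in its UPN/alias but reports
    # UserType 'Member', so the alias test would remove the wrong people.
    $user = Get-MgUser -UserId $ObjectId -Property UserType -ErrorAction SilentlyContinue
    return ($null -ne $user -and $user.UserType -eq 'Guest')
}

# Anchor the wildcard at the front only, so the pattern matches a real suffix.
$groups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.DisplayName -like "*$GroupSuffix" }

foreach ($group in $groups) {
    # Identity is unambiguous; display names are not guaranteed unique.
    $members = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -ResultSize Unlimited

    foreach ($member in $members) {
        # Resolve the recipient to get its directory object id (assumption: the
        # reduced recipient returned by Get-UnifiedGroupLinks may not expose it).
        $recipient = Get-EXORecipient -Identity $member.PrimarySmtpAddress -Properties ExternalDirectoryObjectId
        if (-not $recipient) { continue }
        if (-not (Test-IsGuest -ObjectId $recipient.ExternalDirectoryObjectId)) { continue }

        if ($DryRun) {
            Write-Host "Would remove $($member.PrimarySmtpAddress) from $($group.DisplayName)"
            continue
        }

        Write-Host "Removing $($member.PrimarySmtpAddress) from $($group.DisplayName)"
        # -Confirm:$false suppresses the per-member confirmation prompt.
        Remove-UnifiedGroupLinks -Identity $group.Identity -LinkType Members `
            -Links $member.PrimarySmtpAddress -Confirm:$false
    }
}
```

Usage: save as Remove-GuestsFromSuffixGroups.ps1 and run `.\Remove-GuestsFromSuffixGroups.ps1 -GroupSuffix 'Group-Suffix' -DryRun` to review the list, then drop -DryRun to apply. Note that this removes guests from the groups only; it does not delete the guest accounts from the tenant the way the question's Remove-AzureADUser call would.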