How to Delete Orphaned Groups in Azure AD Using Microsoft Graph PowerShell

First, we need to install the Microsoft Graph PowerShell SDK, which replaced the deprecated Azure AD PowerShell module in 2024. Open PowerShell as Administrator and install the required modules.

# Check PowerShell version (must be 7.2 or higher)
$PSVersionTable.PSVersion

# Install Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Install specific modules for group management
Install-Module Microsoft.Graph.Groups -Scope CurrentUser -Force
Install-Module Microsoft.Graph.DirectoryObjects -Scope CurrentUser -Force

The installation may take several minutes as it downloads multiple sub-modules. You'll see progress indicators for each component being installed.

Verify the installation by checking the module version:

Get-Module Microsoft.Graph -ListAvailable | Select-Object Name, Version

Connect to Microsoft Graph using the appropriate scopes for group management. This replaces the old Connect-AzureAD command from the deprecated module.

# Connect to Microsoft Graph with group management permissions
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.ReadWrite.All", "GroupMember.ReadWrite.All"

# Verify connection and check current context
Get-MgContext | Select-Object Account, Scopes, TenantId

A browser window will open for authentication. Sign in with your Global Administrator or Groups Administrator account. After successful authentication, you'll see confirmation in the PowerShell console.

Confirm you're connected to the correct tenant:

# Display tenant information
Get-MgOrganization | Select-Object DisplayName, Id, VerifiedDomains

Now we'll identify orphaned groups that typically remain after removing Azure AD Connect or other synchronization tools. These groups often have specific characteristics that make them identifiable.

# Get all groups and filter for potential orphaned groups
$allGroups = Get-MgGroup -All -Property Id, DisplayName, Description, GroupTypes, SecurityEnabled, MailEnabled, OnPremisesSyncEnabled, CreatedDateTime

# Filter for groups that are likely orphaned (on-premises synced but no longer active)
$orphanedGroups = $allGroups | Where-Object {
    $_.OnPremisesSyncEnabled -eq $true -and
    $_.Description -like "*orphaned*" -or
    $_.DisplayName -like "*_*" -or
    $_.DisplayName -match "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
}

# Display potential orphaned groups
$orphanedGroups | Select-Object DisplayName, Id, Description, CreatedDateTime | Format-Table -AutoSize

This command identifies groups with common orphaned characteristics: on-premises sync enabled, GUID-like names, or descriptions containing "orphaned".

For a more comprehensive search, check for groups with no members:

# Check for empty groups that might be orphaned
$emptyGroups = @()
foreach ($group in $allGroups) {
    $memberCount = (Get-MgGroupMember -GroupId $group.Id -All).Count
    if ($memberCount -eq 0) {
        $emptyGroups += $group
    }
}

$emptyGroups | Select-Object DisplayName, Id, CreatedDateTime | Format-Table -AutoSize

Before deleting any groups, create a comprehensive backup of their information. This is crucial for recovery if you accidentally delete the wrong groups.

# Create backup directory
$backupPath = "C:\AzureAD_GroupBackup_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $backupPath -Force

# Export all group information to CSV
$allGroups | Export-Csv -Path "$backupPath\AllGroups_Backup.csv" -NoTypeInformation

# Export detailed information for each orphaned group
foreach ($group in $orphanedGroups) {
    $groupDetails = @{
        'GroupId' = $group.Id
        'DisplayName' = $group.DisplayName
        'Description' = $group.Description
        'GroupTypes' = $group.GroupTypes -join ','
        'SecurityEnabled' = $group.SecurityEnabled
        'MailEnabled' = $group.MailEnabled
        'CreatedDateTime' = $group.CreatedDateTime
        'OnPremisesSyncEnabled' = $group.OnPremisesSyncEnabled
    }
    
    # Get group members
    $members = Get-MgGroupMember -GroupId $group.Id -All
    $groupDetails['MemberCount'] = $members.Count
    $groupDetails['Members'] = ($members | ForEach-Object { $_.AdditionalProperties.displayName }) -join ';'
    
    # Export to individual JSON file
    $groupDetails | ConvertTo-Json | Out-File -FilePath "$backupPath\Group_$($group.DisplayName -replace '[^a-zA-Z0-9]', '_').json"
}

Write-Host "Backup completed at: $backupPath" -ForegroundColor Green

This creates a timestamped backup directory with comprehensive group information including members, properties, and metadata.

Verify the backup was created successfully:

Get-ChildItem $backupPath | Select-Object Name, Length, LastWriteTime

Perform final validation to ensure you're only deleting truly orphaned groups. This step prevents accidental deletion of active groups.

# Create validation report
$validationReport = @()

foreach ($group in $orphanedGroups) {
    $validation = @{
        'GroupName' = $group.DisplayName
        'GroupId' = $group.Id
        'MemberCount' = (Get-MgGroupMember -GroupId $group.Id -All).Count
        'HasOwners' = (Get-MgGroupOwner -GroupId $group.Id -All).Count -gt 0
        'LastActivity' = 'Unknown' # Microsoft Graph doesn't provide last activity directly
        'IsMailEnabled' = $group.MailEnabled
        'IsSecurityGroup' = $group.SecurityEnabled
        'OnPremisesSync' = $group.OnPremisesSyncEnabled
        'RecommendDelete' = $false
    }
    
    # Determine if group should be deleted based on criteria
    if ($validation.MemberCount -eq 0 -and 
        -not $validation.HasOwners -and 
        $validation.OnPremisesSync -eq $true) {
        $validation.RecommendDelete = $true
    }
    
    $validationReport += New-Object PSObject -Property $validation
}

# Display validation report
$validationReport | Format-Table GroupName, MemberCount, HasOwners, IsMailEnabled, RecommendDelete -AutoSize

# Show only groups recommended for deletion
$groupsToDelete = $validationReport | Where-Object { $_.RecommendDelete -eq $true }
Write-Host "Groups recommended for deletion: $($groupsToDelete.Count)" -ForegroundColor Yellow

Review the validation report carefully. Groups marked with RecommendDelete = $true meet the criteria for safe deletion.

Double-check specific groups manually:

# Manually inspect a specific group
$groupId = "your-group-id-here"
Get-MgGroup -GroupId $groupId | Select-Object DisplayName, Description, CreatedDateTime, OnPremisesSyncEnabled
Get-MgGroupMember -GroupId $groupId -All | Select-Object AdditionalProperties

Now we'll delete the validated orphaned groups using the Microsoft Graph PowerShell SDK. This replaces the deprecated Remove-AzureADGroup cmdlet.

# Delete orphaned groups with confirmation
$deletionLog = @()

foreach ($group in $groupsToDelete) {
    try {
        Write-Host "Attempting to delete group: $($group.GroupName)" -ForegroundColor Yellow
        
        # Delete the group
        Remove-MgGroup -GroupId $group.GroupId -Confirm:$false
        
        $logEntry = @{
            'GroupName' = $group.GroupName
            'GroupId' = $group.GroupId
            'DeletionTime' = Get-Date
            'Status' = 'Success'
            'Error' = $null
        }
        
        Write-Host "Successfully deleted: $($group.GroupName)" -ForegroundColor Green
        
    } catch {
        $logEntry = @{
            'GroupName' = $group.GroupName
            'GroupId' = $group.GroupId
            'DeletionTime' = Get-Date
            'Status' = 'Failed'
            'Error' = $_.Exception.Message
        }
        
        Write-Host "Failed to delete $($group.GroupName): $($_.Exception.Message)" -ForegroundColor Red
    }
    
    $deletionLog += New-Object PSObject -Property $logEntry
    Start-Sleep -Seconds 2  # Avoid API throttling
}

# Export deletion log
$deletionLog | Export-Csv -Path "$backupPath\DeletionLog.csv" -NoTypeInformation

# Display summary
$successCount = ($deletionLog | Where-Object { $_.Status -eq 'Success' }).Count
$failedCount = ($deletionLog | Where-Object { $_.Status -eq 'Failed' }).Count

Write-Host "\nDeletion Summary:" -ForegroundColor Cyan
Write-Host "Successfully deleted: $successCount groups" -ForegroundColor Green
Write-Host "Failed deletions: $failedCount groups" -ForegroundColor Red

For safer deletion with individual confirmation:

# Alternative: Delete with individual confirmation
foreach ($group in $groupsToDelete) {
    $confirmation = Read-Host "Delete group '$($group.GroupName)'? (y/N)"
    if ($confirmation -eq 'y' -or $confirmation -eq 'Y') {
        Remove-MgGroup -GroupId $group.GroupId
        Write-Host "Deleted: $($group.GroupName)" -ForegroundColor Green
    }
}

Verify that the orphaned groups have been successfully deleted and perform cleanup tasks.

# Verify groups are deleted
Write-Host "Verifying group deletions..." -ForegroundColor Cyan

$verificationResults = @()
foreach ($deletedGroup in ($deletionLog | Where-Object { $_.Status -eq 'Success' })) {
    try {
        $group = Get-MgGroup -GroupId $deletedGroup.GroupId -ErrorAction Stop
        $verificationResults += @{
            'GroupName' = $deletedGroup.GroupName
            'Status' = 'Still Exists'
            'Note' = 'Group was not deleted successfully'
        }
    } catch {
        $verificationResults += @{
            'GroupName' = $deletedGroup.GroupName
            'Status' = 'Deleted Successfully'
            'Note' = 'Group no longer exists in Azure AD'
        }
    }
}

# Display verification results
$verificationResults | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table -AutoSize

# Check for any remaining orphaned groups
Write-Host "\nChecking for remaining orphaned groups..." -ForegroundColor Cyan
$remainingGroups = Get-MgGroup -All -Property Id, DisplayName, OnPremisesSyncEnabled | Where-Object {
    $_.OnPremisesSyncEnabled -eq $true -and
    $_.DisplayName -like "*_*"
}

if ($remainingGroups.Count -gt 0) {
    Write-Host "Found $($remainingGroups.Count) potentially orphaned groups remaining:" -ForegroundColor Yellow
    $remainingGroups | Select-Object DisplayName, Id | Format-Table -AutoSize
} else {
    Write-Host "No additional orphaned groups found." -ForegroundColor Green
}

# Generate final report
$finalReport = @{
    'TotalGroupsProcessed' = $orphanedGroups.Count
    'SuccessfulDeletions' = $successCount
    'FailedDeletions' = $failedCount
    'BackupLocation' = $backupPath
    'ProcessingDate' = Get-Date
}

$finalReport | ConvertTo-Json | Out-File -FilePath "$backupPath\FinalReport.json"

Write-Host "\nCleanup completed. Final report saved to: $backupPath\FinalReport.json" -ForegroundColor Green

Disconnect from Microsoft Graph when finished:

# Disconnect from Microsoft Graph
Disconnect-MgGraph
Write-Host "Disconnected from Microsoft Graph" -ForegroundColor Green