Find Cloud-Only Groups with Microsoft Graph PowerShell

Learn how to identify cloud-only groups in Microsoft Entra ID using Microsoft Graph PowerShell.

# Validated on Microsoft.Graph PowerShell SDK v2.29.1
$ErrorActionPreference = 'Stop'
$requiredScopes = 'Group.Read.All'

$ctx = Get-MgContext
if (-not $ctx -or ($requiredScopes | Where-Object { $ctx.Scopes -notcontains $_ })) {
    Connect-MgGraph -Scopes $requiredScopes -NoWelcome
}

# onPremisesSyncEnabled:
# 'true' if this group is synced from an on-premises directory;
# 'false' if this group was originally synced from an on-premises directory but is no longer synced;
# 'null' if this object has never been synced from an on-premises directory (default).

$params = @{
    'All'              = $true
    'PageSize'         = 999
    'Filter'           = 'onPremisesSyncEnabled ne true'
    'ConsistencyLevel' = 'eventual'
    'CountVariable'    = 'groupCount'
}

$groups = Get-MgGroup @params
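
The filter `onPremisesSyncEnabled ne true` returns both never-synced groups (`null`) and groups whose sync has stopped (`false`), which matter differently in an access review. The following added example (not part of the original script) separates the two; `Get-GroupSyncOrigin` is a hypothetical helper name, and the sample objects are constructed so the block runs without a Graph connection.

```powershell
# Added example: classify groups by the three states of onPremisesSyncEnabled.
# Get-GroupSyncOrigin is a hypothetical helper, not a Microsoft.Graph SDK cmdlet.
function Get-GroupSyncOrigin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Group
    )
    process {
        # Test for $null first: a plain boolean test would treat $null and $false alike.
        $origin = if ($null -eq $Group.OnPremisesSyncEnabled) {
            'CloudOnly'          # never synced from an on-premises directory
        }
        elseif ($Group.OnPremisesSyncEnabled) {
            'Synced'             # currently synced from on-premises
        }
        else {
            'PreviouslySynced'   # originally synced, no longer synced
        }

        [pscustomobject]@{
            DisplayName = $Group.DisplayName
            Id          = $Group.Id
            SyncOrigin  = $origin
            LastSync    = $Group.OnPremisesLastSyncDateTime
        }
    }
}

# Constructed sample objects shaped like Get-MgGroup output (IDs and names are made up).
$sampleGroups = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; DisplayName = 'Cloud Project Team'
                       OnPremisesSyncEnabled = $null;  OnPremisesLastSyncDateTime = $null }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'; DisplayName = 'Legacy File Share Admins'
                       OnPremisesSyncEnabled = $false; OnPremisesLastSyncDateTime = [datetime]'2023-04-01T08:00:00Z' }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'; DisplayName = 'Finance Users'
                       OnPremisesSyncEnabled = $true;  OnPremisesLastSyncDateTime = [datetime]'2025-01-15T02:30:00Z' }
)

$classified = $sampleGroups | Get-GroupSyncOrigin

# Per-group view, then a count per category.
$classified | Format-Table DisplayName, SyncOrigin, LastSync -AutoSize
$classified | Group-Object SyncOrigin | Format-Table Name, Count -AutoSize
```

Against live data, pipe the result of the script above into the helper: `$groups | Get-GroupSyncOrigin`. Groups reported as `PreviouslySynced` keep the attributes they had when sync stopped, so review them separately from groups created in the cloud.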