Fix: M365 Group Not in Active Directory – Removal Guide

Posted on 30 April 2025 by Beaming Support

When you, as a global administrator, attempt to modify the membership of a Microsoft 365 group that’s synchronised from your local network, you usually need to make those changes within your on-premises Active Directory on the Domain Controller. However, issues occur when this on-premises Active Directory group is missing – potentially due to a misconfiguration, accidental deletion, or a lingering problem from a previous synchronisation.

How to manually remove an on-premises synchronised group from M365.

First, we need to find the Object ID of the offending group in Microsoft 365, using PowerShell:

  • Install and import the Microsoft Graph PowerShell Module
    1. Install-Module Microsoft.Graph
    2. $MaximumFunctionCount = 32768 (This is required as the Module exceeds the default 4096 functions)
    3. Import-Module Microsoft.Graph
  • Connect to Microsoft Graph and assign correct permissions
    1. Connect-MgGraph -Scopes "Group.Read.All"
  • Find the Group ID for the orphaned group, using either of the below commands
    1. Get-MgGroup -Filter "DisplayName eq 'Group Name'"
    2. Get-MgGroup -All
  • Now that we have the Object ID, we can go ahead and remove the group from M365 using the MSOnline PowerShell module
    1. Install-Module MSOnline
    2. Import-Module MSOnline
    3. Connect-MsolService, and satisfy any MFA that is applied to the Global Administrator's account.
    4. Remove-MsolGroup -ObjectId "<ObjectID>"
  • Confirm that the orphaned group has now been removed from the tenant by refreshing the group list.
  • You can now recreate the group in the on-premises Active Directory and force a synchronisation to M365 with Start-ADSyncSyncCycle -PolicyType Delta. Alternatively, if this is an email-only group or distribution list, you can create it as a cloud-only group and prevent this issue occurring in the future.
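
The steps above as one script with safety checks before the delete. This is an added example, not part of the original post: it refuses to continue unless exactly one group matches and that group is flagged as synchronised from on-premises, and it saves the membership so the group can be recreated. The function name Get-OrphanedSyncedGroup and the CSV file name are hypothetical, and 'Group Name' is the post's placeholder.

```powershell
# Added example: pre-removal checks for the procedure above.
# Get-OrphanedSyncedGroup and the CSV path are hypothetical names.
Import-Module Microsoft.Graph.Groups   # part of Microsoft.Graph; provides Get-MgGroup
Connect-MgGraph -Scopes 'Group.Read.All'

function Get-OrphanedSyncedGroup {
    param([Parameter(Mandatory)][string]$DisplayName)

    # OData string literals escape a single quote by doubling it.
    $escaped = $DisplayName.Replace("'", "''")
    $props   = 'id', 'displayName', 'onPremisesSyncEnabled',
               'onPremisesLastSyncDateTime', 'onPremisesSecurityIdentifier'
    $found   = @(Get-MgGroup -Filter "displayName eq '$escaped'" -Property $props -All)

    # Display names are not unique, so never delete on an ambiguous match.
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($found.Count)."
    }
    # A cloud-only group is not the orphaned synced group this guide is about.
    if (-not $found[0].OnPremisesSyncEnabled) {
        throw "Group '$DisplayName' is not flagged as synchronised from on-premises AD."
    }
    $found[0]
}

$group = Get-OrphanedSyncedGroup -DisplayName 'Group Name'
$group | Format-List Id, DisplayName, OnPremisesLastSyncDateTime, OnPremisesSecurityIdentifier

# Save the membership first so the group can be rebuilt after removal.
# UserPrincipalName is empty for members that are not users.
Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object Id, @{ n = 'UserPrincipalName'; e = { $_.AdditionalProperties['userPrincipalName'] } } |
    Export-Csv -Path .\orphaned-group-members.csv -NoTypeInformation

# Removal as in the steps above. -Force is deliberately omitted so the
# cmdlet can ask for confirmation before deleting.
Import-Module MSOnline
Connect-MsolService                    # sign-in prompt, including MFA
Remove-MsolGroup -ObjectId $group.Id
```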