When you, as a global administrator, attempt to modify the membership of a Microsoft 365 group that’s synchronised from your local network, you usually need to make those changes within your on-premises Active Directory on the Domain Controller. However, issues occur when this on-premises Active Directory group is missing – potentially due to a misconfiguration, accidental deletion, or a lingering problem from a previous synchronisation.

How to manually remove an on-premise synchronised group from M365.

First, we need to find the Object ID of the offending group in Microsoft 365, using PowerShell

• Install and import the Microsoft Graph PowerShell Module
  1. Install-Module Microsoft.Graph
  2. $MaximumFunctionCount = 32768 (This is required as the Module exceeds the default 4096 functions)
  3. Import-Module Microsoft Graph
• Connect to Microsoft Graph and assign correct permissions
  1. Connect-MgGraph -Scopes “Group.Read.All”
• Find the Group ID for the orphaned group, using either of the below commands
  1. Get-MgGroup -Filter “DisplayName eq ‘Group Name'”
  2. Get-MgGroup -All
• Now we have the Object ID we can go ahead and remove it from M365 using the MSOline PowerShell module
  1. Install-Module MSOnline
  2. Import-Module MSOnline
  3. Satisfy any MFA that is applied to the Global Administrators account.
  4. Remove-MsolGroup -Objectid “<ObjectID>
• Confirm that the Orphaned Group has now been removed from the Tennant by refreshing the group list.
• You can now recreate the group in the on-premise Active Directory and force a synchronisation to M365 with “Start-ADSyncSyncCycle -PolicyType Delta”, or if this is an email only group or distribution list you can create as a cloud only group and prevent this issue occurring in the future.