Using PowerShell, you can delete orphaned groups in Azure AD. I will explain how to remove groups from Azure AD that were synchronized into your tenant but are left behind after removing Azure AD Connect.
After you remove Azure AD Connect, you may discover that your Azure AD contains many orphaned groups that no longer exist in on-premises Active Directory. These groups serve no purpose, so you can safely delete them.
Here is an example of orphaned groups existing in your Azure AD. You can find all the orphaned groups by logging in to Azure Portal > Groups.
You cannot make any changes to these orphaned groups. If you select any of the orphaned groups, there is no option to delete it. You cannot delete these orphaned groups from the Azure Portal GUI, but you can delete them using Azure AD PowerShell.
Normally you cannot manually manage or remove objects that were created in Azure Active Directory (Azure AD) through directory synchronization. According to Microsoft, you have to delete such orphaned objects manually in the following cases.
- Case 1 – The on-premises AD DS is no longer available. Therefore, you can’t manage or delete the object from the on-premises environment.
- Case 2 – You deleted an object from the on-premises AD DS. However, the object wasn’t deleted from your cloud service organization. This is unexpected behavior.
When you attempt to delete a user account from Microsoft 365, it may fail with an error. Here is the solution for the error “Couldn’t delete this user because the account is synchronized.”
How to Delete Orphaned Groups in Azure AD
Let’s look at the steps to delete orphaned groups in Azure AD.
To manage users and groups in Azure via PowerShell, you need to install the Azure Active Directory PowerShell Module.
Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator). Run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell.
Install-Module -Name MSOnline
Once you have installed the Azure AD PowerShell module, run the following command.
Connect-MsolService
This command connects to Azure AD. Sign in to your Azure AD tenant using an account with the “Global admin” role assigned. You must be a tenant administrator (i.e. global administrator) to successfully establish a connection to your Microsoft 365 tenant using PowerShell.
Once you have successfully signed in to Azure AD using PowerShell, let’s find the groups present in Azure AD.
Run the following PowerShell command to find all the groups in Azure AD.
Get-MsolGroup
The output should now display all the groups present in Azure AD along with their ObjectId, DisplayName, GroupType and Description.
Now you can delete orphaned groups in Azure AD using the following PowerShell command.
Get-MsolGroup -SearchString "DisplayName" | Remove-MsolGroup
In the command, substitute DisplayName with the orphaned group’s display name. You will be asked for confirmation before the delete operation continues. Press Y to delete the orphaned group.
The Remove-MsolGroup command deletes the group from Azure AD.
If you want to delete all the orphaned groups in Azure AD, you can run the following PowerShell command. Note that Get-MsolGroup without a filter returns every group in the tenant, cloud-only groups included, so only run this when every group in the tenant is an orphaned synced group; -Force suppresses the per-group confirmation prompt.
Get-MsolGroup | Remove-MsolGroup -Force
Once you have deleted the orphaned groups, run Get-MsolGroup again; it should no longer return any groups. This confirms that the orphaned groups were deleted from Azure AD successfully.
Now let’s confirm that the orphaned groups are gone from the Azure AD tenant. In the Azure Portal, go to Groups, and you will see that all the orphaned groups have been removed from Azure AD.
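As an added example (not the original post’s commands), the following script narrows the bulk delete above to groups that were actually synchronized from on-premises, lists them for review first, and deletes only when asked to. It assumes you are already connected with Connect-MsolService, and that synced groups carry a non-null LastDirSyncTime while cloud-only groups have it set to $null.

```powershell
# Added example (not from the original post): list the directory-synced
# groups left behind after Azure AD Connect was removed, review them, and
# delete only those. Run Connect-MsolService first.
# Assumption: a group that came from on-premises AD has a non-null
# LastDirSyncTime, while a cloud-only group has LastDirSyncTime = $null.

param(
    [switch]$Delete   # without -Delete the script only reports
)

# Removing synced objects only works once directory synchronization is
# turned off for the tenant (Set-MsolDirSyncEnabled -EnableDirSync $false,
# which can take a while to take effect). Stop early instead of failing
# on every group.
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    throw "Directory synchronization is still enabled for this tenant; disable it before deleting synced groups."
}

# -All avoids the default page size of Get-MsolGroup so nothing is missed.
$allGroups = @(Get-MsolGroup -All)
$orphaned  = @($allGroups | Where-Object { $null -ne $_.LastDirSyncTime })
$cloudOnly = @($allGroups | Where-Object { $null -eq $_.LastDirSyncTime })

Write-Host ("Groups in tenant: {0}, synced (orphaned): {1}, cloud-only (kept): {2}" -f `
    $allGroups.Count, $orphaned.Count, $cloudOnly.Count)

# Review list: what would be removed, with the identifiers needed to audit it.
$orphaned |
    Select-Object DisplayName, ObjectId, GroupType, LastDirSyncTime |
    Sort-Object DisplayName |
    Format-Table -AutoSize

if (-not $Delete) {
    Write-Host "Dry run only. Re-run with -Delete to remove the groups listed above."
    return
}

foreach ($g in $orphaned) {
    # Delete by ObjectId rather than DisplayName so two groups with the
    # same name (one synced, one cloud-only) cannot be confused.
    Remove-MsolGroup -ObjectId $g.ObjectId -Force
    Write-Host ("Removed {0} ({1})" -f $g.DisplayName, $g.ObjectId)
}
```

Save the script, run it once without parameters to review the list, then run it with -Delete to remove only the groups shown.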