How To Delete Orphaned Groups in Azure AD PowerShell
Using PowerShell, you can delete orphaned groups in Azure AD. I will explain how to remove groups from Azure AD that were synchronized into your tenant but are left behind after removing Azure AD Connect.
After you remove the Azure AD Connect, you discover that your Azure AD has many orphaned groups that no longer exist on-premises Active Directory. These groups serve no purpose and hence you can safely delete them.
Here is an example of orphaned groups existing in your Azure AD. You can find all the orphaned groups by logging in to Azure Portal > Groups.
You cannot make any changes to these orphaned groups. If you select any of the orphaned group, there is no option to delete. You cannot delete these orphaned groups from the Azure Portal GUI, but you can delete them using Azure AD PowerShell.
You try to manually manage or remove objects that were created through directory synchronization from Azure Active Directory (Azure AD). As per Microsoft, you will have to manually delete the orphaned objects in the following cases.
- Case 1 – The on-premises AD DS is no longer available. Therefore, you can’t manage or delete the object from the on-premises environment.
- Case 2 – You deleted an object from the on-premises AD DS. However, the object wasn’t deleted from your cloud service organization. This is unexpected behavior.
When you attempt to delete a user account from Microsoft 365, it fails with an error. Here is the solution for couldn’t delete this user because the account is synchronized.
How to Delete Orphaned Groups in Azure AD
Let’s look at the steps to delete orphaned groups in Azure AD.
To manage users and groups in Azure via PowerShell, you need to install the Azure Active Directory PowerShell Module.
Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator). Run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell.
Install-Module -Name MSOnline
Once you have installed the Azure AD PowerShell module, run the command Connect-MsolService
.
This command connects to Azure AD. Sign-in to your Azure AD tenant using an account with “Global admin” role assigned. You must be a tenant administrator (i.e. global administrator) to successfully establish a connection to your Microsoft 365 tenant using PowerShell.
Once you have successfully signed in to Azure AD using PowerShell, let’s find the groups present in Azure AD.
Run the following PowerShell command to find all the groups in Azure AD.
Get-MsolGroup
The output should now display all the groups present in Azure AD along with their ObjectID, DisplayName, GroupType and Description.
Now you can delete orphaned groups in Azure AD using the following PowerShell command.
Get-MsolGroup -SearchString "DisplayName" | Remove-MsolGroup
In the command, substitute the DisplayName with orphaned group name. You will be asked for a confirmation to continue with the delete operation. Select Y to delete the orphaned group.
The Remove-MSolGroup command deletes the group from the Azure AD.
If you want to delete all the orphaned groups in Azure AD, you can run the following PowerShell command.
Get-MsolGroup | Remove-MsolGroup -F
Once you delete the orphaned groups, run the command Get-MsolGroup
, and now it shouldn’t return any groups. This also means you have deleted orphaned groups from Azure AD successfully.
Now let’s confirm if the orphaned groups are deleted from Azure AD tenant. In the Azure Portal, go to Groups, and now you see all the orphaned groups are removed from Azure AD.
Delete Azure AD Groups using PowerShell
When I removed the tenant from Azure Active Directory, I found some groups in Azure AD that were not deleted. These groups were synchronized from the on-premises AD server. Here is another way to delete the Azure AD groups using PowerShell. The Remove-AzureADGroup cmdlet removes a group from Azure Active Directory (AD).
The below screenshot shows there are three groups that needs to be deleted. When you select the group, the delete option is greyed out and hence you have to use PowerShell to delete them.
Launch the Azure Cloud Shell and wait for it to load. Now run the command connect-azuread. Once the command is executed successfully, you can delete the groups using the following command.
Remove-AzureADGroup -ObjectId 'specify the object of the group'
After you run the above command, wait for few seconds while the group is deleted in the background.
Need more help?
If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.