How To Delete Orphaned Groups in Azure AD PowerShell

Using PowerShell, you can delete orphaned groups in Azure AD. This post explains how to remove groups that were synchronized into your tenant from on-premises Active Directory but were left behind after Azure AD Connect was removed.

After you remove Azure AD Connect, you may discover that your Azure AD contains many orphaned groups that no longer exist in the on-premises Active Directory. These groups serve no purpose, so you can delete them, but review each one first: a group that still has license assignments or other dependencies will refuse deletion, and any group you delete takes its memberships and assignments with it.

Here is an example of orphaned groups in Azure AD. You can see them by signing in to the Azure Portal and opening Groups.

You cannot make any changes to these orphaned groups. If you select one of them, there is no Delete option; the portal does not let you delete synchronized groups. You can, however, delete them with Azure AD PowerShell.

Orphaned Groups in Azure AD

Objects created through directory synchronization are meant to be managed from the on-premises directory, so Azure Active Directory (Azure AD) does not normally let you edit or delete them directly. According to Microsoft, you have to delete such orphaned objects manually in the following cases:

  • Case 1 – The on-premises AD DS is no longer available. Therefore, you can't manage or delete the object from the on-premises environment.
  • Case 2 – You deleted an object from the on-premises AD DS. However, the object wasn't deleted from your cloud service organization. This is unexpected behavior.

A related problem is that deleting a user account from Microsoft 365 fails with the error "couldn't delete this user because the account is synchronized"; the fix for that case is covered in a separate post.

How to Delete Orphaned Groups in Azure AD

Let’s look at the steps to delete orphaned groups in Azure AD.

To manage users and groups in Azure AD via PowerShell, you need the Azure Active Directory PowerShell module. Note that Microsoft has since deprecated the MSOnline and AzureAD modules in favor of Microsoft Graph PowerShell, so check their current support status before relying on them; the steps below use MSOnline.

Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator). Run the following command to install the Microsoft Azure Active Directory Module for Windows PowerShell.

Install-Module -Name MSOnline

Once you have installed the Azure AD PowerShell module, run the command Connect-MsolService.

This command prompts you to sign in to your Azure AD tenant. Any user can establish the connection, but deleting groups requires a role that permits it: Global Administrator works, and the less privileged Groups Administrator role is sufficient and should be preferred for this task.

Connect to Azure AD using PowerShell

Once you have successfully signed in to Azure AD using PowerShell, let’s find the groups present in Azure AD.

Run the following PowerShell command to find all the groups in Azure AD.

Get-MsolGroup

The output lists all the groups in Azure AD along with their ObjectId, DisplayName, GroupType and Description. By default Get-MsolGroup returns only the first 250 groups; add the -All parameter in a large tenant.

Find Orphaned Groups in Azure AD PowerShell

Now you can delete orphaned groups in Azure AD using the following PowerShell command.

Get-MsolGroup -SearchString "DisplayName" | Remove-MsolGroup

In the command, substitute DisplayName with the orphaned group's name. Be aware that -SearchString matches every group whose display name starts with that string, so run Get-MsolGroup -SearchString "DisplayName" on its own first and confirm it returns only the intended group, or delete by -ObjectId instead. You will be asked to confirm the delete operation; enter Y to delete the orphaned group.

The Remove-MsolGroup cmdlet deletes the group from Azure AD.

Delete Orphaned Groups in Azure AD PowerShell

If every group remaining in the tenant is orphaned, you can delete them all in one command. This removes every group Get-MsolGroup returns, including any cloud-only groups, so review the list from the previous step before running it. The -Force switch suppresses the per-group confirmation prompt, and -All makes sure groups beyond the default page of 250 are included.

Get-MsolGroup -All | Remove-MsolGroup -Force

Once you have deleted the orphaned groups, run Get-MsolGroup again. If all of your groups were orphaned, it should return nothing; otherwise only your cloud-only groups should remain. Either way, the orphaned groups have been deleted from Azure AD.
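The steps above rely on you picking out the orphaned groups by eye. The following script is an added example, not code from the original post, that automates the same procedure more safely: it uses the LastDirSyncTime property that Get-MsolGroup returns (set on groups that were ever synchronized from on-premises, empty on cloud-only groups) to select candidates, writes them to a CSV for the audit trail, runs as a dry run unless you pass -Delete, deletes by ObjectId rather than by name prefix, and reports any group Azure AD refuses to delete instead of stopping. The module, role and LastDirSyncTime assumptions are noted in the comments; treat LastDirSyncTime as a strong hint, not proof, and review the report before deleting.

```powershell
# Added example (not from the original article). Assumes the MSOnline module is
# installed and the signed-in account holds a role that can delete groups
# (Groups Administrator is enough; Global Administrator is not required).
param(
    [switch]$Delete,   # without -Delete the script only reports what it would remove
    [string]$ReportPath = ".\orphaned-groups-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService

# Assumption used here: groups synced from on-premises carry a LastDirSyncTime,
# cloud-only groups do not. With Azure AD Connect gone, anything that still has a
# LastDirSyncTime is a candidate orphan. -All avoids the default 250-result page.
$orphaned = Get-MsolGroup -All | Where-Object { $null -ne $_.LastDirSyncTime }

if (-not $orphaned) {
    Write-Host "No directory-synced groups found."
    return
}

# Record what is about to be removed before touching anything.
$orphaned |
    Select-Object ObjectId, DisplayName, GroupType, LastDirSyncTime |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($orphaned.Count) synced group(s); report written to $ReportPath"
$orphaned | Format-Table DisplayName, GroupType, LastDirSyncTime -AutoSize

if (-not $Delete) {
    Write-Host "Dry run only. Re-run with -Delete to remove the groups listed above."
    return
}

$failed = @()
foreach ($group in $orphaned) {
    try {
        # Delete by ObjectId so a display-name prefix match can never hit the wrong group.
        Remove-MsolGroup -ObjectId $group.ObjectId -Force -ErrorAction Stop
        Write-Host "Deleted: $($group.DisplayName) ($($group.ObjectId))"
    }
    catch {
        # "You cannot delete this group" is returned when the group still has
        # dependencies, for example group-based license assignments. Record it,
        # clear the dependency, and re-run the script.
        $failed += [pscustomobject]@{
            DisplayName = $group.DisplayName
            ObjectId    = $group.ObjectId
            Error       = $_.Exception.Message
        }
        Write-Warning "Could not delete $($group.DisplayName): $($_.Exception.Message)"
    }
}

if ($failed) {
    Write-Host "`n$($failed.Count) group(s) could not be deleted:"
    $failed | Format-Table -AutoSize
}
```

Run it once without -Delete, check the CSV and the table against what you expect to lose, then run it again with -Delete. If the tenant still reports directory synchronization as enabled, the more durable fix is to turn it off at the tenant level (Set-MsolDirSyncEnabled -EnableDirectorySync $false), which converts remaining synced objects to cloud-managed ones so they can be handled normally; that change can take up to 72 hours to complete.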

Delete Orphaned Groups in Azure AD PowerShell

Now let's confirm that the orphaned groups are gone from the Azure AD tenant. In the Azure Portal, go to Groups; the orphaned groups should no longer be listed.

Delete Orphaned Groups in Azure AD PowerShell

Delete Azure AD Groups using PowerShell

After I removed Azure AD Connect from the tenant, I found some groups in Azure AD that had not been deleted. These groups had been synchronized from the on-premises AD server. Here is another way to delete Azure AD groups using PowerShell: the Remove-AzureADGroup cmdlet from the AzureAD module removes a group from Azure Active Directory.

The screenshot below shows three groups that need to be deleted. When you select one of them, the Delete option is greyed out, so you have to use PowerShell to remove them.

Delete Azure AD Groups using PowerShell

Launch Azure Cloud Shell (PowerShell) and wait for it to load. Run Connect-AzureAD and sign in. Once connected, look up the group's ObjectId with Get-AzureADGroup -SearchString "DisplayName", then delete it with the following command, substituting that ObjectId:

Remove-AzureADGroup -ObjectId '<ObjectId of the group>'

After you run the command, wait a few seconds while the group is deleted in the background, then run Get-AzureADGroup again to confirm it is gone.

Delete Azure AD Groups using PowerShell

6 Comments

  1. Schools Out says:

    Thank you exactly what i needed 🙂

  2. Rahul Dixit says:

    Remove-MsolGroup : You cannot delete this group.
    At line:1 char:58
    + ... MsolGroup -SearchString "Nidd Transport EOL users" | Remove-MsolGroup
    +                                                          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Remove-MsolGroup], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.GroupDeletionNotAllowedException,Microsoft.Online.Administration.Automation.RemoveGroup

      1. In my case this error above occurred because I assigned licenses to the group members via that group. After deleting all licenses (Azure Active Directory) from that group I was able to delete that group via the Remove-MsolGroup command without errors.

        1. Thanks for this extra bit of info, worked like a charm after removing licenses.

  3. Is it possible to identify which groups are orphaned?
    I have the same problem after I ran "Disable-DistributionGroup" on AD security groups.
