๐Ÿ›๏ธ Recipe ยท Microsoft 365 Governance

Audit Entra ID Groups and Distribution Lists: Find Duplicates, Empty, and Inactive Groups

Identify redundant, empty, and stale groups/DLs across Entra ID and Exchange Online to improve governance and reduce clutter

Complexity

Intermediate

Impact

governance + cleanup + reporting + access-management

Context

Why This Matters

Why audit your groups and distribution lists?

Over time, Microsoft 365 tenants accumulate a large number of Entra ID security groups, Microsoft 365 groups, and Exchange distribution lists (DLs). Many of these are created for short-term projects, departing teams, or ad-hoc needs, and then forgotten. The result is group sprawl: duplicate groups with confusing names, empty groups that still appear in address books, and inactive DLs that receive mail nobody reads.

Running a periodic audit helps you:

  • Identify duplicates (same or near-identical display name) that confuse end users and cause wrong-group mailings.
  • Find empty groups with zero members, often leftover from failed provisioning or deleted teams.
  • Flag inactive groups (no email, SharePoint, or Yammer activity in 60+ days) for archiving or deletion.

Run this audit quarterly, or before any tenant cleanup, license renegotiation, or migration project.

Expected Outcomes

What you'll have at the end

  • A full inventory of all groups in the tenant (Entra ID security, Microsoft 365 Unified, and mail-enabled/DLs) with display name, primary SMTP, type, and ID.
  • A list of duplicate display names (case-insensitive) with all matching group IDs.
  • A list of empty groups (member count = 0).
  • A list of inactive Microsoft 365 groups: no recorded activity in the last 60 days.
  • An exportable CSV report suitable for review with business owners before deletion.

Risks & Considerations

Warnings and gotchas

  • Do not delete groups immediately. Always confirm with the business owner before removing: some groups are used once a year (audit, compliance, year-end) and may appear inactive.
  • Report anonymization: By default, the tenant report setting displayConcealedNames is true, which masks group names in usage reports. Temporarily disabling it makes the audit usable, but always restore it afterwards to comply with your privacy policy.
  • Distribution Lists (classic Exchange DLs) are not fully represented in the Microsoft 365 Groups activity report. For pure Exchange DLs, message-trace data (Exchange Online PowerShell) is required to confirm real inactivity.
  • Security groups with no members may still be referenced in Conditional Access policies, SharePoint permissions, or app role assignments; deletion can break access. Always check references before removing.
  • Dynamic groups may temporarily have 0 members if the rule returns no match; do not treat these the same as static empty groups.
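The three checks above, including the separate handling of dynamic groups, can be sketched as follows. This is an added example, not code from the original page: the sample records are constructed, and memberCount and lastActivityDate are assumed fields merged in from member enumeration and the activity report (id, displayName and groupTypes follow the Microsoft Graph group object).

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory (not real tenant data). Each record mirrors the
# Graph group fields id/displayName/groupTypes, with memberCount and
# lastActivityDate as assumed fields merged in from member and activity data.
GROUPS = [
    {"id": "g1", "displayName": "Finance Team", "groupTypes": ["Unified"],
     "memberCount": 12, "lastActivityDate": "2024-06-20"},
    {"id": "g2", "displayName": "finance team", "groupTypes": [],
     "memberCount": 3, "lastActivityDate": None},
    {"id": "g3", "displayName": "Project Apollo", "groupTypes": ["Unified"],
     "memberCount": 0, "lastActivityDate": "2024-01-15"},
    {"id": "g4", "displayName": "Contractors", "groupTypes": ["DynamicMembership"],
     "memberCount": 0, "lastActivityDate": None},
    {"id": "g5", "displayName": "Year-End Audit", "groupTypes": ["Unified"],
     "memberCount": 5, "lastActivityDate": None},
]

def audit_groups(groups, today, inactive_days=60):
    """Return duplicate, empty, dynamic-empty and inactive findings by group ID."""
    by_name = defaultdict(list)
    for g in groups:
        # Case-insensitive match; surrounding whitespace is ignored as well.
        by_name[g["displayName"].strip().casefold()].append(g["id"])
    cutoff = today - timedelta(days=inactive_days)
    report = {"duplicates": {n: ids for n, ids in by_name.items() if len(ids) > 1},
              "empty": [], "dynamic_empty": [], "inactive": []}
    for g in groups:
        types = g.get("groupTypes") or []
        if g["memberCount"] == 0:
            # A dynamic group whose rule matches nobody is reported separately.
            key = "dynamic_empty" if "DynamicMembership" in types else "empty"
            report[key].append(g["id"])
        if "Unified" in types:
            # Only Microsoft 365 groups are covered by the activity data;
            # classic DLs need message-trace evidence instead.
            last = g.get("lastActivityDate")
            if last is None or date.fromisoformat(last) < cutoff:
                report["inactive"].append(g["id"])
    return report

if __name__ == "__main__":
    for category, findings in audit_groups(GROUPS, today=date(2024, 7, 1)).items():
        print(category, findings)
```

A group such as g5, which has members but no recorded activity, lands in the inactive list and is exactly the once-a-year case that needs owner confirmation before any removal.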

Required Permissions

| Permission | Why It's Needed |
| --- | --- |
| Group.Read.All | List all groups and enumerate members to detect empty groups |
| Directory.Read.All | Read group type, mail-enabled, and security-enabled properties across the directory |
| Reports.Read.All | Read Microsoft 365 Groups activity usage reports to detect inactivity |
| ReportSettings.ReadWrite.All | Temporarily disable report anonymization so groups appear by name in activity reports |

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Audit all Entra ID groups and Exchange distribution lists in our tenant. Identify (1) duplicates by display name, (2) groups with zero members, and (3) Microsoft 365 groups with no activity in the last {inactive_days} days. Produce a CSV report for each category and recommend which ones are safe to delete.