Generate an Organization Tree Map and Entity List via Microsoft Graph

Understanding an organization's structure is foundational to governance, onboarding, access reviews, and communications planning. While Microsoft 365 stores rich organizational data — user profiles, manager relationships, departments, and group memberships — there is no built-in admin view that presents a complete hierarchical tree alongside an entity inventory.

This recipe walks through generating that view programmatically by combining data from /users, /users/{id}/manager, and /groups in Microsoft Graph. The result is a visual reporting-line tree plus a consolidated list of departments and groups that exist in the tenant.

When to run this recipe

• During annual access reviews or governance audits
• Before a reorganization, merger, or acquisition
• When onboarding new HR or IT leadership who need to understand the org
• As part of a readiness assessment for Conditional Access, Sensitivity Labels, or lifecycle workflows that depend on department/manager attributes
• To detect data quality issues (missing managers, missing departments, orphaned users)

After completing this recipe you will have:

• A hierarchical ASCII/text tree showing every reporting chain in the tenant, starting from users with no manager (CEOs, contractors, service accounts)
• A complete list of departments with employee counts per department
• An inventory of all Microsoft 365 Groups and Security Groups, including descriptions and type
• Summary statistics: total users, top-level managers, department count, group count
• A downloadable organization-map.txt report suitable for sharing with HR, leadership, or auditors

You can feed the same data into Visio, Mermaid diagrams, or BI tools for richer visualizations.

Data accuracy

• The tree is only as good as the manager attribute in Entra ID. Many tenants have incomplete manager data — users without managers will appear as roots, producing a flat-looking tree.
• Users with department left blank will be grouped under "No Department".
• Guest users (userType = Guest) are included by default. Filter them out if you only want employees.

Performance and throttling

• Fetching manager relationships requires one API call per user. For tenants with 10,000+ users, batch requests or use $expand=manager to reduce call volume.
• Microsoft Graph throttles at roughly 10,000 requests / 10 minutes per app per tenant. Implement retry with exponential backoff on HTTP 429.

Privacy and handling

• The output contains PII (names, titles, email addresses, reporting lines). Treat the file as confidential and store it only in approved locations.
• Do not email the raw report externally — it can reveal sensitive org structure to attackers for spear-phishing.

Do not

• Do not mutate user or group data from this recipe — it is read-only by design.
• Do not rely on the tree for compliance attestations without validating manager data against HRIS first.