👥 Recipe · User & Group Management

List a User's Group Memberships in Entra ID via Microsoft Graph

Audit which security groups, Microsoft 365 groups, and directory roles a user belongs to

Complexity: Beginner

Impact: read-only, audit, access-review, low-risk

Context

Why This Matters

Knowing exactly which groups a user belongs to is foundational for access reviews, offboarding, troubleshooting permission issues, and license audits. In Entra ID (formerly Azure AD), a user's memberOf collection returns both group memberships (security groups, Microsoft 365 groups, distribution lists, dynamic groups) and directory role assignments in a single call.

Run this recipe when you need to:

  • Investigate why a user has (or lacks) access to a resource
  • Document group memberships before offboarding or role changes
  • Identify unexpected privileged role assignments
  • Verify dynamic group rules are assigning users correctly
  • Support compliance or access-review requirements

Expected Outcomes

After completing this recipe you will have:

  • A complete list of groups the target user belongs to, including display names, IDs, and descriptions
  • Visibility into any directory role assignments (e.g., Global Administrator, User Administrator)
  • A repeatable method (GUI, API, or PowerShell) for answering the same question for any user
  • Optionally, an exportable CSV of memberships for reporting or audit evidence

Risks & Considerations

Things to watch for

  • Direct vs transitive membership: /memberOf returns only direct memberships. Use /transitiveMemberOf to include nested group membership.
  • Mixed object types: The response contains both #microsoft.graph.group and #microsoft.graph.directoryRole objects. Filter by @odata.type if you only want groups.
  • Null display names: Directory roles often return null for displayName when the request uses $select. Remove the $select, or include displayName in the projection, to get role names.
  • Permissions: Reading another user's memberships requires at minimum GroupMember.Read.All or Directory.Read.All.
  • PII / least privilege: Group memberships can reveal organizational structure. Limit who can run these queries at scale.

Required Permissions

Permission                        Why It's Needed
User.Read.All                     Read the target user object to resolve UPN or object ID
GroupMember.Read.All              Read the groups a user is a member of
Directory.Read.All                Alternative broader permission; also returns directory role assignments
RoleManagement.Read.Directory     Read directory role details when resolving role names
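The PowerShell route for this recipe, as an added example that is not part of the original page: it uses the Microsoft Graph PowerShell SDK cmdlets Get-MgUserMemberOf and Get-MgUserTransitiveMemberOf to separate groups from directory roles by @odata.type, marks memberships that are reachable only through nesting, flags privileged roles, and exports a CSV. The privileged-role list and the CSV path are assumptions you should adjust for your tenant.

```powershell
# Added example (not from the original recipe). Assumes the Microsoft.Graph.Users
# module is installed and that the caller can consent to the read-only scopes below.
param(
    [Parameter(Mandatory)][string]$Upn,
    [string]$CsvPath = ".\memberships.csv"   # assumption: output location
)

# Assumption: which roles count as privileged is a tenant-specific decision;
# this list only names well-known built-in roles as a starting point.
$PrivilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator',
    'User Administrator', 'Security Administrator'
)

# Read-only scopes from the Required Permissions table.
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'Directory.Read.All' -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, UserPrincipalName

# Direct memberships only; -All follows @odata.nextLink across pages.
# No -Property projection here, so directory roles keep their displayName.
$directIds = @{}
foreach ($d in (Get-MgUserMemberOf -UserId $user.Id -All)) { $directIds[$d.Id] = $true }

# Transitive memberships add groups reached only through nested groups.
$transitive = Get-MgUserTransitiveMemberOf -UserId $user.Id -All

$rows = foreach ($obj in $transitive) {
    # Each result is a directoryObject; type-specific fields live in AdditionalProperties.
    $type   = $obj.AdditionalProperties['@odata.type']   # '#microsoft.graph.group' or '#microsoft.graph.directoryRole'
    $name   = $obj.AdditionalProperties['displayName']
    $isRole = $type -eq '#microsoft.graph.directoryRole'
    $how    = if ($directIds.ContainsKey($obj.Id)) { 'direct' } else { 'nested' }
    [pscustomobject]@{
        User        = $user.UserPrincipalName
        ObjectType  = $type -replace '^#microsoft\.graph\.', ''
        DisplayName = $name
        Id          = $obj.Id
        Description = $obj.AdditionalProperties['description']
        Membership  = $how
        Privileged  = $isRole -and ($PrivilegedRoles -contains $name)
    }
}

$rows | Sort-Object ObjectType, DisplayName | Format-Table -AutoSize
$rows | Where-Object Privileged | ForEach-Object { Write-Warning "Privileged role assigned: $($_.DisplayName)" }
$rows | Export-Csv -Path $CsvPath -NoTypeInformation   # audit evidence for access reviews
```

Run it as a script file, for example `.\Get-UserMemberships.ps1 -Upn alice@contoso.example`; rows marked "nested" are exactly the ones a plain /memberOf call would miss.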

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

List all group memberships and directory role assignments for {user} in Entra ID. Include both direct and transitive memberships, and flag any privileged roles.

For End Users

How an employee would ask Dex for help

Which distribution lists and Teams groups am I a member of?