👥 Recipe · User & Group Management

Remove a User from a Microsoft 365 / Entra ID Group

Revoke group membership cleanly across GUI, Graph API, and PowerShell

Complexity: Beginner

Impact: access-control + offboarding + group-management + least-privilege

Context

Why This Matters

Group membership in Microsoft 365 / Entra ID drives access to shared mailboxes, Teams, SharePoint sites, licenses (via group-based licensing), and Conditional Access policy scope. When a user changes roles, leaves a team, or is offboarded from a specific business function, removing them from the appropriate group is a standard access-hygiene task.

This recipe covers removing a single user from a single group, the most common helpdesk request. It applies equally to security groups, Microsoft 365 groups, and mail-enabled security groups. It does not cover dynamic groups (membership there is rule-based and cannot be edited directly) or on-premises-synced groups (those must be edited in on-prem Active Directory).

Expected Outcomes

  • The specified user is no longer a member of the specified group.
  • Any group-delivered access (shared resources, licenses assigned via group, CA policy scope) is revoked on the next token refresh.
  • An audit trail entry exists in the Entra audit log showing who performed the removal and when.

Risks & Considerations

Before you remove

  • Confirm the group source. If the group is synced from on-premises AD (onPremisesSyncEnabled = true), the change must be made in AD; cloud-side removals will be overwritten at the next sync cycle.
  • Dynamic groups cannot be edited manually. If the group has a membership rule, you must change the user's attributes (e.g., department) so they no longer match the rule.
  • Group-based licensing. If the group assigns a license, removing the user may immediately revoke that license. Confirm the user has alternate license coverage if they still need the service.
  • Last owner rule. For Microsoft 365 groups, do not remove the only remaining owner without assigning a replacement; otherwise the group becomes unmanaged.
  • Token latency. Access revocation is not instantaneous. Existing tokens remain valid for up to an hour. For urgent revocation (e.g., termination), also revoke the user's refresh tokens.

Required Permissions

Permission                    Why It's Needed
GroupMember.ReadWrite.All     Required to remove members from Entra ID groups via Microsoft Graph.
Group.ReadWrite.All           Alternative, higher-scope permission covering full group management.
Groups Administrator (role)   Least-privilege Entra role for admins performing group membership changes in the portal.
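The checks in "Before you remove" and the least-privilege scopes in the permissions table, carried through end to end as an added example. This is not the recipe's own code and not Dex's; it is a stand-alone script for the Microsoft Graph PowerShell SDK. The parameter names, the -Urgent switch, and the Test-DirectMember helper are this example's own; the group name and UPN are supplied by the caller.

```powershell
# Added example (not from the recipe or from Dex): remove one user from one
# cloud-managed Entra ID group with the Microsoft Graph PowerShell SDK, running
# the "Before you remove" checks first and verifying the result afterwards.
# Assumed inputs: a group display name and a user principal name.
param(
    [Parameter(Mandatory)] [string] $GroupName,
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $Urgent   # also revoke the user's refresh tokens (e.g. termination)
)

# Least-privilege delegated scopes for this task (Group.ReadWrite.All is not needed).
# User.RevokeSessions.All is only requested when -Urgent is used.
$scopes = @('GroupMember.ReadWrite.All', 'User.Read.All')
if ($Urgent) { $scopes += 'User.RevokeSessions.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Resolve the group; double any single quote so the OData filter stays well-formed.
$safeName = $GroupName -replace "'", "''"
$group = @(Get-MgGroup -Filter "displayName eq '$safeName'" `
    -Property id,displayName,groupTypes,membershipRule,onPremisesSyncEnabled,assignedLicenses)
if ($group.Count -eq 0) { throw "Group '$GroupName' not found." }
if ($group.Count -gt 1) { throw "Several groups are named '$GroupName'; use the object ID instead." }
$group = $group[0]

# Check 1: on-prem synced groups must be edited in AD, or the next sync undoes the change.
if ($group.OnPremisesSyncEnabled) {
    throw "'$($group.DisplayName)' is synced from on-premises AD; remove the member in AD instead."
}
# Check 2: dynamic membership is rule-based and cannot be edited directly.
if ($group.GroupTypes -contains 'DynamicMembership') {
    throw "'$($group.DisplayName)' is dynamic (rule: $($group.MembershipRule)); change the user's attributes instead."
}
# Check 3: group-based licensing; surface it so alternate coverage can be confirmed first.
if ($group.AssignedLicenses.Count -gt 0) {
    Write-Warning "'$($group.DisplayName)' assigns $($group.AssignedLicenses.Count) license(s); the user may lose them."
}

$user = Get-MgUser -UserId $UserPrincipalName -Property id,userPrincipalName

# Check 4: never remove the last owner of a Microsoft 365 (Unified) group.
if ($group.GroupTypes -contains 'Unified') {
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)
    if ($owners.Count -eq 1 -and $owners[0].Id -eq $user.Id) {
        throw "$UserPrincipalName is the only owner of '$($group.DisplayName)'; assign another owner first."
    }
}

# Helper (this example's own): is the user currently a direct member?
function Test-DirectMember {
    param([string] $GroupId, [string] $UserId)
    $null -ne (Get-MgGroupMember -GroupId $GroupId -All | Where-Object { $_.Id -eq $UserId })
}

if (-not (Test-DirectMember -GroupId $group.Id -UserId $user.Id)) {
    Write-Host "$UserPrincipalName is not a direct member of '$($group.DisplayName)'; nothing to do."
    return
}

# Perform the removal (DELETE /groups/{id}/members/{id}/$ref in Microsoft Graph).
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id

# Verify rather than assume the removal took effect.
if (Test-DirectMember -GroupId $group.Id -UserId $user.Id) {
    throw "Removal did not take effect; check the Entra audit log for the failed operation."
}
Write-Host "Removed $UserPrincipalName from '$($group.DisplayName)'."

# Token latency: group claims in already-issued tokens stay valid until they expire
# (up to an hour). For urgent cases, invalidate refresh tokens so the next token
# request reflects the new membership.
if ($Urgent) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Host "Refresh tokens revoked; existing access tokens still expire on their own schedule."
}
```

Run it as, for instance, `.\Remove-GroupMember.ps1 -GroupName 'Finance' -UserPrincipalName 'jdoe@contoso.com'` (constructed sample values). The script refuses to act on synced or dynamic groups instead of making a change that the next sync cycle or rule evaluation would silently reverse, and it re-reads membership after the removal so the "Expected Outcomes" above are confirmed rather than assumed. The removal itself is recorded in the Entra audit log under the group's activity entries, which gives the audit trail the recipe calls for.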

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Remove {user} from the "{group_name}" group in Entra ID. Confirm the group is cloud-managed (not on-prem synced or dynamic), perform the removal, and verify the user no longer appears in the group's membership.

For End Users

How an employee would ask Dex for help

I shouldn't have access to the {group_name} team anymore — can you take me off that list?