How to remove users from multiple Azure AD Groups?


For my customer there were many Modern Team Sites in the tenant. These sites had 4 to 5 users present in the Owners group. These users were added when the sites were originally created by a automated script. But later these users were not needed and must be removed from the Azure AD owners group. The following is the step by step solution and script to remove the users from owners group.

Step by Step Solution

Step # 1 Install PnP.PowerShell and run following command.

# Change your tenant name
Register-PnPAzureADApp -ApplicationName "MyPnPApplication" -Tenant "" -Username -DeviceLogin

The above command will prompt you to provide the device code and user credentials. It will also create PFX and CER certificates in the folder.

You will need to consent to the required permission. The following dialog box will consent the app. Click on Approve.

This created an Azure AD application in your tenant with the permissions for “Group.readWrite.All”, “User.ReadWrite.All”, “AllSites.FullControl”, “Site.FullControl.All” & “User.ReadWrite.All”.

Step # 2

First, create a CSV file named “teamSites.CSV”. Put all the site urls for the team sites.


Now execute the following script, modify the users2Remove array according to your users information. The script will read the above CSV file and iterate over each site and remove the users from the Azure AD owners group.

$Users2Remove = (

$ClientId = "7c244c08-9875-4ffe-b39d-34f9b6853f6b"
$Tenant = "" # replace your tenant name

Import-Csv C:\Contoso\teamSites.CSV | 
    ForEach-Object {
            $newSiteUrl = $_.SiteURL
            $newSiteConn = Connect-PnPOnline -ClientId $ClientId -Url $newSiteUrl -Tenant $tenant -CertificatePath 'MyPnPApplication.pfx' -ReturnConnection

            $splitedSiteUrls = $newSiteUrl -split "/"

            $relativeUrl = $splitedSiteUrls[$splitedSiteUrls.Length - 1]

            $owners = Get-PnPAzureADGroupOwner -Identity $relativeUrl 

            foreach($owner in $owners)  
                if ($owner.UserPrincipalName.Length -gt 0 ) 
                    if ( ( $Users2Remove -contains  $owner.UserPrincipalName ) -eq $true )
                        Remove-PnPAzureADGroupOwner -Identity $relativeUrl -Users $owner.UserPrincipalName
            $ErrorMessage = $_.Exception |  Out-String
            Write-Host $("Exception {0}" -f $ErrorMessage);
            Write-Host $("Disconnecting to {0}" -f $newSiteUrl);
            Disconnect-PnPOnline -Connection $newSiteConn
            Write-Host $("Disconnected to {0}" -f $newSiteUrl);


The above script is an automated ways to remove the users from the owners group from multiple team sites.

About Pankaj

I am a Developer and my linked profile is
This entry was posted in PnP.PowerShell. Bookmark the permalink.

1 Response to How to remove users from multiple Azure AD Groups?

  1. Pingback: How to remove SCA users from Site Collection Admins? | Pankaj Surti's Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s