Introduction to Entra ID Group Insights
Entra ID Group Insights is a new preview feature that appeared in the Entra administration center in early February 2026 without prior official announcement. It aims to give administrators an overview of group-management issues in their Microsoft 365 environment.
Preview Feature
Group Insights are currently available only in preview mode and require improvements before general availability.
Architecture and categorization of insights
The insights are organized into four main categories:
- Owners: Analysis of group governance
- Members: Statistics on group membership
- Lifecycle: Management of expiration and retention
- Security and Compliance: Application of security policies
Current interface limitations
One of the main weaknesses of this feature is that it displays GUIDs rather than group names. This significantly harms the user experience, as administrators generally don't speak "fluent GUID".
Usability Issue
Displaying GUID identifiers instead of group names significantly limits the practical utility of insights for administrators.
Programmatic data retrieval
Access via Graph API
Group Insights data is accessible via the identityAnalytics endpoint of the Microsoft Graph API. Here's how to retrieve this information:
```powershell
# Retrieve insights via Graph API
$Uri = "https://graph.microsoft.com/beta/reports/identityAnalytics/groups"
[array]$Data = Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject | Select-Object -ExpandProperty Value

# Display group properties
$Data[0]
```
Structure of returned data
Each entry in the array contains detailed information:
- tenantId: Tenant identifier
- calculatedDateTime: Date when insights were calculated
- createdDateTime: Date the group was created
- memberOwnerCount: Number of member owners
- guestOwnerCount: Number of guest owners
- transitiveUserCount: Total number of transitive users
- sensitivityLabelCount: Number of sensitivity labels applied
- assignedRoleCount: Number of assigned roles
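The fields above can be combined into a privilege-focused triage: groups that carry assigned roles but have no owner, a guest owner, or guest members. This is an added example, not code from the original article or from Microsoft; the function name `Get-GroupInsightFinding`, the finding wording, the 48-hour freshness threshold and the sample records are constructed, and the exact semantics of the beta endpoint's properties are assumed from their names.

```powershell
# Added example: function name, finding text and sample records are constructed.
function Get-GroupInsightFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$Insight,
        [int]$MaxAgeHours = 48,          # assumed freshness threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        # [int] casts turn a missing property ($null) into 0
        $owners = [int]$Insight.memberOwnerCount + [int]$Insight.guestOwnerCount +
                  [int]$Insight.servicePrincipalOwnerCount
        $hasRoles = [int]$Insight.assignedRoleCount -gt 0
        if ($hasRoles -and ($owners -eq 0)) { $findings.Add('Assigned roles but no owner of any kind') }
        if ($hasRoles -and ([int]$Insight.guestOwnerCount -gt 0)) { $findings.Add('Guest owner on a group with assigned roles') }
        if ($hasRoles -and ([int]$Insight.guestTransitiveUserCount -gt 0)) { $findings.Add('Guests are transitive members of a group with assigned roles') }
        # Compare in UTC so an old calculation is not read as current state
        if ($Insight.calculatedDateTime) {
            $age = $Now.ToUniversalTime() - ([datetime]$Insight.calculatedDateTime).ToUniversalTime()
            if ($age.TotalHours -gt $MaxAgeHours) { $findings.Add("Insight calculated $([int]$age.TotalHours) hours ago") }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ GroupId = $Insight.id; Findings = $findings -join '; ' }
        }
    }
}

# Constructed sample records with placeholder GUIDs (not tenant data)
$Sample = @(
    [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000001'
        calculatedDateTime = '2026-02-10T02:00:00Z'; assignedRoleCount = 2
        memberOwnerCount = 0; guestOwnerCount = 0; servicePrincipalOwnerCount = 0
        guestTransitiveUserCount = 0 }
    [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000002'
        calculatedDateTime = '2026-02-10T02:00:00Z'; assignedRoleCount = 1
        memberOwnerCount = 1; guestOwnerCount = 1; servicePrincipalOwnerCount = 0
        guestTransitiveUserCount = 3 }
    [pscustomobject]@{ id = '00000000-0000-0000-0000-000000000003'
        calculatedDateTime = '2026-02-01T02:00:00Z'; assignedRoleCount = 0
        memberOwnerCount = 2; guestOwnerCount = 0; servicePrincipalOwnerCount = 0
        guestTransitiveUserCount = 0 }
)
$Sample | Get-GroupInsightFinding -Now ([datetime]'2026-02-10T12:00:00Z') | Format-List
```

Against live data, pipe the array returned by the identityAnalytics request into the function and omit `-Now`.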
Creation of enriched custom reports
Advanced PowerShell script for group analysis
To overcome the limitations of the native interface, here's a script that enriches insights data:
```powershell
# Custom analysis script for Group Insights
function Get-EnhancedGroupInsights {
    param(
        [string]$OutputFormat = "HTML"
    )

    # Retrieve insights
    $Uri = "https://graph.microsoft.com/beta/reports/identityAnalytics/groups"
    $InsightsData = Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject | Select-Object -ExpandProperty Value

    # Retrieve detailed group information
    $EnrichedData = @()
    foreach ($Insight in $InsightsData) {
        $GroupDetails = Get-MgGroup -GroupId $Insight.id -Property "DisplayName,Description,CreatedDateTime"

        $EnrichedData += [PSCustomObject]@{
            GroupName           = $GroupDetails.DisplayName
            GroupId             = $Insight.id
            CreatedDate         = $Insight.createdDateTime
            MemberCount         = $Insight.transitiveUserCount
            OwnerCount          = $Insight.memberOwnerCount
            GuestCount          = $Insight.guestTransitiveUserCount
            HasSensitivityLabel = $Insight.sensitivityLabelCount -gt 0
            IsM365Group         = $Insight.isCloudM365Group
            IsDynamic           = $Insight.isDynamicGroup
        }
    }

    return $EnrichedData
}
```
PowerShell Environment Configuration
Install and configure the Microsoft Graph PowerShell module:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Group.Read.All", "Directory.Read.All"
```
Running the Analysis Script
Launch the script to obtain enriched insights:
```powershell
$Results = Get-EnhancedGroupInsights
$Results | Export-Csv -Path "GroupInsights.csv" -NoTypeInformation
```
Generating HTML Reports
Create a formatted HTML report with enriched data:
```powershell
$HtmlReport = $Results | ConvertTo-Html -Title "Entra ID Group Insights Report"
$HtmlReport | Out-File "GroupInsightsReport.html"
```
Comparative analysis of features
| Feature | Entra Interface | Custom Script |
|---|---|---|
| Display of names | No (GUID only) | Yes |
| Real-time data | No (daily processing) | Yes |
| Customization | Limited | Complete |
| Data export | No | CSV, HTML, Excel |
| In-depth analysis | Basic | Advanced |
Improvement perspectives
Expected evolutions
Microsoft will likely need to make several improvements before general availability:
- Identifier resolution: Display group names instead of GUIDs
- Contextual insights: Adaptation to specific tenant configurations
- Proactive alerts: Automatic notifications for critical issues
- PowerShell integration: Dedicated cmdlets for automation
Recommendation
While awaiting Microsoft improvements, develop your own analysis scripts to obtain actionable insights immediately.
Impact on group governance
Group Insights are part of a broader Microsoft 365 governance approach:
- Increased visibility over group usage
- Proactive identification of configuration issues
- License optimization through analysis of unused groups
- Enhanced security through anomaly detection
Practical PowerShell scripts
Identification of groups without owners
```powershell
# Detection of orphaned groups
# $InsightsData must hold the records returned by the identityAnalytics/groups endpoint
$OrphanGroups = $InsightsData | Where-Object { $_.memberOwnerCount -eq 0 -and $_.servicePrincipalOwnerCount -eq 0 }
foreach ($Group in $OrphanGroups) {
    # Resolve the GUID to a display name for the report line
    $GroupName = (Get-MgGroup -GroupId $Group.id).DisplayName
    Write-Output "Orphaned group detected: $GroupName ($($Group.id))"
}
```
Analysis of groups with external guests
```powershell
# Groups containing guest users
$GroupsWithGuests = $InsightsData | Where-Object { $_.guestTransitiveUserCount -gt 0 }
$GroupsWithGuests | Sort-Object guestTransitiveUserCount -Descending | Select-Object id, guestTransitiveUserCount
```
Sensitivity label compliance report
```powershell
# Groups without sensitivity label
$UnlabeledGroups = $InsightsData | Where-Object {
    $_.sensitivityLabelCount -eq 0 -and $_.isCloudM365Group -eq $true
}
Write-Output "Number of M365 groups without label: $($UnlabeledGroups.Count)"
```
Glossary of technical terms
Group Insights: Entra ID group analysis feature providing metrics on usage and governance.
IdentityAnalytics: Graph API endpoint allowing access to identity analysis data.
Transitive User Count: Total number of users with access to a group, including direct and indirect members.
Sensitivity Label: Data classification label applied to Microsoft 365 groups for information governance.
Dynamic Group: Group whose membership is automatically managed by rules based on user attributes.



