Cross-Group Membership Report

Overview

A scheduled cloud flow that produces a weekly user x Office 365 Group membership matrix as a CSV file in SharePoint. Each row of the export represents one user-to-group relationship, so a single user appearing in five groups produces five rows. Open the CSV in Excel and pivot, filter, or join against your license inventory to drive license reclamation, access reviews, and cleanup of stale group memberships.

The flow runs automatically every Monday at 06:00 UTC, enumerates all Microsoft 365 groups in the tenant, walks each group's membership, writes a single timestamped CSV file to a configurable SharePoint folder, and emails a summary of the run (groups enumerated, total memberships, file name) to the configured recipient.

Use Case

This flow turns Microsoft 365 group membership into a flat, analyzable CSV so admins can run access reviews, license optimization passes, joiner/mover/leaver audits, HR org-chart reconciliation, and compliance evidence collection without manually exporting from the admin center each time.

The flow is ideal for teams that:

• Quarterly access reviews — pivot the CSV by Group Name to validate every member belongs in every group
• License optimization — join Group ID against your Azure AD licensing groups to find users in licensed groups who haven't logged in
• Joiner / Mover / Leaver audits — diff this week's CSV against last week's to catch unexpected adds or drops
• HR or department reorg validation — filter by group naming convention to confirm department membership matches the latest org chart
• Compliance evidence — drop the weekly CSVs into a retention-protected library for a point-in-time record of group access

Flow Architecture

Environment Variables

Connectors & Connections

Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.

Customization Guide

Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.

Deploy to your tenant

Import the solution package, then point each environment variable at your own values: SharePoint site root, server-relative report folder, notification mailbox, and the max-groups cap. Authorize the three connection references with a service account that holds Group.Read.All (Microsoft Graph) plus write permission to the report folder, then turn the flow On.

Run more often

In the Recurrence trigger, change frequency to Day or Hour and remove the weekDays parameter.

Filter to security/mail-enabled groups only

Add $filter: securityEnabled eq true and mailEnabled eq true as a parameter on the List All Groups action.

Filter to a single group prefix

Add $filter: startswith(displayName, 'dept-') to List All Groups — useful for narrow audits scoped to one naming convention.

Add columns to the CSV

Append fields to Init varCsvHeader and to the Append Member Row To Csv expression. The Graph members payload exposes jobTitle, department, accountEnabled, and more.

Write to Excel instead of CSV

Replace Save Csv To SharePoint with Excel Online AddRowToTable and remove the Init varCsvHeader / Init varCsvRows steps. Requires a pre-existing .xlsx with a defined Table.

Email the CSV as an attachment

Add an emailMessage/Attachments

Key Expressions

The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.

int(parameters('flowlibs_GroupMembershipMaxGroups'))

concat('Cross-Group-Membership-', formatDateTime(utcNow(), 'yyyyMMdd-HHmm'), '.csv')

replace(coalesce(items('For_Each_Member')?['displayName'], ''), '"', '""')

concat(variables('varCsvHeader'), variables('varCsvRows'))

variables('varMaxGroups')

items('For_Each_Group')?['id']