Group Governance
How IdentityOps evaluates security group hygiene, surfaces ownership gaps, and detects governance issues across your Entra tenant.
Applies to: Starter+ · Module: Group Governance
Group Governance is available on the Starter plan and above. Free plan users can upgrade in Settings → Billing.
What the Groups page shows
The Groups page lists every security group in your tenant. Each group is assigned a hygiene score from 0 to 100 and categorized into Critical, Warning, or Healthy levels based on governance signals detected during scanning.
Data collected for each group includes display name, description, group type (security, Microsoft 365, distribution), membership rules for dynamic groups, member count, owner count, and the full membership list with member types (users, nested groups, service principals, devices).
Hygiene scoring
Every group receives a hygiene score from 0 to 100 based on multiple governance signals. Groups with more violations receive higher scores (worse hygiene). The score is deterministic and recalculated with each scan.
| Level | Meaning |
|---|---|
| CRITICAL | Multiple governance failures. Ownerless groups with critical role assignments, zombie groups, or service principal members. |
| WARNING | One or more hygiene signals that should be reviewed. Empty groups, missing descriptions, or naming violations. |
| HEALTHY | No hygiene issues detected. Group is well-maintained with owners, members, and proper naming. |
Hygiene signals
These are the individual governance issues that IdentityOps detects for each group. Multiple signals can apply to a single group, and each contributes to the overall hygiene score.
Ownerless (critical): Group has no owners and is actively used or has role assignments. Nobody is accountable for membership changes.
Ownerless (low-risk): Group has no owners but is empty or has minimal usage. Lower urgency, but should still be addressed.
Zombie group: Empty group with governance signals (naming conventions, descriptions) suggesting it once served a purpose but has been abandoned.
Empty group: Group has zero members. May be unused or misconfigured.
Excessive members: Group has an unusually high member count, which can indicate overly broad access grants.
Nested groups: Group contains other groups as members, creating indirect access chains that are difficult to audit.
Service principal members: Non-human identities (service principals) are members of the group, which may indicate unintended access grants.
Naming violation: Group name does not follow your organization’s naming conventions, making it harder to identify purpose and ownership.
No description: Group has no description set, reducing discoverability and making it harder for others to understand the group’s purpose.
Owner state classification
IdentityOps classifies each group's ownership into one of four states. This is more nuanced than a simple “has owners / doesn't have owners” check — it considers group usage, size, and role assignments to determine urgency.
1. Owned: Group has one or more assigned owners who are accountable for membership and governance.
2. Unowned (critical): No owners assigned and the group is actively used, has role assignments, or contains sensitive members. Requires immediate attention.
3. Unowned (low-risk): No owners assigned but the group is empty or has minimal usage. Should be reviewed but is lower priority.
4. System-managed: Group is managed by Microsoft or a system process. Owner assignment is not applicable.
View modes
The Groups page offers two view modes:
Simple view: Groups are organized by hygiene level (Critical, Warning, Healthy) with a risk queue showing the top 10 groups that need attention first.
Advanced view: Full table view with all groups, sortable columns, and detailed metadata. Useful for bulk review and export.
Actions you can take
IdentityOps is read-only — it never writes to your tenant. Actions either link you to the right place in Entra or help you triage within IdentityOps.
Filter by hygiene level: Quickly surface Critical or Warning groups that need attention first.
Search by name: Find specific groups by name across your entire tenant inventory.
Expand for details: Click any group to see its full hygiene signal list, membership breakdown, owners, and recommended actions.
Open in Entra: Jump directly to the group in the Entra Admin Center to make changes like assigning owners or updating membership.
IdentityOps Recommendation
Start with ownerless groups that have role assignments. These are your highest-risk governance gaps — they grant access without anyone accountable for who's in them.