all_groups.py script allows to enumerate all Microsoft 365 Groups in a Azure AD tenant with their metadata:
- visibility: public or private
- email address
- Teams enabled?
- SharePoint URL (e.g. for Teams shared files)
All of this, even for private Groups! Read more about this on my blog article “Risks of Microsoft Teams and Microsoft 365 Groups”
reporting.py script will take the JSON output from
all_groups.py and generates a CSV files allowing to quickly identify sensitive private or public groups.
- Download the repository
- Install requirements with
pip install -r requirements.txt
You will need a valid account on the tenant. Different authentication methods are supported:
- via login + password (MFA not supported)
python all_groups.py -u firstname.lastname@example.org -p MyPassw0rd
- via device authentication, which supports MFA via the browser. Launch then follow instructions
python all_groups.py --device-code
Other methods are also offered. You can read the ROADTools documentation or run the script without any argument to get help.
That’s all, you don’t need more options! The script output will be in
all_groups.json in the current directory.
Then, if you want a nicer and more concise output from this JSON, use
reporting.py to transform it:
It automatically takes
all_groups.json in the current directory, and outputs to
all_groups.csv in the same directory.
This is only an educational purposes only I am not responsible for further activities
Join my forum and learn more ethical hacking and penetration testing
Get me at