Delete User From Group
Removes a user from a group in Azure Active Directory.
Common Properties
- Name - The custom name of the node.
- Color - The custom color of the node.
- Delay Before (sec) - Waits in seconds before executing the node.
- Delay After (sec) - Waits in seconds after executing the node.
- Continue On Error - Automation will continue regardless of any error. The default value is false.
If the ContinueOnError property is true, no error is caught when the project is executed, even if a Catch node is used.
Inputs
- Access Id - The access ID from the Connect node. Optional if using direct credentials.
- Group Object Id - Group object ID of the target group. Example: 12345678-1234-1234-1234-123456789012
- User Id - User ID (object ID) of the user to remove from the group. Must be the object ID, not email address.
Options
Direct Credentials (optional - alternative to using Connect node):
- Tenant Id - Azure AD tenant ID (optional if using Access ID)
- Client Id - Azure AD application client ID (optional if using Access ID)
- Client Secret - Azure AD application client secret credential (optional if using Access ID)
Output
- Result - Operation result message, typically "Deleted Successfully." if the operation succeeded.
How It Works
The Delete User From Group node:
- Authenticates using either the access ID or direct credentials
- Sends a DELETE request to Microsoft Graph API to remove the member
- Azure AD removes the user from the group
- Returns a success message
You must use the user's object ID (GUID), not the user principal name (email). Use Get User to get the object ID from an email address.
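The request described in the steps above, as an added example (not the node's own code): it builds the Microsoft Graph DELETE call on /groups/{group-id}/members/{user-id}/$ref, rejects an email passed where an object ID is required, and maps the response status to an outcome the flow can act on. The function names, the outcome labels, the reading of 404 as "not a member" and the 5-second fallback wait are assumptions of this example.

```javascript
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the DELETE request. Anything that is not an object ID (GUID), such as
// a UPN/email, is rejected before it reaches the API.
function buildRemoveRequest(groupId, userId, token) {
  for (const [name, value] of [["Group Object Id", groupId], ["User Id", userId]]) {
    if (!value) throw new Error(name + " cannot be empty");
    if (!GUID.test(value)) throw new Error(name + " must be an object ID (GUID)");
  }
  return {
    method: "DELETE",
    url: "https://graph.microsoft.com/v1.0/groups/" + groupId +
         "/members/" + userId + "/$ref",
    headers: { Authorization: "Bearer " + token },
  };
}

// Map the HTTP status to an outcome.
// Assumption: 404 is read as "not a member". Graph uses the same status for a
// missing group or user, so verify both exist before relying on this.
function classifyResponse(status, retryAfterHeader) {
  if (status === 204) return { outcome: "removed", retry: false };
  if (status === 404) return { outcome: "not_member", retry: false };
  if (status === 429 || status === 503) {
    // Honour Retry-After when present; 5 seconds is this example's fallback.
    const secs = Number.parseInt(retryAfterHeader, 10);
    return { outcome: "throttled", retry: true, waitSec: Number.isNaN(secs) ? 5 : secs };
  }
  if (status === 401 || status === 403) return { outcome: "denied", retry: false };
  return { outcome: "error", retry: false };
}

// Thin wrapper; fetchFn is injected (for example the global fetch in Node 18+).
async function removeMember(fetchFn, groupId, userId, token) {
  const req = buildRemoveRequest(groupId, userId, token);
  const res = await fetchFn(req.url, { method: req.method, headers: req.headers });
  const result = classifyResponse(res.status, res.headers.get("Retry-After"));
  // Audit record: what was removed from where, and the result. Never log the token.
  return { ...result, groupId, userId, status: res.status, at: new Date().toISOString() };
}
```

Treating "not_member" as a successful end state makes bulk and offboarding flows safe to re-run, while "denied" and "error" should stop the flow rather than be swallowed by a catch.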
Examples
Remove User from Group
Remove a user from a group using object IDs:
// Using Connect node
access_id = message.access_id
group_object_id = "12345678-1234-1234-1234-123456789012"
user_id = "abcdef12-3456-7890-abcd-ef1234567890"
// Delete User From Group node executes
// Output
result = "Deleted Successfully."
Remove User by Email
Get user object ID from email, then remove from group:
access_id = message.access_id
user_email = "john.doe@contoso.onmicrosoft.com"
group_id = "12345678-1234-1234-1234-123456789012"
// Step 1: Get user object ID
// Get User node
// User Id: user_email
user_object_id = result.id
// Step 2: Remove from group
// Delete User From Group node
// Group Object Id: group_id
// User Id: user_object_id
console.log("Removed " + user_email + " from group")
Remove Multiple Users from Group
Remove several users from the same group:
group_id = "12345678-1234-1234-1234-123456789012"
// User emails to remove
user_emails = [
  "user1@contoso.onmicrosoft.com",
  "user2@contoso.onmicrosoft.com",
  "user3@contoso.onmicrosoft.com"
]
removed_users = []
failed_users = []
// Loop through users
for (email of user_emails) {
  try {
    // Get user object ID
    // Get User node
    // User Id: email
    user_obj_id = result.id
    // Remove from group
    // Delete User From Group node
    // Group Object Id: group_id
    // User Id: user_obj_id
    removed_users.push(email)
    console.log("Removed: " + email)
    // Delay between removals
    // Wait 0.5 seconds
  } catch (error) {
    failed_users.push({email: email, error: error.message})
    console.log("Failed: " + email)
  }
}
console.log("Removed: " + removed_users.length)
console.log("Failed: " + failed_users.length)
Remove User from Multiple Groups
Remove a single user from multiple groups:
user_email = "john.doe@contoso.onmicrosoft.com"
// Get user object ID first
// Get User node
// User Id: user_email
user_obj_id = result.id
// Groups to remove user from
group_ids = [
  "12345678-1234-1234-1234-123456789012",
  "abcdef12-3456-7890-abcd-ef1234567890",
  "fedcba98-7654-3210-fedc-ba9876543210"
]
// Remove from each group
for (group_id of group_ids) {
  try {
    // Delete User From Group node
    // Group Object Id: group_id
    // User Id: user_obj_id
    console.log("Removed from group: " + group_id)
    // Delay
    // Wait 0.5 seconds
  } catch (error) {
    console.log("Failed for group: " + group_id)
  }
}
Offboarding Automation
Remove departing employee from all groups:
// Departing employee
departing_email = "leaving.employee@contoso.onmicrosoft.com"
// Get user object ID
// Get User node
// User Id: departing_email
user_obj_id = result.id
// Get all user's groups
// You might need to query user's memberOf or list all groups and check membership
// For this example, remove from known groups
offboarding_groups = [
  "all-employees-group-id",
  "department-group-id",
  "project-team-group-id"
]
console.log("Offboarding user from " + offboarding_groups.length + " groups")
// Remove from each group
for (group_id of offboarding_groups) {
  try {
    // Delete User From Group node
    // Group Object Id: group_id
    // User Id: user_obj_id
    console.log("Removed from group: " + group_id)
  } catch (error) {
    console.log("Not a member or error: " + group_id)
  }
}
console.log("Offboarding complete")
Clean Up Group Membership
Remove users who shouldn't be in a group:
group_id = "12345678-1234-1234-1234-123456789012"
// Authorized members
authorized_emails = [
  "authorized1@contoso.onmicrosoft.com",
  "authorized2@contoso.onmicrosoft.com"
]
// Get authorized user IDs
authorized_ids = []
for (email of authorized_emails) {
  // Get User node
  // User Id: email
  authorized_ids.push(result.id)
}
// List Group Members node
// Group Object Id: group_id
// Find unauthorized members
for (member of result.value) {
  if (member["@odata.type"] === "#microsoft.graph.user") {
    if (!authorized_ids.includes(member.id)) {
      // Delete User From Group node
      // Group Object Id: group_id
      // User Id: member.id
      console.log("Removed unauthorized user: " + member.userPrincipalName)
    }
  }
}
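The decision step of the clean-up flow above, as an added example (not part of the original page or the node): it plans the removals before any Delete User From Group call runs and stops when the allow list is incomplete, because an authorized user whose Get User lookup failed would otherwise be treated as unauthorized. planRemovals, the lookups shape and the maxRemovals limit are hypothetical names and parameters; the sample data is constructed.

```javascript
// lookups: one { email, id } per authorized email; id is null when the
// Get User lookup failed. maxRemovals is a hypothetical safety limit.
function planRemovals(members, lookups, maxRemovals) {
  const unresolved = lookups.filter((l) => !l.id).map((l) => l.email);
  // An authorized user whose ID is missing would look unauthorized and be
  // removed; an empty allow list would strip every user. Stop in both cases.
  if (lookups.length === 0 || unresolved.length > 0) {
    return { abort: "allow list incomplete", unresolved, remove: [], skipped: [] };
  }
  // Compare GUIDs case-insensitively.
  const allowed = new Set(lookups.map((l) => l.id.toLowerCase()));
  const remove = [];
  const skipped = [];
  for (const m of members) {
    // Only user objects are candidates; nested groups, devices and service
    // principals are left alone and reported.
    if (m["@odata.type"] !== "#microsoft.graph.user") { skipped.push(m.id); continue; }
    if (!allowed.has(m.id.toLowerCase())) remove.push({ id: m.id, upn: m.userPrincipalName });
  }
  // A plan that removes more than expected goes to a human instead of running.
  if (remove.length > maxRemovals) {
    return { abort: "removal count exceeds limit", unresolved, remove, skipped };
  }
  return { abort: null, unresolved, remove, skipped };
}

// Constructed sample data (not real tenant objects).
const SAMPLE_MEMBERS = [
  { "@odata.type": "#microsoft.graph.user", id: "AAAAAAAA-0000-0000-0000-000000000001",
    userPrincipalName: "authorized1@contoso.onmicrosoft.com" },
  { "@odata.type": "#microsoft.graph.user", id: "aaaaaaaa-0000-0000-0000-000000000003",
    userPrincipalName: "stale@contoso.onmicrosoft.com" },
  { "@odata.type": "#microsoft.graph.group", id: "aaaaaaaa-0000-0000-0000-000000000009" },
];
const SAMPLE_LOOKUPS = [
  { email: "authorized1@contoso.onmicrosoft.com", id: "aaaaaaaa-0000-0000-0000-000000000001" },
  { email: "authorized2@contoso.onmicrosoft.com", id: "aaaaaaaa-0000-0000-0000-000000000002" },
];

console.log(planRemovals(SAMPLE_MEMBERS, SAMPLE_LOOKUPS, 5));
```

Log the returned plan before acting on it, and run the removals only when abort is null.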
Conditional Removal Based on User Properties
Remove users from group based on department change:
group_id = "engineering-group-id"
// List Group Members node
// Group Object Id: group_id
// Check each member
for (member of result.value) {
  if (member["@odata.type"] === "#microsoft.graph.user") {
    // Get full user details
    // Get User node
    // User Id: member.id
    // Check if user still belongs in engineering
    if (result.department !== "Engineering") {
      // Delete User From Group node
      // Group Object Id: group_id
      // User Id: member.id
      console.log("Removed " + result.displayName + " (moved to " + result.department + ")")
    }
  }
}
Remove from Group Before Deletion
Clean up group memberships before deleting a user:
user_email = "to.delete@contoso.onmicrosoft.com"
// Get user object ID
// Get User node
// User Id: user_email
user_obj_id = result.id
// List of groups (or query user's memberOf)
groups_to_check = [
  "group-id-1",
  "group-id-2",
  "group-id-3"
]
// Remove from all groups
for (group_id of groups_to_check) {
  try {
    // Delete User From Group node
    // Group Object Id: group_id
    // User Id: user_obj_id
    console.log("Removed from group: " + group_id)
  } catch (error) {
    // User might not be a member, continue
  }
}
// Now safe to delete user
// Delete User node
// User Id: user_obj_id
Verify and Remove
Check membership before removing:
user_email = "john.doe@contoso.onmicrosoft.com"
group_id = "12345678-1234-1234-1234-123456789012"
// Get user object ID
// Get User node
// User Id: user_email
user_obj_id = result.id
// List Group Members node
// Group Object Id: group_id
// Check if user is a member
is_member = false
for (member of result.value) {
  if (member.id === user_obj_id) {
    is_member = true
    break
  }
}
if (is_member) {
  // Delete User From Group node
  // Group Object Id: group_id
  // User Id: user_obj_id
  console.log("User removed from group")
} else {
  console.log("User is not a member")
}
Tips for Effective Use
- Object ID required: Must use user object ID, not email address
- Get user first: Use Get User node to convert email to object ID
- Error handling: Use Try-Catch to handle not-member errors
- Check first: List members before removing to verify membership
- Bulk operations: Add delays between operations
- Logging: Log all membership changes for audit
- Verification: List members after removing to verify success
- Idempotency: Removing a user who is not a member may return an error
Common Errors and Solutions
"Group Object Id cannot be empty"
Cause: The Group Object Id input was not provided.
Solution: Provide a valid group object ID:
group_object_id = "12345678-1234-1234-1234-123456789012"
"User Id cannot be empty"
Cause: The User Id input was not provided.
Solution: Provide a valid user object ID:
user_id = "abcdef12-3456-7890-abcd-ef1234567890"
"Response Status is not OK - User is not a member"
Cause: The user is not a member of the group.
Solution: Check membership before removing:
// List Group Members node first
// Check if user is a member
// Only remove if currently a member
"Invalid user ID format"
Cause: Used email address instead of object ID.
Solution: Get object ID first:
// Get User node
// User Id: "john.doe@contoso.onmicrosoft.com"
user_obj_id = result.id
// Now use object ID
// Delete User From Group node
// User Id: user_obj_id
"Either Client Secret with Tenant ID and Client ID, or Access ID must be provided"
Cause: Neither access ID nor complete credentials were provided.
Solution:
// Option 1: Use Connect node
access_id = message.access_id
// Option 2: Provide all credentials
tenant_id = "your-tenant-id"
client_id = "your-client-id"
// Set Client Secret option from vault
Best Practices
- Get object ID: Always use Get User to convert email to object ID
- Check membership: List members before removing to verify membership
- Error handling: Use Try-Catch for graceful error handling
- Logging: Log all membership removals for audit trails
- Bulk operations: Add delays to avoid throttling
- Verification: Verify group and user exist before removing
- Idempotency: Design flows to handle not-member scenarios
- Testing: Test with a small group before bulk operations
- Offboarding: Remove from all groups during user offboarding
- Documentation: Document group membership policies and changes
Related Nodes
- Connect - Establish Azure AD connection
- Get User - Get user object ID from email
- Get Group - Verify group exists
- List Group Members - Check current members
- Add User To Group - Add members
- Delete User - Delete users