AADGroupNotFound
Microsoft Entra or Microsoft Graph returns group-not-found responses when the target group object cannot be resolved in the current tenant directory.
Last reviewed: March 5, 2026|Source-backed guidance under our editorial policy
Start Here
Use the closest compare guide, playbook, or adjacent error page to narrow the decision faster before you start changing production systems.
This page is part of the Error Reference library. Learn more about the project or report a correction.
What Does AAD Group Not Found Mean?
Group-based access and membership workflows are blocked because the referenced directory group identity cannot be resolved.
Common Causes
- -Group object ID is wrong, stale, or belongs to another tenant directory.
- -Group was deleted, renamed, or not fully propagated after synchronization changes.
- -Automation uses display-name search and resolves ambiguous or incorrect group objects.
- -Cross-tenant/B2B flows query a tenant that does not host the intended group.
How to Fix AAD Group Not Found
- 1Resolve and operate on groups using immutable object ID in the intended tenant.
- 2Validate group existence and lifecycle state before RBAC/policy assignments.
- 3Replace display-name-based lookups with deterministic object-ID mapping.
- 4Retry assignments only after group identity and tenant context are confirmed.
Step-by-Step Diagnosis for AAD Group Not Found
- 1Capture failing group identifier and API path used by the automation.
- 2Verify tenant context from token claims and compare with directory hosting the group.
- 3Inspect directory audit logs for recent group deletion, rename, or sync operations.
- 4Retest lookups using object ID and scoped Graph queries to eliminate ambiguity.
Group Identity and Lookup Integrity
- -Validate group ID source of truth (example: stale group ID cached after access model refactor).
- -Check display-name ambiguity risks (example: multiple groups share similar names and lookup picks wrong object).
Tenant Context and Directory Lifecycle Checks
- -Confirm directory target for cross-tenant operations (example: script queries home tenant instead of resource tenant group directory).
- -Audit group lifecycle transitions (example: group recreated with new object ID after accidental deletion).
Seen in Production
RBAC automation references legacy group ID after group recreation
Frequency: common
Example: Assignment API fails because old object ID no longer exists.
Fix: Update registry with new group object ID and rerun assignment workflow.
Cross-tenant onboarding script queries default tenant directory
Frequency: rare
Example: Expected external group cannot be found in queried tenant.
Fix: Switch to correct resource-tenant context and reissue group lookup.
Debugging Tools
- -Graph directory query logs
- -Entra group audit/change history
- -az ad group show / Graph Explorer
- -Token tenant and audience claim checks
How to Verify the Fix
- -Re-run group lookup and confirm object resolves with expected ID in target tenant.
- -Validate RBAC/group-membership workflows complete successfully after correction.
- -Ensure audit logs no longer contain repeated group-not-found failures.
How to Prevent Recurrence
- -Store group object IDs in versioned identity registry instead of relying on names.
- -Add tenant-context and object-existence checks before policy or role mutations.
- -Refresh identity caches after directory change events (rename/delete/recreate).
Pro Tip
- -treat group object IDs as immutable contracts; when a group is recreated, trigger automated downstream ID remapping before production jobs run.
Official References
Provider Context
This guidance is specific to Azure services. Always validate implementation details against official provider documentation before deploying to production.