November 12, 2020

Export Office 365 Guest User Report with their Membership

by Kathy Cooper

Guest users are external user accounts that are allowed to use your Office 365 tenant’s resources. Guest users can have access to Microsoft Teams, SharePoint, Planner, Yammer, OneDrive, Microsoft 365 groups, etc. Beyond just granting access, it’s also important to safeguard your information by implementing robust guest sharing security measures in Microsoft 365.

How to add Guest Users to Office 365?

Guest users can be added to the Office 365 organization in multiple ways. In general,

  • You can add guest users by inviting them to join Microsoft 365 groups or Microsoft Teams.
  • You can add guest users by sharing files/folders with external users through SharePoint Online or OneDrive.

Guest users have #EXT# in their UPN.

For example, Bob from contoso.com was added to fabrikam.com as a guest user. Bob then has the following UPN: Bob_contoso.com#EXT#@fabrikam.com

You can use PowerShell or Audit Log search to find out who created guest users in Azure AD. The audit log retention period depends on the license plan you are using.

How to get all guest users in an Office 365 tenant?

Since guest users can be created by admins, group owners, and end users, it is necessary to identify guest user accounts in the organization. An admin can view guest users in the organization either through the Microsoft 365 admin center or the Azure AD admin center.

However, the admin centers can’t show necessary attributes such as guest account creation time, account age, and who created the guest account. Also, Microsoft has not provided any option to download the guest user report with membership for further analysis.

So, what is the best way to list all guest users in the Office 365 tenant? As usual, PowerShell is the best option.

Export Office 365 Guest Users Report with PowerShell

The PowerShell cmdlet ‘Get-AzureADUser’ is used to retrieve guest users in the tenant. To list all the guest accounts, run the following.

The result will give plenty of attributes that may be unnecessary, and it will not show the guest users’ group membership info. To find guest users’ membership, you need to use the ‘Get-AzureADUserMembership’ cmdlet.

Note: Since the Azure AD and Msol PowerShell modules are being deprecated, you can use the Microsoft Graph PowerShell cmdlets like Get-MgUser.

To view all the guest users with MS Graph, run the below cmdlet.

To ease your work, we have created a PowerShell script to export Guest users along with their most required attributes.

Note: We have updated our script to use MS Graph PowerShell.

Download Script: GuestUserReport.ps1

Script Highlights:

  • The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.
  • It can be executed with certificate-based authentication (CBA) too.
  • The script can be executed with an MFA-enabled account too.
  • Exports report results as a CSV file.
  • Allows filtering to get stale guest accounts.
  • Allows filtering to get recently created guest users.
  • The script is scheduler friendly.

Office 365 Guest User Report – Sample Output

The exported guest user and their membership report looks like the screenshot below:

Guest user report

The Guest user/External users report contains the following attributes:

  • Guest User Name (i.e., display name)
  • User Principal Name
  • Email Address
  • Company
  • Creation Time
  • Account Age
  • Creation Type
  • Invitation Acceptance Status
  • Group Membership

How to Export Azure AD Guest User Report?

Step 1: Download the script.

Step 2: Start Windows PowerShell as Administrator.

Step 3: To view all the guest users and their info, run the script as follows.

You can use the above syntax to execute the script with both MFA and non-MFA accounts.

More Use-cases of Office 365 Guest User Report:

The script supports advanced filtering parameters, which help you get the report you need.

Get Stale Guest User Account Report:

As an admin, it is good practice to clean up old guest users if they have left the organization or are no longer needed. It will help to revoke the access given. Depending on your organization’s requirement, you can get the list of stale guest accounts based on the account creation time.

To get old guest accounts, run the script with the StaleGuests param, which will return guest accounts that are older than the given number of days.

This will export guest users that are older than a year (i.e., 365 days). By referring to this report, admins can remove the old guest accounts.

Recently Created Guest User Report:

Office 365 has not given any option to view who created the guest account. So, the admin needs to monitor the newly created guest accounts.

To view the newly created guest accounts, run the script with the RecentlyCreatedGuests param, which will return guest accounts that were created within the specified number of days.

The above code will export all the guest users that are created in the past 7 days.
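The report attributes and the two age filters described above can also be produced directly with Microsoft Graph PowerShell. The following is an added example, not GuestUserReport.ps1 or any code from the original page; the function name, its parameters, the output column names, and the CSV file name are hypothetical, and it assumes the Microsoft.Graph.Users module is installed.

```powershell
# Added example: not GuestUserReport.ps1. Function and parameter names are hypothetical.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
function Get-GuestUserReport {
    [CmdletBinding()]
    param(
        [int]$StaleDays  = 0,   # > 0: keep only guests older than this many days
        [int]$RecentDays = 0    # > 0: keep only guests created within this many days
    )
    # These properties are not all returned by default, so request them explicitly.
    $props = 'Id','DisplayName','UserPrincipalName','Mail','CompanyName',
             'CreatedDateTime','CreationType','ExternalUserState'
    $now = (Get-Date).ToUniversalTime()

    foreach ($g in (Get-MgUser -All -Filter "userType eq 'Guest'" -Property $props)) {
        # CreatedDateTime can be empty; such accounts get a blank age and are
        # excluded whenever an age filter is active.
        $age = $null
        if ($g.CreatedDateTime) {
            $age = [int][math]::Floor(($now - $g.CreatedDateTime.ToUniversalTime()).TotalDays)
        }
        if ($StaleDays  -gt 0 -and ($null -eq $age -or $age -le $StaleDays))  { continue }
        if ($RecentDays -gt 0 -and ($null -eq $age -or $age -gt $RecentDays)) { continue }

        # memberOf also returns directory roles; keep only group objects.
        $groups = Get-MgUserMemberOf -UserId $g.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
            ForEach-Object { $_.AdditionalProperties['displayName'] }

        [pscustomobject]@{
            DisplayName       = $g.DisplayName
            UserPrincipalName = $g.UserPrincipalName
            EmailAddress      = $g.Mail
            Company           = $g.CompanyName
            CreationTime      = $g.CreatedDateTime
            AccountAgeDays    = $age
            CreationType      = $g.CreationType
            InvitationStatus  = $g.ExternalUserState
            GroupMembership   = ($groups -join '; ')
        }
    }
}

# Read-only delegated scopes; the report never modifies directory objects.
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All'
Get-GuestUserReport -StaleDays 365 |
    Export-Csv -Path .\StaleGuests.csv -NoTypeInformation -Encoding UTF8
```

Calling the function with `-RecentDays 7` instead returns guests created in the past 7 days, and calling it with no parameters returns every guest account.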

Schedule Azure Guest User Report to run Periodically:

As said earlier, this script is scheduler friendly. To automate the script execution, you can use certificate-based authentication (CBA) by specifying the TenantId, ClientId, and CertificateThumbprint parameters in the following format:

To use certificate-based authentication, you must register an app in Azure AD. For app authentication, you can choose to use a certificate authority (CA) or create a self-signed certificate, which is more cost-effective.

Get More Detailed Guest User Report:

To get detailed guest user reports based on

  • Guest user type
    • External guest user
    • Internal guest user
    • Guest users in SharePoint sites
    • Guest users in Teams and Private channels
  • Group membership
    • Guest user group membership
    • Groups with guest users
  • Guest user audit
    • Audit guest creation
    • Guest user activity
    • Guest user sign-ins
    • Guest user group membership changes

you can take a look at AdminDroid Microsoft 365 reporting and auditing tool.

Office 365 guest user report

Audit M365 External user activities dashboard

AdminDroid offers 120+ reports and dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. The Free Azure AD Reporter edition doesn’t have any restrictions in reporting functionalities such as customization, scheduling, and exporting.

Additionally, AdminDroid provides 1800+ pre-built reports and 30+ smart dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc., and alerts on critical M365 activities. Download AdminDroid Microsoft 365 reporting software and see how it helps you.

I hope this blog will help you manage and report on guest accounts in your organization. If you have any queries, reach us through the comment section.
