Monitoring Office 365 users’ activity helps to identify unauthorized and malicious activities performed in Office 365 tenants. As an admin, you will often need to track the activity of a particular user or admin. In such cases, the activity reports in the Microsoft 365 admin center can’t give enough detail.
How to Create an Activity Report for a User?
To track user activity, you can either use an audit log search or PowerShell.
Search the audit log in the compliance center: The unified audit log lets you view users’ activity across Office 365, and you can download the audit log search results to a CSV file. However, you can’t see required data such as the operation status (whether the action succeeded or failed) and the workload at a glance. Those attributes are stored in a JSON object, which needs to be parsed to extract them.
Track user activity with PowerShell: With ever-changing Microsoft 365 admin portals and UI, most admins prefer to work with PowerShell. The Search-UnifiedAuditLog cmdlet searches the unified audit log. This log contains events from multiple Office 365 workloads such as Exchange Online, SharePoint Online, Azure Active Directory, OneDrive for Business, Microsoft Teams, and other Microsoft 365 services.
Audit Office 365 User Activity Report with PowerShell:
Getting audit logs with Search-UnifiedAuditLog is not an easy task. If you don’t retrieve the data properly, you will end up with data missing from your results.
Considering all the cases, we have created a PowerShell script that exports an Office 365 user’s activity report to a CSV file.
Download Script: UserActivityReport.ps1
Script Highlights:
- The script uses modern authentication to connect to Exchange Online.
- The script can also be executed with an MFA-enabled account.
- Exports report results to a CSV file.
- Allows you to generate a user activity report for a custom period.
- Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
- The script is scheduler friendly, i.e., credentials can be passed as parameters instead of being saved inside the script.
Office 365 User Activity Report – Sample Output:
The exported user activity report contains the following attributes: Activity Time, User Name, Operation, Result, Workload and Detailed Audit Data.
Note: Since some workloads don’t have a Result status column, it is shown as empty for them.
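How the Result and Workload columns can be derived from the AuditData JSON, and how paging avoids a truncated result set, as an added example (it is not the UserActivityReport.ps1 script from this post). The function names are hypothetical, the sample records are constructed, and Get-UserAuditActivity assumes an Exchange Online PowerShell session is already open.

```powershell
# Added example; not the UserActivityReport.ps1 script from this post.
# ConvertTo-ActivityRow and Get-UserAuditActivity are hypothetical names.
function ConvertTo-ActivityRow {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; Result and Workload live inside it.
        $data = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            'Activity Time'       = $Record.CreationDate
            'User Name'           = $Record.UserIds
            'Operation'           = $Record.Operations
            'Result'              = $data.ResultStatus  # absent for some workloads -> empty
            'Workload'            = $data.Workload
            'Detailed Audit Data' = $Record.AuditData
        }
    }
}

function Get-UserAuditActivity {
    # Requires an open Exchange Online session (Connect-ExchangeOnline).
    param([string]$UserId, [datetime]$StartDate, [datetime]$EndDate)
    # Reusing one SessionId with ReturnLargeSet pages through the results;
    # a single call returns only the first batch.
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $batch = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -UserIds $UserId -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000)
        $batch | ConvertTo-ActivityRow
    } while ($batch.Count -gt 0)
}

# Constructed sample records (not real tenant data) to show the parsing offline.
$sample = @(
    [pscustomobject]@{ CreationDate = [datetime]'2020-07-24T09:15:00Z'; UserIds = 'John@Contoso.com'
        Operations = 'UserLoggedIn'
        AuditData  = '{"Operation":"UserLoggedIn","ResultStatus":"Success","Workload":"AzureActiveDirectory"}' },
    [pscustomobject]@{ CreationDate = [datetime]'2020-07-24T09:20:00Z'; UserIds = 'John@Contoso.com'
        Operations = 'FileAccessed'
        AuditData  = '{"Operation":"FileAccessed","Workload":"SharePoint"}' }
)
$sample | ConvertTo-ActivityRow | Format-Table 'Activity Time', Operation, Result, Workload
```

ReturnLargeSet returns records unsorted, so sort on 'Activity Time' before exporting the rows with Export-Csv.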
Microsoft 365 User Activity Report – Script Execution Steps:
Step 1: Download the script.
Step 2: Start Windows PowerShell as an Administrator.
Step 3: To run this script, you can choose any one of the methods below.
Method 1: Execute the script with a non-MFA account
./UserActivityReport.ps1 -UserID John@Contoso.com -Default
Method 2: Execute the script using an MFA account
./UserActivityReport.ps1 -UserID John@Contoso.com -MFA -Default
To know more about how to connect to Exchange Online PowerShell with MFA, refer to our blog Connect Exchange Online PowerShell with MFA.
Method 3: Execute the script by explicitly mentioning credentials (Scheduler friendly).
./UserActivityReport.ps1 -UserID John@Contoso.com -AdminName Admin@Contoso.com -Password XXX -Default
Unlock the Full Potential of the “O365 User Activity PowerShell Script”:
- Export Office 365 user’s activity history for the past 90 days
- Audit Office 365 users’ activity within a particular interval
- Get a monthly user activity report
- Schedule user activity report
Export Office 365 user’s activity history for the past 90 days:
Since Search-UnifiedAuditLog holds data for the past 90 days, our script can return at most the last 90 days of a user’s activity. To export Office 365 user activity for the past 90 days, run the script as shown below.
./UserActivityReport.ps1 -UserID John@Contoso.com -Default
Note: If a user is assigned an Office 365 E5, Microsoft 365 E5, Microsoft 365 Compliance, or E5 Discovery and Audit add-on license, you can generate the audit log for more than 90 days. In that case, use the -StartDate and -EndDate params to specify the time range.
Audit Office 365 user’s activity within a particular interval
You can generate an activity report for a custom period by specifying the -StartDate and -EndDate params.
Using these params, you can generate an Office 365 user’s audit report for the last 7 days, 30 days, 90 days, or any other required period.
./UserActivityReport.ps1 -UserID John@Contoso.com -StartDate 07/24/20 -EndDate 07/31/20
Monitor admin activity with PowerShell:
When a suspicious account is found, it’s necessary to identify who created that user account. If you discover that the admin account has been compromised, it is essential to track the admin’s activity and monitor all the actions performed by them. You can audit admin activity by passing the admin identity in the -UserID param.
./UserActivityReport.ps1 -UserID Admin@contoso.com -Default
The exported report contains the admin’s activity for the past 90 days. Additionally, if you wish, you can leverage this dedicated PowerShell script to export Microsoft 365 admin activities for 180 days.
Track external user activity with PowerShell:
You can audit external user activities by passing the external user’s identity in the -UserID param.
./UserActivityReport.ps1 -UserID Emma_fabrikam.com#ext#@contoso.com -Default
The exported external user activity report contains Emma’s activities for the last 90 days.
Schedule user activity report:
Search-UnifiedAuditLog can return a user’s audit data only for the last 90 days, but you may require older audit data for analysis. In that case, scheduling the report will help you keep the audit log for more than 90 days.
To run the PowerShell script as a task from the scheduler, you can use the format below.
./UserActivityReport.ps1 -UserID John@Contoso.com -AdminName admin@contoso.com -Password XXX -Default
Get a monthly user activity report:
To get a monthly report of user activity, you can execute the script as follows.
./UserActivityReport.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) -UserID John@contoso.com
The above method would be useful in scheduling.
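The scheduler format above puts -Password in the task's command line, where it is stored in clear text in the task definition. The wrapper below is an added example (not part of UserActivityReport.ps1) that keeps the password in a DPAPI-protected file and applies the monthly date range; the file paths are placeholders, and it assumes -Password accepts a plain string as shown in the post.

```powershell
# Added example; not part of UserActivityReport.ps1. Paths are placeholders.
$credPath   = 'C:\Scripts\AuditReportCred.xml'      # hypothetical location
$scriptPath = 'C:\Scripts\UserActivityReport.ps1'   # where you saved the download

# --- One-time setup, run interactively as the account the task will run as ---
# Export-Clixml protects the password with Windows DPAPI, so the file can be
# decrypted only by the same user on the same computer.
if (-not (Test-Path $credPath)) {
    Get-Credential -Message 'Non-MFA account used for the audit search' |
        Export-Clixml -Path $credPath
}

# --- Body of the wrapper that the scheduled task launches ---
$cred  = Import-Clixml -Path $credPath
$plain = $cred.GetNetworkCredential().Password   # plaintext exists only in this process

# Monthly range from the post, with the credential supplied at run time.
& $scriptPath -UserID 'John@Contoso.com' `
    -AdminName $cred.UserName -Password $plain `
    -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date)

Remove-Variable plain, cred
```

Point the scheduled task at this wrapper file so that its action arguments contain only the wrapper's path.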
You can also refer to our dedicated scripts on Office 365 user email activity and Office 365 user logon history report for further analysis.
Monitor Office 365 Users’ Activities in a Few Mouse Clicks:
To get a more detailed report on users’
- Login activities
- Sent and received emails count and details
- Mailbox activities such as email deletions, accessing another user’s mailbox, etc
- SharePoint file and folder accesses
- File sharing with internal and external users
- OneDrive File access and sharing
- Teams chat and meeting usage and many more
you can take a look at AdminDroid Microsoft 365 reporting software.
Additionally, AdminDroid provides 1600+ pre-built reports and 20 smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.
Besides, AdminDroid offers 100+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, Subscription Usage, and more. The free version of the tool offers full reporting and auditing functionality, with no limitations on customization, scheduling, or exporting. You can try the free Office 365 reporting tool from AdminDroid to see how it can benefit you.
I hope this blog is useful to audit Office 365 user activities in your organization. If you have any queries, you can reach us through the comment section.