Monitoring Microsoft 365 users’ activity helps to identify unauthorized and malicious activities performed in M365 tenants. As an admin, you will often need to track the activity of a particular user or admin. In such cases, the activity reports in the Microsoft 365 admin center don’t give enough detail.
How to Create an Activity Report for a User?
To track user activity, you can either use an audit log search or PowerShell.
Search the audit log in the compliance center: The unified audit log lets you view users’ activity across all Microsoft 365 services. You can also download the audit log search results to a CSV file. However, you can’t see required data such as the operation status (whether the action succeeded or failed) and the workload at a glance. Those attributes are stored in a JSON object, which must be parsed to extract them.
Track user activity with PowerShell: With ever-changing Microsoft 365 admin portals and UI, most admins prefer to work with PowerShell. The Search-UnifiedAuditLog cmdlet searches the unified audit log. This log contains events from multiple Office 365 workloads such as Exchange Online, SharePoint Online, Entra, OneDrive for Business, Microsoft Teams, and other Microsoft 365 services.
Audit Microsoft 365 User Activity Report with PowerShell:
Getting audit logs with Search-UnifiedAuditLog is not an easy task. If you don’t retrieve the data properly, you will end up with data loss.
Considering all these cases, we have created a PowerShell script that exports a Microsoft 365 user’s activity report to a CSV file.
Download Script: UserActivityReport.ps1
Script Highlights:
- Helps to track users’ activities for up to 180 days.
- Allows you to generate a user activity report for a custom period.
- Exports report results to a CSV file.
- Automatically installs the EXO PowerShell module (if not installed already) upon your confirmation.
- The script can be executed with an MFA-enabled account too.
- Supports certificate-based authentication.
- The script is scheduler friendly.
Microsoft 365 User Activity Report – Sample Output:
The exported user activity report contains the following attributes: Activity Time, User Name, Operation, Result, Workload and Detailed Audit Data.
Note: Since some workloads don’t have a Result status column, it is shown as empty.
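The following added example (not taken from UserActivityReport.ps1) shows how the JSON in each record's AuditData can be parsed into the columns listed above, including the empty Result for workloads that send no status. The function name ConvertTo-ActivityRow and the sample records are constructed for illustration; the record properties CreationDate, UserIds, Operations and AuditData are those returned by Search-UnifiedAuditLog.

```powershell
# Added example (not from UserActivityReport.ps1): flatten audit records
# into the six report columns by parsing the AuditData JSON string.
function ConvertTo-ActivityRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        try {
            # AuditData arrives as one JSON string per record.
            $data = ConvertFrom-Json -InputObject $Record.AuditData -ErrorAction Stop
        }
        catch {
            Write-Warning "Skipping record with unparsable AuditData: $($Record.Identity)"
            return
        }
        # Some workloads emit no ResultStatus; test for the property and
        # leave the column empty when it is absent.
        $result = ''
        if ($data -and $data.PSObject.Properties['ResultStatus']) { $result = $data.ResultStatus }

        [pscustomobject]@{
            'Activity Time'       = $Record.CreationDate
            'User Name'           = $Record.UserIds
            'Operation'           = $Record.Operations
            'Result'              = $result
            'Workload'            = $data.Workload
            'Detailed Audit Data' = $Record.AuditData
        }
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output.
$sample = @(
    [pscustomobject]@{
        Identity = 'sample-1'; CreationDate = [datetime]'2024-05-01 09:15:00'
        UserIds = 'John@Contoso.com'; Operations = 'UserLoggedIn'
        AuditData = '{"Operation":"UserLoggedIn","ResultStatus":"Success","Workload":"AzureActiveDirectory"}'
    }
    [pscustomobject]@{
        Identity = 'sample-2'; CreationDate = [datetime]'2024-05-01 09:20:00'
        UserIds = 'John@Contoso.com'; Operations = 'FileAccessed'
        AuditData = '{"Operation":"FileAccessed","Workload":"SharePoint"}'   # no ResultStatus
    }
)

$rows = $sample | ConvertTo-ActivityRow
$rows | Format-Table 'Activity Time', 'User Name', Operation, Result, Workload
```

In a connected Exchange Online session, the output of Search-UnifiedAuditLog (called with -StartDate, -EndDate and -UserIds) can be piped into the same function and then into Export-Csv.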
Microsoft 365 User Activity Report – Script Execution Steps:
To run this script, you can choose any of the methods below.
Method 1: Execute the script with MFA and non-MFA account
./UserActivityReport.ps1
The above format prompts you to enter a user ID to track activities. It then retrieves the activities performed by that specific user over the last 180 days.
Method 2: Execute the script by explicitly mentioning credentials.
./UserActivityReport.ps1 -AdminName Admin@Contoso.com -Password XXX
This method is exclusively for non-MFA accounts. To disable MFA for an individual user and execute the script, leverage Conditional Access.
Method 3: Execute the script using a certificate.
./UserActivityReport.ps1 -UserID John@Contoso.com -ClientId <ClientId> -CertificateThumbprint <Certthumbprint> -Organization <Organization>
To use certificate-based authentication, you must register an app in Entra and use either a CA certificate or create a self-signed certificate.
Audit M365 User Activity Script – More Use Cases:
- Export user’s activity history for the past 180 days
- Audit Microsoft 365 user’s activity within a particular interval
- Monitor M365 admin activities
- Track External user activities
- Get a monthly user activity report
- Schedule user activity report
1. Export M365 user’s activity history for the past 90 days
To export user activity for the past 180 days, run the script as mentioned below.
./UserActivityReport.ps1 -UserID John@Contoso.com
Note: If a user is assigned an Audit add-on license, you can generate audit logs for more than 180 days. In such cases, you can modify the script to adjust the time period validation accordingly.
2. Monitor Microsoft 365 user’s activity for a custom period
You can generate an activity report for a custom period by specifying the -StartDate and -EndDate params.
Using these params, you can generate an Office 365 user’s audit report for the last 7 days, 30 days, 90 days, or any other required period.
./UserActivityReport.ps1 -UserID John@Contoso.com -StartDate 07/24/20 -EndDate 07/31/20
3. Monitor M365 admin activities
When a suspicious account is found, it’s necessary to identify who created that user account. If you discover that the admin account has been compromised, it is essential to track the admin’s activity and monitor all the actions performed by them. You can audit admin activity by passing the admin identity in the -UserID param.
./UserActivityReport.ps1 -UserID Admin@contoso.com
The exported report contains the admin’s activity for the past 180 days.
4. Track external user activity with PowerShell:
You can audit external user activities by passing the external user’s identity in the -UserID param.
./UserActivityReport.ps1 -UserID Emma_fabrikam.com#ext#@contoso.com
The exported external user activity report contains Emma’s activities for the last 180 days.
5. Schedule user activity report:
Since Search-UnifiedAuditLog can retrieve a user’s audit data only for the last 180 days, you may need older audit data for analysis. In that case, scheduling will help you keep the audit log for more than 180 days. You can use either Azure Automation or Task Scheduler to schedule the script.
To run a PowerShell script task from the scheduler, you can use the format below.
./UserActivityReport.ps1 -UserID John@Contoso.com -ClientId <ClientId> -CertificateThumbprint <Certthumbprint> -Organization <Organization>
6. Get a monthly user activity report:
To get a monthly report for user activity, you can execute the script as follows.
./UserActivityReport.ps1 -StartDate ((Get-Date).AddDays(-30)) -EndDate (Get-Date) -UserID John@contoso.com
The above format is useful for scheduling. You can use either method 2 or 3 based on your needs.
You can also refer to our dedicated scripts on Office 365 user email activity and Office 365 user logon history report for further analysis.
Monitor Office 365 Users’ Activities in a Few Mouse Clicks:
To get more detailed reports on users’
- Login activities
- Sent and received emails count and details
- Mailbox activities such as email deletions, accessing another user’s mailbox, etc
- SharePoint file and folder accesses
- File sharing with internal and external users
- OneDrive File access and sharing
- Teams chat and meeting usage and many more
you can take a look at AdminDroid Microsoft 365 reporting software.
Additionally, AdminDroid provides 1900+ pre-built reports and 30 smart visually appealing dashboards to know about your Office 365 environment at a glance. This tool provides reports on Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.
Besides, AdminDroid offers 120+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, Subscription Usage, and more. The free version of the tool offers full reporting and auditing functionality, with no limitations on customization, scheduling, or exporting. You can try the free Office 365 reporting tool from AdminDroid to see how it can benefit you.
I hope this blog is useful for auditing Office 365 user activities in your organization. If you have any queries, you can reach us through the comment section.