Audit Office 365 External User Activities using PowerShell

Often organization involves sharing documents or collaborating with outsiders, like vendors, partners, or clients. Allowing external users to access the resources may lead to sensitive data leakage, security threats, and attacks. So, admins must track the external user activities in the organization to identify suspicious incidents and secure guest sharing in Microsoft 365.

External users have #EXT# in their UPN. For example, assume that Bob from fabrikam.com was added to contoso.com as a guest user. Then Bob has the following UPN: Bob_fabrikam.com#EXT#@contoso.com.

You can generate external users report to know the external/guest users available in your organization. If you found any suspicious account, you can track who created that external user through audit log search.

To audit external user activities, admins can use the audit log search or PowerShell.

Audit log search: Audit logs contains excessive noise, and there is no filtering option to retrieve external user activities. So, admins can probably go with PowerShell.

PowerShell: The PowerShell cmdlet Search-UnifiedAuditLog helps admins get external users’ activities, but it has a few limitations. Also, if you don’t retrieve the audit data properly, you will end up getting partial data.

To ease your work, we have created a PowerShell script with a solution for all the native audit log limitations. Our script helps to identify external users’ activities like

• Downloading sensitive files
• Illegal document/file modifications
• Confidential document access,
• Illicit resource sharing (i.e., Resource sharing by external users), etc.

Script Download: AuditExternalUserActivity.ps1

• The script uses modern authentication to connect to Exchange Online.
• The script can be executed with MFA enabled account too.
• Exports report results to CSV file.
• The script tracks all the external users or a specific user activity based on the input.
• Allows you to generate an activity report for a custom period.
• Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
• The script is scheduler-friendly. I.e., Credential can be passed as a parameter instead of saving inside the script.

The exported user activity report contains the following attributes: Activity Time, External User Name, Operation, Accessed Resource, Resource Type, Workload, and Detailed Audit Data.

To run this script, you can choose any one of the methods below.

Method 1: Execute script with MFA and non-MFA account

Method 2: Execute script by explicitly mentioning credential (Scheduler friendly).

Note: If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.

By default, our script supports multiple in-built filtering params to generate fine grained auditing reports. Using the script, you can

• Audit all the external users’ activities

• Monitor external user activity for a custom period

• Track specific external user’s activities

• Schedule external user activity report

• Get monthly report on external users’ activities

To track all the activities performed by the external users, run the script as follows.

The exported report contains the external users’ audit log for the last 90 days. You can also get a visual representation of users’ activities based on operations performed with Entra Workbooks. This will help you get the insights at a glance.

You can generate an activity report for a custom period by mentioning –StartDate and –EndDate params.

Using these params, you can generate an Office 365 user’s audit report for the last 7 days, 30 days, 90 days, or any required period.

The above example retrieves the external user activities from Jan 13, 2022 to Feb 10, 2022.

If you want to audit the suspected external user, you can run the script with –ExternalUserId param as shown below.

The result contains the activities performed by the external user, John. You can also combine the –StartDate and –EndDate params to retrieve actions from a particular interval.

Since the ‘Search-UnifiedAuditLog’ can retrieve external user activities for the last 90 days, you may require old data for analysis. In that case, scheduling will help you keep the audit log for more than 90 days.

To run a PowerShell script from Task Scheduler, you can use the below format:

Note: If the admin account has MFA, you need to disable MFA based on the Conditional Access policy to make it work.

Monthly reports are helpful when you want to monitor and control external access and related activities periodically.

To get a monthly report on external user activities, you can run the script as follows,

The exported report has the last 30 days of external users’ audit data.

In addition to monitoring external user activities, it is also necessary to prevent sensitive data access by blocking some important settings for external users. This is because not every file should be freely accessible; some need to be tightly locked for safety.

If you want to get more detailed external user audit report in a few mouse click, you can take a look at AdminDroid Microsoft 365 auditing tool. It provides following reports on external users.

• External user activities
• Management operation on external users
  • Audit external user creations
  • External user modification
  • License assignment
  • Deleted external users
  • Group membership changes
• External sharing activities
  • Files shared by external users
  • Files shared to external users
  • File/Folder accesses by external users
  • External user sharing invites

• Microsoft Teams file transfers
  • Files shared by external users in channels
  • Files shared to external users in private chat
  • Recently created shared mailboxes

Additionally, AdminDroid offers 1500+ pre-built reports on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, etc. For your Office 365 reporting and auditing needs,

Each report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.

Besides, AdminDroid Offers over 100+ reports and a handful of dashboards completely for free. It includes reports on Users, Licenses, Groups, Group Members, Devices, Login Activities, Password Changes, License Changes, and more. You can do customization, scheduling, and exporting. You can download Free Office 365 reporting tool by AdminDroid and see how it helps you.

It is necessary to identify the external users’ activities to secure your organization’s data. Also, this report helps you find inactive external users and you can remove them, if necessary. Reveal your thoughts and techniques on managing external users to fellow admins and us in the comment section