March 7, 2024

Audit SharePoint Online Group Membership Changes using PowerShell

by Kathy Cooper

4 min read

No Comments

The addition and removal of group members are a major concern for SharePoint permission changes. So, auditing the SharePoint Online group membership changes is vital to identify sensitive information leakage and mitigate security risks.

How to Detect Group Membership Changes in SharePoint Online?

To track SharePoint group permission changes, you can use either Audit search in the Microsoft Purview portal or PowerShell.

Microsoft Purview: In the Audit search, select ‘Added user or group to SharePoint group’ and ‘Removed user or group from SharePoint group’ activities under the ‘SharePoint Permission Changes’ category. It will list all the new members added to groups and existing members removed from groups. You can also export the report, but the report will not be in a user-friendly manner, and you can’t identify the group name and member at a glance.

PowerShell: You can use the ‘Search-UnifiedAuditLog’ cmdlet to monitor group membership changes. But the result will be shown in the JSON format, which you need to parse further to get the required data.

To simplify your work, we have created a PowerShell script that will export the group membership changes report in a user-friendly manner.

Script Highlights:

  • The script uses modern authentication to connect to Exchange Online.
  • The script can be executed with an MFA-enabled account too.
  • Exports report results to CSV file.
  • Helps to identify newly added and removed guest accounts separately.
  • Allows you to generate an SPO group membership audit report for a custom period.
  • Allows you to audit the group permission changes based on the workload, such as SharePoint and OneDrive.
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
  • The script is scheduler-friendly. I.e., Credentials can be passed as a parameter instead of getting interactively.

Audit SharePoint Group Membership Changes – Sample Output:

The exported report will contain the following attributes: Event Time, Performed By, Operation, Group Name, Member Name, Member Type, Members Can Share Sites & Files, Site URL, Workload, Detailed Audit Data.

audit sharepoint group membership changes

Audit SPO Group Membership Changes Report – Script Execution:

To run this script, you can choose any of the methods below.

Method 1: Execute the script with MFA and non-MFA account

Method 2: Execute the script by explicitly mentioning credentials (Scheduler-friendly).

Note: If the admin account has MFA, you need to disable MFA based on the Conditional Access policy to make it work.

More Use Cases of ‘Audit SharePoint Online Group Membership Changes’ PowerShell Script:

As said earlier, our script supports advanced built-in filtering parameters to generate more granular audit reports. We have listed a few use cases of our script below.

  • Track SharePoint group membership changes for the past 90 days.
  • Audit group membership changes for a custom period.
  • Monitor addition and removal of guest users in SharePoint groups.
  • Find group membership changes in SharePoint Online.
  • Find group permission changes in OneDrive.
  • Schedule the group membership changes report.
  • Get a monthly report on SharePoint group permission changes.

Track Group Membership Changes for the Past 90 Days:

Since the ‘Search-UnifiedAuditLog’ has past 90 days of data, you can get a maximum of the last 90 days’ activity using the script. To export SharePoint group permission changes for the past 90 days, run the script as below.

While the execution retrieves group membership changes in all SPO sites, you can also audit membership changes in Microsoft 365 groups.

Audit Group Member Changes for a Custom Period:

To generate group membership audit reports for a custom period, you can use the –StartDate and –EndDate parameters. By using these params, audit reports can be generated for the last 7 days, 30 days, or any required period.

The above example retrieves group member changes from June 1, 2022, to June 10, 2022.

Monitor Addition and Removal of Guest Users in SharePoint Groups:

To find who added a guest to a SharePoint group, you can run the script with -GuestOnly switch param. The report will also show when a guest user is removed from a SharePoint group.

The exported report will contain guest users’ permission changes on SharePoint groups for the past 90 days.

Find Group Membership Changes by Workload:

The script will list all the membership changes in SharePoint Online and OneDrive by default. If you want to retrieve membership changes in a specific environment, you can use – SharePointOnly orOneDriveOnly switch param.

To retrieve group membership changes happening in SharePoint Online, run the script as follows.

To track membership changes that occurred in OneDrive environment, execute the script as shown below.

Automate Group Membership Audit Report:

Since Search-UnifiedAuditLog can retrieve audit data only for the last 90 days, you may require old audit data for analysis. In that case, scheduling will help you keep the audit log for more than 90 days.

To run a PowerShell script from the task scheduler, you can use below the format.

Note: If the admin account has MFA, you need to disable MFA based on the Conditional Access policy to make it work.

Get a Monthly Report on SharePoint Group Membership Changes Report:

Monthly reports are helpful when you want to monitor and control group membership & permission changes.

To get a monthly report on user addition and removal in the SharePoint groups, run the script as below.

You can also schedule the script to generate a monthly report by mentioning the UserName, Password, StartDate, and EndDate.

I hope this script will help you track SharePoint Online permission changes through group membership changes. By referring to this report, you can revert the group membership to protect your environment effectively.

Share article