Audit Microsoft Teams Membership Changes using PowerShell

Microsoft Teams plays a crucial role in facilitating collaboration and communication in the organizations. As team owners can add or remove members from MS Teams, it is important for admins to track membership changes to ensure authorized individuals have access to sensitive information. While there are many scripts available online for getting teams membership details, there are few that can audit Teams membership changes, which is essential.

While Microsoft’s Audit Log Search in Microsoft Purview can also be used to monitor membership changes, it has limited customization options and may not provide all the necessary details at a glance. One solution to this problem is to use a PowerShell script to monitor Teams membership changes. So, I decided to write up a script with some advanced capabilities.

• The script uses modern authentication to retrieve audit logs.
• The script can be executed with an MFA enabled account too.
• Exports report results to CSV file.
• Exports all the teams’ membership changes
• The script has a filter to track private channel membership changes.
• The script has a filter to monitor shared channel membership changes.
• Allows you to generate an audit report for a custom period.
• Automatically installs the EXO V2 module (if not installed already) upon your confirmation.
• The script is scheduler friendly. I.e., Credentials can be passed as a parameter instead of saved inside the script.

Script Download: AuditTeamMembershipChanges.ps1

You can choose any of the below methods based on your requirement.

Method 1: Execute the script with MFA and non-MFA accounts

The exported report contains external user file access for the past 90 days.

Method 2: Execute the script by explicitly mentioning the credentials.

Note: Scheduling works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.

The output file contains the following attributes: Event Time, Performed By, Operation, Team/Channel Type, Team Name, Channel Name, User Name, Role, and More Audit Data.

You can use the advanced filtering parameters to generate a more granular audit report. I have listed a few use cases below.

• Track Teams membership changes for a custom period
• Audit private channels membership changes
• Identify shared channels membership changes
• Monitor teams membership changes in MS teams
• Schedule the audit report

By default, the script retrieves the audit log for the past 90 days. You can use the StartDate and EndDate parameters to retrieve audit data for a custom period. Also, you can retrieve the audit log for 365 days by modifying the script. (If you need it, let me know in the comment section, and I will help you).

The above example will export all the MS Teams membership changes (including standard, private, and shared channel membership) performed between Dec 01, 2022, and Dec 10, 2022.

As an admin, you can generate private channel members report jiffy. But it’s challenging to track the private channel membership changes. Run this script with the PrivateChannelMembershipChangesOnly parameter to export the private channel membership modification report.

This example retrieves the private channel membership and ownership changes in the last 90 days. Through consistent Microsoft Teams private channel reporting, admins can swiftly review member profiles and ownership shifts. It not only streamlines the process but also significantly enhances overall security.

With the introduction of shared channels, people can collaborate within and beyond the organization without affecting the membership of a root team. i.e., a member can be added to a shared channel without adding them to the team. So, the team owner and MS Teams admin should track the membership changes to prevent security vulnerabilities.

To track shared channel membership changes and who added them, run the script with the SharedChannelMembershipChangesOnly parameter.

The above example helps to find who added the members to the shared channel in the past 90 days.

MS Teams supports adding bulk users to teams for efficient collaboration. So, admins must keep an eye on the membership addition and removal to ensure the right members are available in the teams. To track adding and removing team members, execute the script with the TeamsMembershipChangesOnly parameter.

You can also use the above format to find the standard channel membership changes.

Microsoft keeps an audit log for a limited period based on the subscription type. To store an audit log for an indefinite time, you can schedule the audit reports and save them on the local machine. To schedule the PowerShell script, you can use the below format in the Windows Task Scheduler.

Using the above format, you can schedule the script and audit Teams membership changes.

To schedule the monthly report, you can use the following format and set it to run every month 1st.

Note: If the admin account has MFA, you must disable MFA through the Conditional Access policy to work.

The Downside of the Audit Log:

The script uses the ‘Search-UnifiedAuditLog’ to retrieve audit logs and filters the actions to generate a Teams membership changes report. I have noticed a few bugs while checking the generated audit log.

• While demoting the owner to a member, the audit log shows an incorrect ‘Role.’
• In a few cases, the ‘MemberAdded’ operation is shown with a null value in the member column.

I hope Microsoft will fix those issues soon.

Auditing Microsoft Teams Membership Changes using PowerShell can be a time-consuming process, especially if there are many changes to track. AdminDroid takes the hassle out of monitoring Teams membership changes with its advanced features and user-friendly framework. With intuitive filtering, quick scheduling, and stunning data visualizations, finding the data you need is easier than ever. You can also trigger alerts for critical events like member removal, ownership demotion, etc.

You can have full visibility into Teams membership reporting and auditing that keeps you in the loop. Find the teams membership changes report offered by AdminDroid:

• Team Member Additions – Monitor new members added to your Teams.
• Team Member Removals – Stay informed when members are removed from your Teams.
• Team Owner Additions – Keep track of new owners added to your Teams.
• Team Owner Removals – Receive notifications when team owners are removed.
• Team Ownership Promotion – Track changes in ownership hierarchy and promotions.
• Team Ownership Demotion – Receive alerts on ownership transfers and member demotions.

AdminDroid offers an exclusive dashboard for Teams membership and ownership that empowers admins with valuable insights.

• With this dashboard, admins can quickly identify the top 10 teams based on various criteria such as members count, owners count, and guest count.
• But that’s not all – the dashboard also showcases the top 5 private channels based on members count, owners count, and guest count.
• This crucial information allows admins to understand which channels are most popular and ensure that private channels are being used appropriately.

In short, with valuable insights, reports, and dashboard AdminDroid will play a major role in managing Teams membership in your organization.

Apart from Teams Management reports, AdminDroid also offers over 1800 pre-built reports for a wide range of Office 365 services, including Azure AD, Security Exchange Online, SharePoint Online, and so on. This tool can help you easily generate alerts, schedule and export reports on various aspects of your Microsoft 365 environment.

Download the Microsoft Teams reporting and auditing tool by AdminDroid and see how it works.

I hope this blog helps you track and monitor membership changes in all teams within your organization, including those created by users. If you wish to prevent users from creating new teams themselves, you can disable team creations in Microsoft 365. For any doubts or queries regarding this blog, feel free to reach out to us through the comments section.