Audit Microsoft Teams Membership Changes using PowerShell 

Microsoft Teams plays a crucial role in facilitating collaboration and communication in the organizations. As team owners can add or remove members from MS Teams, it is important for admins to track membership changes to ensure authorized individuals have access to sensitive information. While there are many scripts available online for getting teams membership details, there are few that can audit Teams membership changes, which is essential.  

 

Why PowerShell Script when you have Audit Log Search?  

While Microsoft’s Audit Log Search in Microsoft Purview can also be used to monitor membership changes, it has limited customization options and may not provide all the necessary details at a glance. One solution to this problem is to use a PowerShell script to monitor Teams membership changes. So, I decided to write up a script with some advanced capabilities. 

 

Script Highlights: 

  • The script uses modern authentication to retrieve audit logs.    
  • The script can be executed with an MFA enabled account too.      
  • Exports report results to CSV file.    
  • Exports all the teams’ membership changes 
  • The script has a filter to track private channel membership changes. 
  • The script has a filter to monitor shared channel membership changes. 
  • Allows you to generate an audit report for a custom period.   
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation.  
  • The script is scheduler friendly. I.e., Credentials can be passed as a parameter instead of saved inside the script. 

 

Script Download: AuditTeamMembershipChanges.ps1 

 

How to Execute the Audit Script: 

You can choose any of the below methods based on your requirement.

Method 1: Execute the script with MFA and non-MFA accounts  

The exported report contains external user file access for the past 90 days.  

 

Method 2: Execute the script by explicitly mentioning the credentials.  

Note: Scheduling works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work. 

 

Audit Team Membership Changes Report – Sample Output: 

The output file contains the following attributes: Event Time, Performed By, Operation, Team/Channel Type, Team Name, Channel Name, User Name, Role, and More Audit Data. 

Audit MS Teams membership changes using PowerShell  

 

Unlock the Full Potential of Team Membership Changes Script: 

You can use the advanced filtering parameters to generate a more granular audit report. I have listed a few use cases below. 

  • Track Teams membership changes for a custom period 
  • Audit private channels membership changes 
  • Identify shared channels membership changes 
  • Monitor teams membership changes in MS teams 
  • Schedule the audit report 

 

Track Teams Membership Changes for a Custom Period:  

By default, the script retrieves the audit log for the past 90 days. You can use the StartDate and EndDate parameters to retrieve audit data for a custom period. Also, you can retrieve the audit log for 365 days by modifying the script. (If you need it, let me know in the comment section, and I will help you).  

The above example will export all the MS Teams membership changes (including standard, private, and shared channel membership) performed between Dec 01, 2022, and Dec 10, 2022.  

  

Audit Private Channels Membership Changes:  

As an admin, you can generate private channel members report jiffy. But it’s challenging to track the private channel membership changes. Run this script with the PrivateChannelMembershipChangesOnly parameter to export the private channel membership modification report.  

This example retrieves the private channel membership and ownership changes in the last 90 days. 

 

Identify Shared Channel Membership Changes:  

With the introduction of shared channels, people can collaborate within and beyond the organization without affecting the membership of a root team. i.e., a member can be added to a shared channel without adding them to the team. So, the team owner and MS Teams admin should track the membership changes to prevent security vulnerabilities.  

To track shared channel membership changes and who added them, run the script with the SharedChannelMembershipChangesOnly parameter.  

The above example helps to find who added the members to the shared channel in the past 90 days.  

  

Monitor Teams Membership Changes:  

MS Teams supports adding bulk users to teams for efficient collaboration. So, admins must keep an eye on the membership addition and removal to ensure the right members are available in the teams. To track adding and removing team members, execute the script with the TeamsMembershipChangesOnly parameter.  

You can also use the above format to find the standard channel membership changes. 

 

Schedule Audit Report:  

Microsoft keeps an audit log for a limited period based on the subscription type. To store an audit log for an indefinite time, you can schedule the audit reports and save them on the local machine. To schedule the PowerShell script, you can use the below format in the Windows Task Scheduler.  

Using the above format, you can schedule the script and audit Teams membership changes.

To schedule the monthly report, you can use the following format and set it to run every month 1st.  

Note: If the admin account has MFA, you must disable MFA through the Conditional Access policy to work.  

  

The Downside of the Audit Log:  

The script uses the ‘Search-UnifiedAuditLog’ to retrieve audit logs and filters the actions to generate a Teams membership changes report. I have noticed a few bugs while checking the generated audit log.  

  • While demoting the owner to a member, the audit log shows an incorrect ‘Role.’   
  • In a few cases, the ‘MemberAdded’ operation is shown with a null value in the member column.  

I hope Microsoft will fix those issues soon.