Microsoft has provided an expansive platform that facilitates both internal and external collaboration in Office 365. While allowing collaboration with external users can enhance productivity, it also introduces security risks. External users may have malicious intentions, such as stealing sensitive information or compromising accounts. Failing to monitor external users can lead to various problems. To eliminate these attacks, conducting audits on Office 365 external users and their actions is crucial. To streamline your auditing process, you can make use of the O365 external user reports.
Need for Monitoring External Users in Microsoft 365
External users are users outside your organization having access to your tenant’s resources such as SharePoint, Teams, Planner, OneDrive, etc.
Reasons to monitor Office 365 external users,
- Identify suspicious activities: Monitoring external users is crucial, as they may perform suspicious activities, leading to the leakage of sensitive information.
- Instant response: If you keep an eye on them, you can take timely decisions on malicious actions of external users, thereby safeguarding your Office 365 environment from potential security threats.
- Permission review: Auditing external users and their activities ensures that users are granted the appropriate level of permission to access Office 365 resources.
Let’s dive into the blog to gain various reports for tracking external users effectively.
Table of Contents:
- Get all external users in Office 365
- Track office 365 external user activities using PowerShell
- Gain inbox rules forwarding emails to Microsoft 365 external users
- Retrieve all external users in SharePoint online
- Audit external user file access in SharePoint Online
- Monitor external sharing in OneDrive and SharePoint Online
Identify All Office 365 External Users
It is common for organizations to onboard external users to meet specific project needs or enable collaboration. However, there is often a lack of prompt removal of these external users from the organization’s systems once their purpose has been fulfilled. To get a comprehensive record of external users in your organization, you can use PowerShell.
You can use the below PowerShell cmdlet to retrieve all external users in Office 365.
Get-AzureADUser -Filter "UserType eq 'Guest' " | Export-Csv -Path <FilePath> -NoTypeInformation
With this cmdlet, you can review all the external users and make necessary changes to them if needed. But this is not enough, right? We need to monitor their memberships to identify potential security risks or unauthorized access to Office 365. In case you come across any suspicious external users, you can track which admin created these external accounts in Azure AD to identify the source.
To get external users’ membership, you need to use ‘Get-AzureADUserMembership’ cmdlet. But keep in mind, Azure AD and MSOL PowerShell modules are under deprecation. So, try to use MS graph cmdlets.
To get the membership details of the Office 365 external users, you can use the MS Graph cmdlet.
The above cmdlet does not support retrieving the membership details of all external users in a single call. Instead, you would need to retrieve the membership details for each external user individually using a loop or by specifying the user ID.
However, you can export O365 external user reports with their membership using PowerShell script mentioned in the blog below.
By using the PowerShell script, you can get a report similar to the screenshot below.
This script will give you external users’ insights like external user creation time, membership details, account age, invitation acceptance status, and so on in a single PowerShell script.
Track Office 365 External User Activities
Monitoring external user activities helps you identify suspicious or unauthorized access attempts by external users. To audit external user activities, you can use an audit log search. However, it will not give any filtering option to retrieve only the external user activities. They will show you the activities of all the users and you need to search among them to get the activity of external users.
It’s tedious, right? This is why everyone moves to PowerShell. PowerShell makes you a way to audit Office 365 external users’ activities with PowerShell cmdlets and scripts.
You can use the below PowerShell cmdlet to retrieve external user activities for a given period by specifying the Id of the external user.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds <IdOfTheExternalUser>
However, this is not suitable for retrieving activities of all external users in Office 365.
But you can track all the external users’ activities like confidential document access, Illegal document/file modifications, Illicit resource sharing and more by downloading a PowerShell script given in the blog below.
The given script will generate external user activity report similar to the screenshot below.
This script will give you a report on external user activity having details such as activity time, external username, operation, accessed resource, resource type, workload, and detailed audit data.
Find Inbox Rules with External User Forwarding
Users can create inbox rules to perform automatic actions on incoming and outgoing emails such as forward, move, copy, etc.
However, there may be a chance of creating risky inbox rules that forward confidential emails to external users. This may lead to potential security threats in your Office 365 environment. So, it is crucial to be aware of inbox rules configured for forwarding emails to external users.
You can use “Auto forwarded message report” in the EAC to get emails that were forwarded to the external domain. But it lacks insights into inbox rules. Also, you can use the PowerShell cmdlet “Get-InboxRule” to retrieve the inbox rules that forward email externally. But you should optimize various parameters to extract the desired reports.
However, the PowerShell script makes the process simple. You can download the PowerShell script mentioned in the blog to export mailbox forwarding rules that forward emails to external domains or personal email addresses.
The downloaded script will give you a report like the below added screenshot.
This script will retrieve inbox rules set to forward to, forward as attachment, and redirect to external recipients in Office 365.
Monitor Office 365 SharePoint Online External users
External users have the ability to view and access various site content, including the Document Library, Calendar, Task List, and more. Conducting regular reviews ensures that your SharePoint environment remains trouble-free and secure. By reviewing external user access, you can identify and address any potential issues or concerns.
But to review external users, we need to scour through each of the SharePoint sites, showing internal and external guest members together. It took time for you to pick the external one from the list of members.
When coming to PowerShell, we can get the external users in a SharePoint site using the below cmdlet.
But we need to repeat the cmdlet each time to get external users from all SharePoint sites. To aid in this endeavor, you can download a script to get SharePoint O365 external user reports given in the below blog.
Using the provided PowerShell script, you will be able to generate a O365 external user reports similar to the one shown in the example.
This report gives you all the external users along with their creation time, which is very useful to track the newly created external users.
Audit Office 365 External User File Access in SharePoint Online
In SharePoint Online, the ability to share files with external users is common. But admins need to monitor external user file access for maintaining data security within your organization.
Note: It is better to assign guest user expiration policy to keep your externally shared content safe.
You can use an audit log search to track external user file access activities. But you need to use multiple filtering options to get the desired result, which is a tedious task. Also, when coming to the PowerShell cmdlet “Search-UnifiedAuditLog”, you can get 5000 records for each call. To ensure you capture all records, it is necessary to repeatedly call Search-UnifiedAuditLog using the SessionId parameter, which too has some limitations.
However, to ease your work, download the user-friendly PowerShell script to track all external user file accesses.
By utilizing the PowerShell script mentioned earlier, you will be able to generate a report that resembles the screenshot below.
This script will give you a report on external user activity having details such as file accessed time, external username, accessed file, site URL, file extension, workload and detailed audit data.
Monitor External Sharing in OneDrive and SharePoint Online
SharePoint Online is like a storage space and a collaborative platform for sharing files/documents/lists, etc.
While sharing with external users, we should give them only limited rights. More importantly, we should periodically keep an eye on SharePoint external sharing to avoid data breaches.
To get reports on files/folders/lists shared with external users, you can follow the steps below.
- First, open the respective SharePoint Online site.
- Navigate to Settings (Gear icon)> Site Usage.
- Scroll down to the Shared with external users section and click Run report.
- Then, choose the location to save the report on your SharePoint site.
- Finally, click Save.
Once the report is generated, you will receive an email notification. Then you can go to the specified location and view the generated report.
Get OneDrive External Sharing Report in Office 365
One Drive allows users to save files as well as share files by determining the extent of their editing privileges.
Same as the SharePoint external sharing report, it will give you the overall sharing report, not specifically about files/folders shared with external users.
To generate this report, follow the steps below.
- First, open a OneDrive tile from Microsoft 365.
- Then, navigate to the Settings> OneDrive settings >More settings.
- Under the Manage access section, click Run sharing report.
- Then, choose the location to save the report on your SharePoint site.
- Finally, click Save.
Beyond the above built-in reports, you can download a PowerShell script given in the below blog to audit SPO and OneDrive files shared with external users.
With the help of the PowerShell script shared in the blog, you can generate a report that resembles the screenshot provided below.
The exported report contains necessary information such as shared time, shared by, shared resource type, shared resource, site URL, sharing type, workload, and audit info.
Get In-depth Reports on Office 365 External Users with AdminDroid
AdminDroid enables you to get a drilled down report on Office 365 guest users and external users’ activities. AdminDroid Microsoft 365 reporter came up with an exclusive external user report board!
With AdminDroid’s M365 external user management report collection, you can catch up on the suspicious behavior of the external users and can take necessary actions on them. Also, these reports will help you to identify the inactive external users, thereby removing them from your organization for a secure Office 365 environment.
Some of the external users’ reports available from AdminDroid’s report boards are,
|External Users Reports –An overview reports on Office 365 external/guest users.
|External Users Audit – Reports to keep track of External users in Office 365.
|External Users Sharing and Access– Reports on file/folder/page activities of external users.
|External User Membership– Reports having information of external users group memberships.
|Mailbox Permissions Report – Detailed reports on mailbox access and permissions of guest users.
Why AdminDroid is the Best Choice for External Users’ Management?
- You can set up automated scheduling of reports for daily monitoring of external user activities, mailbox accessing, instead of taking efforts manually.
- AdminDroid enables you to customize external user reports, thereby you can apply additional filters, columns, charts to obtain the exact report you need.
- Also, Admindroid offers complete Office 365 alerting solution. So, you can gain real time notifications on suspicious activities such as sensitive file sharing, mailbox access by guest users and so on.
Don’t wait any longer! Start to use AdminDroid and gain seamless control over Office 365 external users.
We hope this blog brings you the importance of O365 external user reports. Furthermore, you can reach us for doubts and clarifications through the comments section.