Microsoft 365 admins are the ones with great power and responsibility for the proper management of the organization. In such a way, users are assigned different admin roles to lead the organization in the right way. However, keeping a watchful eye on your administrators is crucial to guard against potential security threats and ensuring that the right people possess the right levels of authorization. But how can you track the admins? To track the activities of the admins and ensure proper governance, you can utilize Microsoft 365 admin reports, thereby identifying and eliminating suspicious behaviors of admins.
Don’t let your organization fall prey to lurking dangers!
Why Do You Need to Monitor M365 Admins?
For proper administration of Office 365 users, applications, and resources you may assign roles such as Company administrator, Exchange administrator and so on to users. However, users with assigned admin role should be tracked. But, why? Here are some of the reasons to monitor M365 admins.
Insider threats: Sometimes, being an admin, they may be involved in data breaches or data leakage incidents. However, keen monitoring of admins can prevent these activities from taking place inside your organization.
Role review: It is essential to regularly review the assigned admin roles to ensure that users are given appropriate authorization levels.
Catch up on suspicious activities: By actively monitoring users with admin roles, you can ensure their adherence to responsibilities and swiftly identify any potential malicious activities they may engage in. It is also helpful to identify account compromises.
Table of Contents
- Get all administrators and their admin roles
- Find all group memberships of Office 365 admins
- Monitor sign in logs of Microsoft 365 admins
- Track admin’s Azure AD activities in Microsoft Entra admin center
- Monitor admin’s Microsoft 365 activities
Let’s delve into this blog to gain Microsoft 365 admin reports for efficient O365 management.
Get All Microsoft 365 Administrators and Their Admin Roles
Having a report that includes all the administrators and their assigned admin roles is essential for efficient O365 management.
You can view all the administrators and their admin roles from Azure AD or Microsoft 365 admin center. But you need to scour through each of the user’s profiles to get the necessary details, which is a time-consuming process. But how could it be if you get all the details of the admins including license status, sign-in status in a single comprehensive report. It’s possible with PowerShell script.
Instead of running cmdlets like “Get-MgUserLicenseDetail“, “Get-MgDirectoryRole” individually to get the details of the Office 365 admins, you can simply download the PowerShell script given below to retrieve all the necessary insights such as admin name, email address, assigned roles, license status, sign-in status under a single report.
https://o365reports.com/2021/03/02/export-office-365-admin-role-report-powershell/
With this script you can,
- Export Microsoft 365 admin report
- Get azure AD roles for a user
- Get office 365 admin roles and the members
- List all admins of a specific role
- List all global administrators in Office 365 tenant
This script will be the best solution for all your effort-consuming and never-ending repeated tasks of Microsoft 365 administration.
Sample Report:
As the script gives you multiple customized reports, each of the generated Microsoft 365 admin reports will have a different format. Here is an example of a report generated by executing the script.
Find All Group Memberships of Office 365 Admins
Monitoring the memberships of the admins helps to maintain a strong security posture by ensuring that admins only have access to the groups necessary to perform their job functions, reducing the risk of privilege misuse or unauthorized actions.
You can get a comprehensive report having group membership details of the admins using the PowerShell script below.
Before that, make sure you connect to Microsoft Graph PowerShell.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
Select-MgProfile -Name beta $UserNames = @() $results=Get-MgDirectoryRole -All | ForEach-Object { Get-MgDirectoryRoleMemberAsUser -DirectoryRoleId $_.Id|ForEach-Object{ if($UserNames -notcontains $_.DisplayName) { $UserNames+=$_.DisplayName $groupNames = (Get-MgUserMemberOf -UserId $_.UserPrincipalName | Select-Object -ExpandProperty AdditionalProperties| Where-Object {$_.'@odata.type' -eq '#microsoft.graph.group'}).displayName if($groupNames) { [PSCustomObject]@{ 'Admin Name' = $_.DisplayName 'Groups' = $groupNames -join ',' } } } } } $results |Export-Csv -Path '<file path>' -NoTypeInformation |
Sample Report:
The above script will give you a report like the below added screenshot.
Monitor Sign in logs of Microsoft 365 admins
Monitoring sign-in logs of the Office 365 admins helps you to identify and track unauthorized access attempts and compromised credentials. Also, you can take appropriate remedial actions against the admin’s malicious activities.
By the way, you can effectively track the admin’s sign-in activities using built–in Azure AD sign-in log reports. To get that report, follow the navigation below.
- First, log in to Microsoft Entra admin center.
- Then, select ‘All Users’ from the Users blade.
- Now, click the ‘Sign-in logs’ on the left side of the page.
- Select ‘User’ in the filter and provide the admin name you want to see sign in logs.
- Then, click ‘Download’ at the top of the page.
- Now, select the format (JSON or CSV) based on your need and provide a suitable name for the report.
- Finally, click ‘Download’.
Sample Report:
The downloaded report looks similar to the screenshot below.
By the way, Azure AD sign in logs is limited to past 30 days.
How to get sign-in logs longer than 30 days?
You can download the PowerShell script below to generate a report log-in activities of admins for the past 90 days. Also, this script gives you filtering options to get successful/failed login attempts.
https://o365reports.com/2019/12/23/export-office-365-users-logon-history-report/
The script will give you log on activities of all the Office 365 users. To get the login activity of a specific admin, run the script by passing admin name in ‘–UserName’ param.
As the above script supports scheduling, you can schedule the script to have a history of logs for better analyzation.
Sample Report:
The generated report looks similar to the screenshot below.
You can also use the sign-in failure analysis workbook in Entra ID to easily analyze unsuccessful login attempts in Microsoft 365
Track Azure AD Activities of M365 Admin in Microsoft Entra Admin Center
Before getting into the topic, let us clear one thing. Azure AD audit log and audit log search are different from each other. The Azure AD audit log allows you to track Azure AD activities of the users specifically, while the audit log search provides insights into user activities across all workloads.
Azure AD audit logs provide a detailed record of all activities performed by O365 admins in Azure AD including user addition, password resets, policy updates, addition of members to groups, license changes, etc. By monitoring these logs, you can detect and investigate suspicious activities they get involved in.
To gain an audit report of Office 365 admin, follow the steps below.
- First, navigate to Microsoft Entra admin center> Users>All users.
- Now, click the ‘Audit logs’ on the left side of the page.
- Then, select ‘User’ in the filter and provide the admin name you want to see audit logs.
- Click ‘Download’ and select the format (JSON or CSV).
- Finally, provide a suitable name for the report and click ‘Download’.
Sample Report:
The downloaded report appears similar to the below image.
Monitor Admin’s Microsoft 365 Activities
From the above, you can get the Azure AD activities of the admins. However, it’s not sufficient to identify suspicious behaviors of the admins. You should monitor the admins’ activities in all the services like Exchange Online, SharePoint Online, MS Teams, etc.
By the way, you can monitor admin activities using “Audit Logs” available in the Microsoft Purview compliance portal. From there, you can use filters to get specific activities of the O365 admin.
You can follow the steps below to get audit logs of Microsoft 365 admins.
- First, navigate to Microsoft Purview compliance portal.
- Then, click the ‘Audit’ option given on the left side of the page.
- Specify the start/end time, activities, admin username in the respective filters and click ‘Search’.
- From the ‘Export’ button, click ‘Download all results’.
Though it is easy to monitor admin activities via unified audit log, you can’t be able to understand the details such as the operation status (whether the action was successful or unsuccessful) and the workload in a single view. Because, these attributes are formatted as JSON object, which needs to be parsed for better understanding.
Also, you can use a PowerShell cmdlet “Search-UnifiedAuditLog” to retrieve the activities of admins in Microsoft 365 resources. But it’s not an easy task. You need to filter out to get the desired report. Also, if you failed to retrieve the data properly, you will end up with data loss.
To simplify the process and gain comprehensive insights into admin activities in Microsoft 365, you can download a pre-built PowerShell script. This script is specifically designed to export details such as activity time, admin name, operation, result, and workload in a user-friendly format.
https://o365reports.com/2023/12/15/audit-microsoft-365-admin-activity-using-powershell/
To get a specific admin activity, execute the script by passing the admin’s Id in the ‘–AdminId’ param.
Also, the above script supports scheduling, which helps you to store old audit logs for future analysis.
Sample Report:
The exported report resembles the screenshot below.
Gain a Bare Bone Details of Microsoft 365 Admins with AdminDroid
Native reporting details provide you with information on the administrators, but that is insufficient to fend off security risks in Office 365. You need a complete oversight of Office 365 administrators from admin role changes to SPO file operations. That’s where AdminDroid comes in, which gives you deep insights into all the essential information for Office 365 admins!
AdminDroid Microsoft 365 reporter offers you an eye-catching admins dashboard, with sleek design to showcase you all the necessary insights of admins such as MFA status, license status, sign-in status, recently created admins, and more. This will eliminate your relying on PowerShell and the admin center, as you will get all the needed insights under a single roof.
AdminDroid’s “Admin ReportBoard” provides you with 80+ admin reports thereby keeping you following up Microsoft 365 admins in a more convenient way.
Below are some of the admin reports offered by AdminDroid.
Office 365 Admin Reports
- All admins
- All global admins
- Licensed admins
- Admins with expired trial licenses
- Admins with expired purchased licenses
- Login activities of the admins
- Admin’s login failures
- All admin mailboxes
- Inactive admin mailboxes
Administrative Role Changes Reports
- User added as admin
- Admin access removed users
Admins’ Security Settings Reports
- Password reset by admins
- Admins with expired passwords
- MFA enforced admins
- Admins’ mailbox forwarding information
Admins’ Activity Audit Reports
- Admins access to other mailboxes
- SPO files downloaded by admins
- All SPO file activities of admins
Security is the first priority of AdminDroid!
Attackers are not far! Quickly download AdminDroid Microsoft 365 management tool for better control over Office 365 admins.
We hope this blog brings you ways to gain Microsoft 365 admin reports. Furthermore, feel free to reach us in the comment section for any assistance needed.
