In Microsoft 365, user accounts act as gateways to access resources. Unauthorized or suspicious user creations can lead to severe consequences, such as data breaches and compromises in sensitive information. Admins play a critical role in safeguarding organizational data by diligently tracking and monitoring user creation within Microsoft 365.
How to Find who Created a User Account in Microsoft 365?
It is relatively easy to determine when a user account was created and their last login activity in Microsoft 365. However, identifying who created a user account requires utilizing the Audit Log. You have two options for this: using the Audit log search in the Microsoft Purview portal or PowerShell.
Microsoft Purview Portal: To access the Audit log, navigate to the Microsoft Purview portal. From there, you can filter the audit log by the activity ‘User added.’ This action will display a list of newly created users in your organization. However, the information given is basic and only provides data for the past 90 days. Additionally, there is no scheduling option available.
PowerShell: Another method involves using the ‘Search-UnifiedAuditLog’ cmdlet in PowerShell to find out who created a user account and when. But this process may require multiple steps to convert the data into a readable or user-friendly format, which demands more effort.
To simplify your work, we have developed a PowerShell script that provides the most essential attributes to track Entra ID users in a user-friendly manner.
- The script uses modern authentication to retrieve audit logs.
- The script can be executed with an MFA enabled account too.
- Exports report results to CSV file.
- Identifies who created Azure AD guest users.
- Helps to find recently created users. e.g., users created in the last 30 days.
- Allows you to generate a user creation audit report for a custom period.
- Automatically installs the EXO module (if not installed already) upon your confirmation.
- The script is scheduler friendly. i.e., Credentials can be passed as a parameter instead of saved inside the script.
Script Download: AuditM365UserCreations.ps1
Detect Who Created a User Account in Microsoft 365 –Script Execution Methods:
You can choose any of the below methods based on your requirement.
Method 1: Execute the script with MFA and non-MFA accounts
The exported report contains a list of users created for the past 90 days.
Note: As per Microsoft’s recent update, you can retrieve the M365 audit log for more than 90 days (I.e.,180 days) from September 2023.
Method 2: Execute the script by explicitly mentioning the credentials.
.\AuditM365UserCreations.ps1 -UserName firstname.lastname@example.org -Password XXX
You can also use this method to run the script unattended. Scheduling works only for non-MFA accounts. If the admin account has MFA, then you need to disable MFA based on the Conditional Access policy to make it work.
Audit User Creations Report – Sample Output:
The exported report helps admins to identify who created a user account in Office 365 with User Creation Time, Display Name, UPN, Assigned Licenses, Account Status, User Type, Result Status, and Additional Details.
From Problem to Solution: How the Script Adapts to Various Scenarios?
Our ‘audit Microsoft 365 user creation’ script supports multiple built-in filters to generate an audit report based on the various use cases. Let’s see them in detail.
- Find recently created users
- Identify who created a guest user
- Get a list of recently created guest users (i.e., guest users created in the last 30 days)
- Find users created in a custom period
- Schedule the script to run unattended
Find Recently Created M365 Users:
This report is crucial for staying on top of Microsoft 365 user additions, providing you with a real-time view of account creations, and helping you promptly address any unauthorized access. To track down recently created users in your Microsoft 365 environment, run the script by passing no. of days in the ‘RecentlyCreatedDays’ parameter. For example,
.\AuditM365UserCreations.ps1 -RecentlyCreatedDays 30
The exported report shows the list of users who were created in the past 30 days, along with the necessary details. If you find any suspicious account, you can monitor user activity to safeguard your organization from potential threats.
Identify Who Created Guest Users in Microsoft 365:
Managing guest users in an organization is important, but identifying who created a guest user is crucial for bolstering your organization’s security. This critical report enables you to monitor and verify the origin of guest accounts, ensuring that only authorized and trusted users invite guests. To check who created a guest user in Microsoft Entra ID, execute the script with the ‘GuestUsersOnly’ switch param.
The above format exports the Microsoft 365 guest users created in the past 90 days along with the creator.
In addition to auditing guest user creation, it’s crucial to proactively identify inactive guest users. Stale accounts serve as potential entry points for security compromises. Therefore, incorporating regular cleanups of inactive users is essential for maintaining a strong security posture
Get a List of Recently Created Guest Users in Azure AD:
This report showcases guest users created within the last ‘n’ days, allowing you to proactively manage guest permissions, review guest accounts, and ensure guest users’ group membership details. To track recently created external users, run the script as follows.
.\AuditM365UserCreations.ps1 -GuestUsersOnly –RecentlyCreatedUsers 60
It will list the Azure AD guest users who have been created in the last 60 days. By referring to the recently created guest users report, you can keep a close eye on guest user activities in the organization.
Note: Please be aware that the audit log retention period for the basic license plan is limited to 90 days (duration may vary depending on the specific license plan). As a result, you can only retrieve audit data for the last 90 days from the date of the execution.
Find Office 365 Users Created in a Custom Period:
This report is perfect for conducting audits during specific events, such as onboarding new employees or tracking user creations during a particular project. To find users created in a specific date range, execute the script with ‘StartDate’ and ‘EndDate’ params as shown below.
.\AuditM365UserCreations.ps1 -StartDate 7/1/23 -EndDate 7/15/23
The above example retrieves the users created from July 1, 2023, to July 15, 2023.
Schedule the Script to Run Unattended:
You can schedule the script to automate the auditing process by passing credentials using the ‘UserName’ and ‘Password’ parameters. This feature is incredibly helpful for running the script unattended at specified intervals and obtaining a comprehensive report on Microsoft 365 user creations.
To schedule the script, use the format below:
.\AuditM365UserCreations.ps1 -UserName email@example.com -Password XXX
You can utilize the task scheduler to create a scheduled task.
Note: Scheduling works with non-MFA accounts. If you have an MFA account, you can disable MFA through conditional access policies to enable smooth scheduling.
AdminDroid: Export, Schedule, and Receive Alerts – All for Free!
Scheduling an audit report or receiving alerts when a new user is created in Microsoft 365 can be a tedious task with native methods. But with AdminDroid, you can achieve all this and more with just a few mouse clicks. Best of all, it’s completely free! Yes, you heard it right!
With AdminDroid, you can access more detailed Microsoft 365 user reports, providing the following features:
- Get Users’ Creation Date: Easily view all Microsoft 365 users along with their creation date.
- View Recently Created Users: Access recently created users without any limitations on the time frame.
- Export Reports to Different Formats: Customize your user audit reports by exporting them to various formats like CSV, PDF, HTML, XLS, and more.
- Schedule Reports: Set up scheduled reports to be directly delivered to your email in the desired format.
- Get Alerts on New User Creation: Configure M365 alerts to receive notifications whenever a new user is created in your organization.
- Create Custom Reports: Utilize ‘Views’ to tailor reports according to your specific requirements, including column customization, filters, and more.
Aside from these features, AdminDroid offers a comprehensive range of 120+ free reports and numerous dashboards, providing efficient Microsoft 365 administration. These reports cover users, groups, licenses, group membership, managers, user sign-ins, password changes, admin role changes, and much more.
Additionally, AdminDroid offers an extensive collection of 1800+ pre-built reports and 30+ smart dashboards, providing you with powerful insights and enhanced control over your Microsoft 365 environment. Download AdminDroid Microsoft 365 management tool today to ensure seamless administration and efficient reporting for your organization.
Don’t wait until a security breach occurs; proactively safeguard your organization with our comprehensive user creation auditing reports. I hope the blog will help you find who created a user account in Microsoft 365. If you have any queries, reach out to us through the comment section.