Monitoring changes taking place in Microsoft 365 is essential for organizations prioritizing strong security. One such important aspect of ensuring security is the process of tracking group membership changes in Microsoft 365. Auditing group membership changes helps admins ensure compliance, investigate any suspicious incidents, and manage user accountability in Microsoft 365.
In this blog, we’ll explore the available options to facilitate monitoring of group membership changes. Additionally, we’ll delve into a versatile PowerShell script that enables you to generate 10+ reports to audit group membership changes.
How to Track Group Membership Changes in Azure Active Directory?
By using any one of the following methods you can audit group membership changes in Microsoft 365:
Microsoft Purview Audit Logs: The unified audit logs in Microsoft 365 can be used to track group membership changes. Applying filters to the Activities field like “Added member to group” and “Removed member from group” can find all the group membership changes performed in M365. Though the resultant Microsoft 365 audit logs can be exported, they can’t be scheduled or customized based on your preferences.
Entra ID Audit logs: Applying the “GroupManagement” filter to the Category field in the Azure Active Directory audit logs lets you track the group management activities performed in M365. Additional filters on the Activity field are usually needed to obtain the desired report, and the logs are limited to the past 30 days.
PowerShell: The “Search-UnifiedAuditLog” cmdlet can produce the desired report and overcomes the above limitations, but it has its own drawback: the audit data is returned as JSON in the AuditData property, which needs further processing to extract the group name, member, and actor.
To mitigate the above-mentioned challenges, we have created a PowerShell script. This script simplifies the tracking process, capturing member and owner additions or removals across all groups. Additionally, it retrieves the group name, UPN of the member added or removed, and the timestamp of the event. Let’s get started!
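The JSON post-processing described above, as an added example that is not the AuditGroupMembershipChanges.ps1 script and not part of the original post. It assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already been run; the operation names and the ModifiedProperties/ObjectId field layout are those of Azure AD group events in the unified audit log and should be checked against a real record from your tenant.

```powershell
# Added example (not the AuditGroupMembershipChanges.ps1 script): turns the JSON in the
# AuditData property of Search-UnifiedAuditLog results into flat, filterable objects.
# Assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has run.
function Convert-GroupChangeRecord {
    param([Parameter(Mandatory)][string]$AuditDataJson)
    $d = $AuditDataJson | ConvertFrom-Json
    # Group name/ID live in ModifiedProperties; the affected member or owner is ObjectId.
    $groupName = ($d.ModifiedProperties | Where-Object Name -eq 'Group.DisplayName').NewValue
    $groupId   = ($d.ModifiedProperties | Where-Object Name -eq 'Group.ObjectID').NewValue
    [pscustomobject]@{
        Time        = [datetime]$d.CreationTime
        Operation   = $d.Operation.TrimEnd('.')          # e.g. "Add member to group"
        GroupName   = $groupName
        GroupId     = $groupId
        Member      = $d.ObjectId
        IsExternal  = $d.ObjectId -like '*#EXT#*'        # guest accounts carry #EXT# in the UPN
        PerformedBy = $d.UserId
    }
}

function Get-GroupMembershipChanges {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-180),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$Operations = @('Add member to group.', 'Remove member from group.',
                                  'Add owner to group.',  'Remove owner from group.')
    )
    # Page through the unified audit log with a session so large result sets are not truncated.
    $sessionId = "GroupChanges-$(Get-Date -Format yyyyMMddHHmmss)"
    do {
        $batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($r in $batch) { Convert-GroupChangeRecord -AuditDataJson $r.AuditData }
    } while ($batch)
}

# Constructed sample record (not real tenant data) so the parser can be checked without a tenant.
$sample = '{"CreationTime":"2024-02-12T10:15:00","Operation":"Add member to group.",' +
          '"UserId":"admin@contoso.com","ObjectId":"guest_fabrikam.com#EXT#@contoso.onmicrosoft.com",' +
          '"ModifiedProperties":[{"Name":"Group.ObjectID","NewValue":"00000000-0000-0000-0000-000000000000","OldValue":""},' +
          '{"Name":"Group.DisplayName","NewValue":"Governing Board Members","OldValue":""}]}'
Convert-GroupChangeRecord -AuditDataJson $sample   # IsExternal is True for this guest

# Live use: a custom period plus a single sensitive group, written to CSV for review.
Get-GroupMembershipChanges -StartDate '01/31/2024' -EndDate '02/29/2024' |
    Where-Object { $_.GroupName -eq 'Governing Board Members' } |
    Export-Csv -Path .\GroupMembershipChanges.csv -NoTypeInformation
```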
Download Script: AuditGroupMembershipChanges.ps1
Script Highlights
- The script exports 10+ group membership changes reports.
- The script can be executed with MFA-enabled accounts too.
- It exports audit results to CSV file format in the working directory.
- The script retrieves group membership changes log for 180 days, by default.
- It allows you to obtain the audit reports for a custom period.
- It provides details on group members and owners added or removed.
- The script can retrieve external users’ membership changes across groups.
- It audits membership modifications done by a specific user.
- The script tracks membership changes in sensitive groups.
- It automatically installs the EXO module upon your confirmation.
- The script is scheduler-friendly i.e., Credentials can be passed as a parameter.
- The script supports Certificate-based Authentication (CBA) too.
Sample Output
The script exports the audit report of group membership changes to CSV in the specified format:
How to Execute the ‘Audit Group Membership Changes’ Script?
- Download the provided PowerShell script and open it in Windows PowerShell.
- Execute the script using one of the following methods:
Method 1: You can execute the script for both MFA and non-MFA accounts using the following format.
.\AuditGroupMembershipChanges.ps1
The above script execution exports the group membership changes performed in the last 180 days.
Method 2: For an unattended approach, execute the script with the explicit credentials (Scheduler-friendly).
.\AuditGroupMembershipChanges.ps1 -UserName <UPN> -Password <Password>
With this method, you can schedule the script using the task scheduler for non-MFA admin accounts. If the admin account utilizes multi-factor authentication, you can disable MFA through the Conditional Access policy for the successful execution of the scheduled script.
Method 3: For certificate-based authentication, execute the script using the following essential parameters.
.\AuditGroupMembershipChanges.ps1 -Organization <Domain> -ClientId <AppId> -CertificateThumbprint <CertThumbPrint>
To run this PowerShell script with certificate-based credentials, register an app in Entra ID. You can use either a certificate issued by a certificate authority or a self-signed certificate, which many admins prefer for internal scenarios.
Audit Group Membership Changes in Microsoft 365 Using PowerShell
This PowerShell script helps to track group activity changes by enabling the following operations.
- Audit group membership/ownership changes in the last 180 days
- Track group membership changes between a custom period
- Retrieve groups’ user membership changes alone
- Get a history of owner changes in groups
- Find external users added to or removed from groups
- Audit membership changes in sensitive groups
- Track membership changes performed by a user
- Export more granular group membership audit reports
1. Audit Group Membership/Ownership Changes in the Last 180 days
To generate the group membership activities performed throughout the organization, just execute the script without any parameters.
.\AuditGroupMembershipChanges.ps1
This will export any changes made to group members and owners within your Microsoft 365 environment over the last 180 days.
While the execution retrieves group membership changes in all M365 groups, you can also audit SharePoint online group membership using PowerShell.
2. Track Group Membership Changes Within a Custom Period
While this script has the capability to export data for the past 180 days, you can filter and export results for a specific shorter span. To achieve this, utilize the StartDate and EndDate parameters. In case of a security incident, analyzing user membership changes around the time of the incident can help identify potential entry points.
.\AuditGroupMembershipChanges.ps1 -StartDate 01/31/2024 -EndDate 02/29/2024
The above execution will export the group membership and ownership audit log for the period from 31st January 2024 to 29th February 2024.
3. Retrieve Groups’ Membership Changes Alone
By focusing on membership changes within groups each user belongs to, rather than tracking owner changes, organizations can effectively pinpoint user-specific modifications. This targeted approach facilitates prompt removal of users from groups and mitigates the risk of unauthorized access.
.\AuditGroupMembershipChanges.ps1 -MembershipChangesOnly
The execution of the script with the parameter “MembershipChangesOnly” as specified above will retrieve only the membership changes across all Microsoft 365 groups.
By understanding the Microsoft 365 groups a user is member of, admins can accurately assign permissions, monitor group activity, and ensure that sensitive data is protected effectively.
4. Get a History of Owner Changes in Microsoft 365 Groups
Like tracking membership changes in Microsoft 365 groups, you can monitor the owners added or removed from the groups. Monitoring group owner changes in Microsoft 365 helps you to ensure a smooth handover of administrative responsibilities.
.\AuditGroupMembershipChanges.ps1 -OwnershipChangesOnly
The execution of the script with the parameter “OwnershipChangesOnly” will retrieve the Microsoft 365 group owner changes in the last 6 months.
Note: This script cannot be utilized to track ownership changes in distribution lists.
5. Find External Users Added to or Removed from Groups
Identifying the guests and external users added to groups enables the admins to maintain a more vigilant environment by addressing any potential unauthorized access. Using the parameter “ExternalUserChangesOnly” will list the external user manipulation in M365 groups.
.\AuditGroupMembershipChanges.ps1 -ExternalUserChangesOnly
The above format will export all the external users and guests added to or removed from all the groups in the last 6 months as a CSV file.
Additionally, you can audit external user activities in Microsoft 365 to detect and respond to any suspicious activity.
6. Audit Membership Changes in Sensitive Groups
In Microsoft 365, auditing membership changes is especially essential for groups that hold sensitive data, resources, or privileged access. Auditing membership changes in such groups tracks who added or removed members, supports group compliance, and surfaces unauthorized additions. To retrieve the group membership changes for a particular group, use the “GroupName” parameter as described here.
.\AuditGroupMembershipChanges.ps1 -GroupName "Governing Board Members"
The above execution will retrieve the membership activities performed in the group named ‘Governing Board Members’ for the last 180 days.
You can also pass the group’s GUID by using the “GroupId” param. For example,
.\AuditGroupMembershipChanges.ps1 -GroupId "c4b3b726-7790-4557-a400-b3d18973185b"
7. Track Group Membership Changes Performed by a Specific User
As a Microsoft 365 admin, you can monitor ownership changes and membership changes performed by any individual. This empowers the investigation of potential security concerns if any suspicious activity is identified.
.\AuditGroupMembershipChanges.ps1 -PerformedBy David@contoso.com
This format will export a CSV file that contains details on the group members or owners added or removed by David.
8. Export More Granular Group Membership Audit Reports
While the above executions provide valuable insights into group membership activities for various use cases, the script’s capabilities are not limited. By combining different parameters, you can generate more granular reports that perfectly align with your specific requirements. Here are some examples of granular audit reports that can be generated using this script.
- To monitor the group membership changes (owners as well as members) performed in a particular group by a specific user, use the below execution.
.\AuditGroupMembershipChanges.ps1 -PerformedBy David@contoso.com -GroupName "Governing Board Members"
This format will export only the membership changes performed by David in the ‘Governing Board Members’ group in the last 180 days.
- To track ownership changes performed by a specific user, run the script as shown below.
.\AuditGroupMembershipChanges.ps1 -PerformedBy David@contoso.com -OwnershipChangesOnly
The above execution will retrieve the ownership changes performed by David in all groups.
- To monitor the group membership/ownership changes that took place in a specific group within a custom time range, use the execution provided below.
.\AuditGroupMembershipChanges.ps1 -StartDate 02/01/2024 -EndDate 02/29/2024 -GroupName "Governing Board Members"
The above execution will export the membership and ownership changes that took place in the ‘Governing Board Members’ group for the period from 1st Feb 2024 to 29th Feb 2024.
Similarly, you can combine multiple parameters to retrieve more granular audit reports.
AdminDroid – Monitor Microsoft 365 Group Activities for Free!
While the PowerShell script helps to audit group membership changes with various filters, admins may seek tools with additional features and options. If you’re in such a scenario, AdminDroid is a strong choice, since it offers overall reporting for Microsoft 365 with customization and graphical representation.
AdminDroid offers a variety of free Microsoft 365 groups reports to effectively manage and monitor groups across your organization.
- All groups report
- Group membership report
- Nested groups report
- Distribution groups and membership report
- Mail-enabled groups and security groups
- Cloud groups and synced groups
- Empty groups, group size by member count, and more
Microsoft 365 group auditing reports
- Audit group creations
- Track group properties changes
- Monitor group membership changes
- Monitor ownership changes
- Identify group license changes
- Find deleted groups and more
The free Azure AD auditing tool offers vast collections of insights that track changes taking place in your Microsoft 365. With this, you can monitor user logins, user activities, group activities, password changes, application activities, etc. Moreover, the Azure AD reporting tool helps you visualize the current summary of M365 users, groups, managers, subscriptions, and licenses.
Besides Entra ID management with 120+ FREE reports, AdminDroid extends its capabilities to cover all Microsoft 365 services with 1800+ pre-built reports and 30+ dashboards. AdminDroid M365 reporting tool offers a premium edition FREE for 15 days, featuring comprehensive features such as reporting, auditing, analytics, and security & compliance.
For your Microsoft 365 reporting and auditing needs, download AdminDroid today and witness how it can assist you.
If you need clarification or have any doubts about obtaining more granular reports to audit group membership changes, reach out to us through the comments section. Stay tuned with o365reports for more insightful Microsoft 365 administrative blogs and guides!