Get All Microsoft 365 Users Restored in the Last Month

Keeping track of administrative actions in Microsoft 365 is crucial for maintaining security and compliance. One such action is user restoration, where an administrator restores a deleted user account. This article provides a PowerShell script that uses the Microsoft Graph PowerShell module to track which admins performed user restoration activities within the last 30 days.


PowerShell Script

Here is the PowerShell script to fetch and display the list of admins who performed user restoration activities in the past 30 days:

# Ensure the Microsoft.Graph module is installed and imported
Install-Module -Name Microsoft.Graph -Force -AllowClobber
Import-Module Microsoft.Graph

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Calculate the date 30 days ago from today, in UTC (the trailing "Z" denotes UTC)
$DateThreshold = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Fetch all directory audit logs for user restoration activities (-All follows paging)
$AuditLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Restore user' and activityDateTime ge $DateThreshold" -All

# Extract and display relevant information
$AuditLogs | ForEach-Object {
    $targetResource = $_.TargetResources | Where-Object { $_.Type -eq 'User' }
    [PSCustomObject]@{
        ActivityDisplayName     = $_.ActivityDisplayName
        ActivityDateTime        = $_.ActivityDateTime
        AdminDisplayName        = $_.InitiatedBy.User.DisplayName
        AdminUserPrincipalName  = $_.InitiatedBy.User.UserPrincipalName
        TargetUserPrincipalName = $targetResource.UserPrincipalName
    }
} | Format-Table -AutoSize


Script Explanation

Install and Import the Microsoft.Graph Module

Ensures the Microsoft.Graph module is installed and imported, enabling interaction with the Microsoft Graph API through PowerShell.

Connect to Microsoft Graph

Uses Connect-MgGraph to authenticate and establish a connection to the Microsoft Graph API with the required permissions to read audit logs.

Calculate Date Threshold

Computes the date 30 days ago from the current date in the required format using Get-Date and AddDays(-30).

Fetch Directory Audit Logs

Uses Get-MgAuditLogDirectoryAudit to fetch directory audit logs with the activityDisplayName of 'Restore user' and an activityDateTime within the last 30 days.

Extract and Display Relevant Information

Iterates through each audit log entry to extract and display the relevant information, including:

  • ActivityDisplayName: The display name of the activity.
  • ActivityDateTime: The date and time the activity was performed.
  • AdminDisplayName: The display name of the admin who performed the action.
  • AdminUserPrincipalName: The user principal name of the admin who performed the action.
  • TargetUserPrincipalName: The user principal name of the target user who was restored.

Use Cases

  • Security Auditing: Regularly monitor administrative actions to ensure compliance with security policies.
  • Incident Response: Quickly identify who restored a user account in case of a security incident.
  • Reporting: Generate reports on administrative activities for management review.
  • Automation: Integrate with automated workflows to trigger alerts or actions based on specific administrative activities.

Possible Errors & Solutions

Error: Insufficient Permissions

Connect-MgGraph : Exception of type 'Microsoft.Graph.Auth.AuthException' was thrown.

Solution:

  • Ensure you have the necessary permissions (AuditLog.Read.All) granted in your Microsoft Graph app registration.
  • Verify that your credentials are correct and you have the appropriate access rights.

Error: Invalid Filter Clause

Get-MgAuditLogDirectoryAudit : Invalid filter clause.

Solution:

  • Ensure the filter clause is correctly formatted and uses supported properties. Review the Microsoft Graph API documentation for the correct filter syntax.

Error: Throttling

Too many requests error.

Solution:

  • If you encounter throttling issues, consider implementing retry logic in your script or running the script during off-peak hours.
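
The retry logic suggested above, combined with a per-actor summary of the restore events, as an added example that is not part of the original script. Invoke-WithBackoff, its parameters and the CSV path are hypothetical names, and an existing Connect-MgGraph session with AuditLog.Read.All is assumed.

```powershell
# Added example; Invoke-WithBackoff, $MaxAttempts and the CSV path are hypothetical names.
# Assumes an existing session: Connect-MgGraph -Scopes "AuditLog.Read.All"
function Invoke-WithBackoff {
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [int]$MaxAttempts = 5,
        [int]$BaseDelaySeconds = 2
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            # Collect the full result first so a failed attempt leaves no partial output
            $result = & $Action
            return $result
        } catch {
            if ($attempt -eq $MaxAttempts) { throw }   # give up after the last attempt
            $delay = $BaseDelaySeconds * [math]::Pow(2, $attempt - 1)   # 2, 4, 8, 16 s
            Write-Warning "Attempt $attempt failed: $($_.Exception.Message). Retrying in $delay s."
            Start-Sleep -Seconds $delay
        }
    }
}

# Build the filter in UTC so the trailing 'Z' matches the actual time zone
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Restore user' and activityDateTime ge $since"

# -All follows paging; -ErrorAction Stop turns failures into exceptions the wrapper can catch
$restoreEvents = Invoke-WithBackoff -Action {
    Get-MgAuditLogDirectoryAudit -Filter $filter -All -ErrorAction Stop
}

$report = foreach ($e in $restoreEvents) {
    # The initiator is either a user or an application (service principal)
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) {
        $e.InitiatedBy.User.UserPrincipalName
    } elseif ($e.InitiatedBy.App.DisplayName) {
        "app:$($e.InitiatedBy.App.DisplayName)"
    } else { 'unknown' }

    [PSCustomObject]@{
        ActivityDateTime = $e.ActivityDateTime
        Actor            = $actor
        SourceIp         = $e.InitiatedBy.User.IpAddress
        Result           = $e.Result
        TargetUser       = ($e.TargetResources | Where-Object { $_.Type -eq 'User' }).UserPrincipalName
        CorrelationId    = $e.CorrelationId
    }
}

# Restores per actor, then the full record for review
$report | Group-Object Actor | Sort-Object Count -Descending | Select-Object Count, Name
$report | Export-Csv -Path .\RestoredUsers.csv -NoTypeInformation
```

Rows whose Actor starts with "app:" or is "unknown" have no admin UPN and would appear with blank admin columns in the table produced by the main script.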

Conclusion

Tracking administrative actions such as user restoration in Microsoft 365 is essential for maintaining security and compliance. Using the Microsoft Graph PowerShell module, administrators can efficiently monitor and report on these activities. This script provides a straightforward solution to track which admins restored users within the last 30 days, helping organizations ensure accountability and transparency in their administrative actions.

