Fetch "Add Member to Group" Audit Events Using Graph PowerShell

Microsoft 365 administrators often need to track who added which members to which groups—especially for compliance, auditing, or operational reviews. In this article, we present a Graph PowerShell script that fetches audit log entries for the "Add member to group" event and displays key information such as Added Time, Group Name, Added User, Added By, and Operation Type.

  • Added Time
  • Group Name
  • Operation
  • Added User (Target UPN)
  • Added By (Actor UPN)
  • Result

i) The Script - Fetch Group Member Assignment Events with Details

# Connect to Microsoft Graph with necessary permissions
Connect-MgGraph -Scopes "AuditLog.Read.All", "Group.Read.All"

# Define the URI to fetch audit logs for "Add member to group" events
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits" +
    "?`$filter=activityDisplayName eq 'Add member to group' and category eq 'GroupManagement'" +
    "&`$orderby=activityDateTime desc"

# Make the API request (returns only the first page of results)
$response = Invoke-MgGraphRequest -Method GET -Uri $uri

# Prepare the results collection
$results = @()

# Iterate over each audit log entry
foreach ($entry in $response.value) {
    try {
        $addedTime = $entry.activityDateTime
        $operation = $entry.activityDisplayName
        $actorUPN  = $entry.initiatedBy.user.userPrincipalName

        # The change may have been made by an app or service principal rather than a user
        if (-not $actorUPN) {
            $actorUPN = $entry.initiatedBy.app.displayName
        }

        $groupId = ""
        $groupName = ""
        $addedUserUPN = ""

        # Parse target resources
        foreach ($target in $entry.targetResources) {
            if ($target.type -eq "Group" -and $target.id) {
                $groupId = $target.id
            }
            if ($target.type -eq "User" -and $target.userPrincipalName) {
                $addedUserUPN = $target.userPrincipalName
            }
        }

        # Resolve group name using groupId
        if ($groupId) {
            try {
                $group = Get-MgGroup -GroupId $groupId -Property DisplayName -ErrorAction Stop
                $groupName = $group.DisplayName
            } catch {
                # The group may have been deleted since the event was logged
                $groupName = "[Unknown Group]"
            }
        }

        # Add result to output collection
        $results += [PSCustomObject]@{
            'Added Time'   = $addedTime
            'Group Name'   = $groupName
            'Operation'    = $operation
            'Added User'   = $addedUserUPN
            'Added By'     = $actorUPN
            'Result'       = $entry.result
        }
    } catch {
        Write-Warning "Error processing entry: $($_)"
    }
}

# Output the results
if ($results.Count -eq 0) {
    Write-Host "No 'Add member to group' events found in audit logs." -ForegroundColor Yellow
} else {
    $results | Sort-Object 'Added Time' -Descending | Format-Table -AutoSize
}


ii) How the Script Works

  1. Connects to Microsoft Graph using the Connect-MgGraph cmdlet with AuditLog.Read.All and Group.Read.All scopes.
  2. Queries audit logs using Invoke-MgGraphRequest to filter logs where the activityDisplayName equals "Add member to group".
  3. Parses each log entry to extract:
    • The time of the action.
    • The group ID and the member added.
    • The actor who performed the action.
  4. Resolves the group name using the Get-MgGroup cmdlet by passing the group ID.
  5. Outputs the results in a neatly formatted table.

iii) Further Enhancements

  • Export to CSV: $results | Export-Csv "AddedGroupMembers.csv" -NoTypeInformation
  • Add date filtering to query only events within a specific time range.
  • Add pagination support if more than 100 records are expected.
  • Email alerts for new member additions to sensitive groups.
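
The date filtering, pagination and sensitive-group enhancements listed above can be combined as follows. This is an added example, not part of the original script: it restricts the query to a time window, follows @odata.nextLink until the last page, and keeps only additions to groups on a watch list. The function names, the injectable -Fetch parameter, the watch-list ID and the sample data are all hypothetical; with the default -Fetch, the function calls Graph through Invoke-MgGraphRequest.

```powershell
# Added example. Function names, the watch list and the sample data are hypothetical.
function Get-AddMemberEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Injectable fetcher: defaults to Graph, replaceable for offline testing.
        [scriptblock]$Fetch = { param($u) Invoke-MgGraphRequest -Method GET -Uri $u }
    )
    $stamp  = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDisplayName eq 'Add member to group' and " +
              "category eq 'GroupManagement' and activityDateTime ge $stamp"
    $uri = 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=' +
           [uri]::EscapeDataString($filter)
    while ($uri) {
        $page = & $Fetch $uri
        $page.value                     # emit this page's entries
        $uri = $page.'@odata.nextLink'  # missing on the last page, so the loop ends
    }
}

function Select-SensitiveAddition {
    param([Parameter(ValueFromPipeline)]$Entry, [string[]]$SensitiveGroupId)
    process {
        $group = $Entry.targetResources | Where-Object { $_.type -eq 'Group' } | Select-Object -First 1
        if ($group.id -notin $SensitiveGroupId) { return }
        $user = $Entry.targetResources | Where-Object { $_.type -eq 'User' } | Select-Object -First 1
        [PSCustomObject]@{
            'Added Time' = $Entry.activityDateTime
            'Group Id'   = $group.id
            'Added User' = $user.userPrincipalName
            'Added By'   = $Entry.initiatedBy.user.userPrincipalName
        }
    }
}

# Constructed two-page response standing in for Graph; every ID and UPN is made up.
function New-SampleEntry($time, $user, $groupId) {
    @{ activityDateTime = $time
       initiatedBy      = @{ user = @{ userPrincipalName = 'admin@contoso.example' } }
       targetResources  = @(@{ type = 'User'; userPrincipalName = $user },
                            @{ type = 'Group'; id = $groupId }) }
}
$page1 = @{ value = @(New-SampleEntry '2025-01-10T09:00:00Z' 'alice@contoso.example' 'grp-finance');
            '@odata.nextLink' = 'sample-page-2' }
$page2 = @{ value = @(New-SampleEntry '2025-01-09T17:30:00Z' 'bob@contoso.example' 'grp-global-admins') }
$fake  = { param($u) if ($u -eq 'sample-page-2') { $page2 } else { $page1 } }

Get-AddMemberEvent -Fetch $fake |
    Select-SensitiveAddition -SensitiveGroupId 'grp-global-admins' |
    Format-Table -AutoSize
```

Against a live tenant, omit -Fetch after Connect-MgGraph and pass the object IDs of the groups you want to watch.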

iv) Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| Insufficient privileges to access audit logs | Missing delegated permissions | Ensure you use AuditLog.Read.All and Group.Read.All scopes |
| Cannot retrieve group display name | The group might have been deleted | Display placeholder text like [Unknown Group] |
| Invoke-MgGraphRequest returns empty | No matching events | Adjust filters or ensure logging is enabled for group management |

v) Use Cases

  • Security Monitoring: Detect unauthorized member additions to critical Microsoft 365 groups.
  • Compliance Audits: Generate reports for auditing purposes.
  • Operational Oversight: Help IT teams review group membership changes periodically.
  • Delegated Access Tracking: Ensure only approved administrators are managing group memberships.

vi) Conclusion

Tracking “Add member to group” actions is essential for security and compliance in Microsoft 365 environments. With Microsoft Graph PowerShell and audit logs, administrators gain deep visibility into such changes.

This script empowers you to instantly review who added whom to which group, when, and under what context—simplifying audit readiness and operational clarity.

