Enabling user accounts in Microsoft 365 is a common administrative action—whether you're reactivating a previously disabled user or enabling a newly created one. For compliance, auditing, or operational visibility, it’s crucial to track who enabled which user, when, and whether the action succeeded.
In this article, we’ll walk through a Graph PowerShell script that queries the audit logs to retrieve all "Enable account" actions in your tenant and lists the relevant details.
```powershell
# Connect to Microsoft Graph with required scopes
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All"

# Set the time window (last 30 days max for audit logs).
# Convert to UTC first: the trailing "Z" in the format string is a literal, not a conversion.
$startDate = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Fetch audit logs for 'Enable account' actions under 'UserManagement' category
$enabledUsers = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Enable account' and category eq 'UserManagement' and activityDateTime ge $startDate" -All

# Format and display results
$results = foreach ($log in $enabledUsers) {
    [PSCustomObject]@{
        "Enabled Time"       = ($log.ActivityDateTime).ToLocalTime()
        "Enabled User (UPN)" = $log.TargetResources[0].UserPrincipalName
        "Enabled By (UPN)"   = $log.InitiatedBy.User.UserPrincipalName
        "Result"             = if ($log.Result -eq "success") { "Success" } else { "Failure" }
    }
}

# Display the output in table format
$results | Format-Table -AutoSize
```
This script makes use of Microsoft Graph PowerShell to retrieve audit logs for specific actions:
Here are a few ideas to extend the script for broader auditing/reporting:
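```powershell
# Export the report to a CSV file
$results | Export-Csv -Path "EnabledUsersReport.csv" -NoTypeInformation

# Show only the actions initiated by accounts matching a UPN pattern
$results | Where-Object { $_."Enabled By (UPN)" -like "*admin.contoso.com" }
```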
| Error | Cause | Solution |
|---|---|---|
| Access Denied | Insufficient Graph API permissions | Ensure the account has `AuditLog.Read.All` and `User.Read.All`. |
| No Results Returned | No 'Enable account' actions in the past 30 days | Adjust the date filter or confirm recent activity. |
| `TargetResources[0]` is null | Missing expected fields in log | Add null checks or use `DisplayName` as a fallback. |
| `Connect-MgGraph` not recognized | Microsoft Graph module not installed | Install the module using `Install-Module Microsoft.Graph -Scope CurrentUser` |
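The null-handling fix from the table above, as an added example that is not part of the original script: a hypothetical helper, `ConvertTo-EnableAccountRow`, falls back to `DisplayName` when the target has no UPN and reports the initiating application when no user is recorded. The `$sampleLogs` records are constructed and the contoso.com names are placeholders, so the block runs without a tenant connection.

```powershell
# Added example: null-safe projection of 'Enable account' audit records.
function ConvertTo-EnableAccountRow {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$Log)
    process {
        # TargetResources may be null or empty; take the first real entry, if any.
        $target = @($Log.TargetResources | Where-Object { $_ }) | Select-Object -First 1
        if ($target.UserPrincipalName) { $targetName = $target.UserPrincipalName }
        elseif ($target.DisplayName)   { $targetName = $target.DisplayName }
        else                           { $targetName = '(unknown target)' }

        # InitiatedBy.User is empty when an application performed the action.
        $user = $Log.InitiatedBy.User
        $app  = $Log.InitiatedBy.App
        if ($user.UserPrincipalName) { $actor = $user.UserPrincipalName }
        elseif ($app.DisplayName)    { $actor = "app: $($app.DisplayName)" }
        else                         { $actor = '(unknown initiator)' }

        [PSCustomObject]@{
            "Enabled Time"       = if ($Log.ActivityDateTime) { $Log.ActivityDateTime.ToLocalTime() }
            "Enabled User (UPN)" = $targetName
            "Enabled By (UPN)"   = $actor
            "Result"             = if ($Log.Result -eq "success") { "Success" } else { "Failure" }
        }
    }
}

# Constructed sample records shaped like Get-MgAuditLogDirectoryAudit output.
$t = [datetime]::new(2024, 5, 1, 9, 15, 0, [DateTimeKind]::Utc)
$sampleLogs = @(
    # 1. Fully populated record
    [PSCustomObject]@{ ActivityDateTime = $t; Result = 'success'
        InitiatedBy     = [PSCustomObject]@{ User = [PSCustomObject]@{ UserPrincipalName = 'admin@contoso.com' } }
        TargetResources = @([PSCustomObject]@{ UserPrincipalName = 'alice@contoso.com'; DisplayName = 'Alice' }) }
    # 2. Target has no UPN, only a display name
    [PSCustomObject]@{ ActivityDateTime = $t.AddHours(1); Result = 'success'
        InitiatedBy     = [PSCustomObject]@{ User = [PSCustomObject]@{ UserPrincipalName = 'admin@contoso.com' } }
        TargetResources = @([PSCustomObject]@{ UserPrincipalName = $null; DisplayName = 'Bob (restored)' }) }
    # 3. App-initiated action with no target resources at all
    [PSCustomObject]@{ ActivityDateTime = $t.AddHours(2); Result = 'failure'
        InitiatedBy     = [PSCustomObject]@{ User = $null; App = [PSCustomObject]@{ DisplayName = 'Provisioning Service' } }
        TargetResources = $null }
)

# With live data, pipe $enabledUsers into the helper instead of $sampleLogs.
$sampleLogs | ConvertTo-EnableAccountRow | Format-Table -AutoSize
```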
Tracking when and by whom user accounts are enabled is vital for maintaining operational integrity and security in Microsoft 365. With this simple yet powerful Graph PowerShell script, you can gain full visibility into "Enable account" actions across your tenant.
Whether you need it for compliance reporting, operational monitoring, or forensic investigation, this script provides a solid foundation you can customize and build upon.