M365Corner
PowerShell

Fetch Recently Updated Users Using Graph PowerShell

Tracking user account modifications in Microsoft 365 is crucial for security, compliance, and troubleshooting. With Microsoft Graph PowerShell, administrators can query Azure AD audit logs to fetch recently updated users, along with details about when the update occurred and who performed it.

In this article, we will explore a Graph PowerShell script that helps identify all recently updated users in your organization.


The Script

Below is a Graph PowerShell script that queries Azure AD audit logs to fetch all recently updated users. The script displays:

  • Updated Time (when the change occurred)
  • Updated User (whose account was updated)
  • Updated By (who made the update)
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All"
                                
# Define the date range (fetch updates from the last 7 days)
$startDateTime = (Get-Date).AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
                                
# Fetch all DirectoryAudit logs related to 'Update user' in the past 7 days
$updatedUsersLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Update user' and activityDateTime ge $startDateTime"
                                
# Create an array to store the results
$updatedUserDetails = @()
                                
# Loop through the audit logs to extract relevant details
foreach ($event in $updatedUsersLogs) {
    $updatedTime = $event.ActivityDateTime
    $updatedUser = ($event.TargetResources | Where-Object { $_.UserPrincipalName }).UserPrincipalName
    $updatedBy = $event.InitiatedBy.User.UserPrincipalName
                                    
    # Create an object for each updated user record
        $userDetail = [pscustomobject]@{
        "Updated Time"  = $updatedTime
        "Updated User"  = $updatedUser
        "Updated By"    = $updatedBy
    }

    # Add the object to the results array
    $updatedUserDetails += $userDetail
}
                                
# Display results in a tabular format
if ($updatedUserDetails.Count -eq 0) {
    Write-Host "No updated user events found in the last 7 days."
} else {
    $updatedUserDetails | Format-Table -AutoSize
}

How the Script Works

  1. Connects to Microsoft Graph – The script requires AuditLog.Read.All permissions to retrieve user audit logs.
  2. Defines a date range – By default, the script fetches updated users from the last 7 days (modifiable by changing AddDays(-7)).
  3. Queries audit logs – The Get-MgAuditLogDirectoryAudit cmdlet retrieves logs where "Update user" is recorded as an activity.
  4. Extracts relevant details – The script pulls:
    • Updated Time (when the change happened)
    • Updated User (whose details were changed)
    • Updated By (who performed the update)
  5. Displays results – If updates exist, they are shown in a neatly formatted table; otherwise, the script returns a message indicating no updates.

Further Enhancing the Script

Here are some ways to extend the script’s capabilities:

  1. Modify the Date Range

    2. To check for updates over a longer period, adjust the date filter:

    $startDateTime = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")  # Last 30 days
  2. Export Results to a CSV File

    3. If you need to store or analyze the data, export it:

    $updatedUserDetails | Export-Csv -Path "UpdatedUsers.csv" -NoTypeInformation
  3. Filter by Specific Users

    4. To track changes to a specific user, modify the filter:

    $updatedUsersLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Update user' and initiatedBy/user/userPrincipalName eq 'admin@domain.com'"

Use Cases

This script is valuable in multiple administrative scenarios:

  • Security Audits – Track who modified user accounts and when the change happened.
  • Compliance Monitoring – Ensure that user changes comply with organizational policies.
  • Troubleshooting Account Issues – Identify if a recent change is affecting a user’s access.
  • User Management Reviews – Review all modifications to ensure they were intentional and authorized.

Possible Errors & Solutions

Error Cause Solution
Get-MgAuditLogDirectoryAudit : Access Denied The account running the script lacks the required permissions. Ensure you have the AuditLog.Read.All permission. Run: Connect-MgGraph -Scopes "AuditLog.Read.All"
No updated user events found in the last 7 days. No user updates were recorded in the given time frame. Increase the date range by modifying AddDays(-7) to AddDays(-30).
The term 'Get-MgAuditLogDirectoryAudit' is not recognized. Microsoft Graph PowerShell module is not installed. Install it using: Install-Module Microsoft.Graph -Scope CurrentUser

Conclusion

Tracking user modifications in Microsoft 365 is essential for security, compliance, and troubleshooting. This Graph PowerShell script provides an easy way to fetch recently updated users, highlighting when updates occurred and who performed them.

By customizing the script to your needs, you can enhance your audit logs analysis, improve security monitoring, and optimize user management workflows.

Try it out today and take control of your Microsoft 365 user management!


Table of Contents

X

Table of Contents

Graph PowerShell Explorer Widget

20 Graph PowerShell cmdlets with easily accessible "working" examples.


Permission Required

Example:


                

                

                

                

                

            

        

    


 
            

        

    

    
    
    

        

            © m365corner.com. All Rights Reserved.
            Design by HTML Codex