In Microsoft 365, monitoring changes to group memberships is vital for maintaining security and compliance. Whether it's tracking who added or removed users from groups, or auditing specific user actions, the combination of the Get-MgUser and Get-MgAuditLogDirectoryAudit cmdlets enables administrators to efficiently monitor and audit directory activities. This article walks you through a practical example of using these cmdlets together to monitor group membership changes initiated by a specific user.
The following script retrieves group membership changes (additions or removals) made by a specific user within the past 7 days:
# Connect with the least-privilege scopes this script needs
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All"
# Specify the user for whom you want to monitor group membership changes
$userPrincipalName = "john.doe@yourdomain.com"
# Retrieve the user's Object ID using Get-MgUser
$userId = (Get-MgUser -UserId $userPrincipalName -Property "id").Id
# Set the date range for the audit logs (last 7 days); Graph compares activityDateTime in UTC, so convert before appending 'Z'
$startDate = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Retrieve directory audit logs for group membership changes (-All pages through every matching entry)
$auditLogs = Get-MgAuditLogDirectoryAudit -All -Filter "initiatedBy/user/id eq '$userId' and (activityDisplayName eq 'Add member to group' or activityDisplayName eq 'Remove member from group') and activityDateTime ge $startDate and activityDateTime le $endDate"
# Format and display the audit logs
$auditLogs | Select-Object Id, ActivityDisplayName, TargetResources, LoggedByService, ActivityDateTime
Tips for using the script effectively:
- Use date filters (activityDateTime ge and activityDateTime le) to narrow down results and avoid overloading the query.
- Use the -Filter parameter to include only relevant activities, such as Add member to group or Remove member from group, to focus on group membership changes.
- Use the Export-Csv cmdlet to save logs for further analysis or reporting:
$auditLogs | Export-Csv -Path "GroupMembershipChanges.csv" -NoTypeInformation
- Handle the case where no logs match, so the script reports it explicitly instead of printing nothing:
if (-not $auditLogs) {
    Write-Host "No audit logs found for the specified criteria."
}
- Use least-privilege permissions, such as AuditLog.Read.All and User.Read.All, to minimize security risks.

Common errors and their solutions:

| Error | Cause | Solution |
|---|---|---|
| Insufficient privileges to complete the operation. | Missing permissions like AuditLog.Read.All. | Grant the required permissions to the account or app in Azure AD. |
| Invalid filter clause. | Syntax error in the -Filter parameter. | Verify the filter syntax and ensure properties like initiatedBy/user/id and activityDisplayName are correct. |
| No audit logs found for the specified criteria. | The user did not perform any relevant actions during the specified time period. | Expand the date range or refine the filter to capture additional activities. |
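As an added example that is not part of the original article, the following function builds on the script above: it pages through every result with -All, formats the date range in UTC, and flattens each entry's TargetResources into one row naming the actor, the affected member and the group, which the plain Select-Object output does not show. It assumes the usual shape of these audit entries (the member as a User target carrying Group.DisplayName in its ModifiedProperties, the group as a Group target); Get-GroupMembershipChangeReport is a hypothetical helper name.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph.Users
# and Microsoft.Graph.Reports modules; Get-GroupMembershipChangeReport is hypothetical.
function Get-GroupMembershipChangeReport {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Days = 7
    )
    # Least-privilege scopes: read audit logs and resolve the user's object ID
    Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All"
    $userId = (Get-MgUser -UserId $UserPrincipalName -Property "id").Id

    # Graph compares activityDateTime in UTC, so format the range in UTC before appending 'Z'
    $start = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $end   = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

    $filter = "initiatedBy/user/id eq '$userId' and " +
              "(activityDisplayName eq 'Add member to group' or " +
              "activityDisplayName eq 'Remove member from group') and " +
              "activityDateTime ge $start and activityDateTime le $end"

    # -All pages through every matching entry rather than returning only the first page
    foreach ($entry in (Get-MgAuditLogDirectoryAudit -Filter $filter -All)) {
        # Assumed entry shape: the member is a 'User' target whose ModifiedProperties
        # carry Group.DisplayName (JSON-encoded, hence the quote trim); the group
        # itself is a 'Group' target and serves as the fallback for the name.
        $member = $entry.TargetResources | Where-Object Type -eq 'User'  | Select-Object -First 1
        $group  = $entry.TargetResources | Where-Object Type -eq 'Group' | Select-Object -First 1
        $prop   = $member.ModifiedProperties | Where-Object DisplayName -eq 'Group.DisplayName'
        $name   = if ($prop.NewValue) { $prop.NewValue } else { $prop.OldValue }
        if (-not $name) { $name = $group.DisplayName } else { $name = $name.Trim('"') }

        [pscustomobject]@{
            When          = $entry.ActivityDateTime
            Action        = $entry.ActivityDisplayName
            Actor         = $entry.InitiatedBy.User.UserPrincipalName
            Member        = $member.UserPrincipalName
            Group         = $name
            Result        = $entry.Result
            CorrelationId = $entry.CorrelationId
        }
    }
}

# Usage: build the report, say so when it is empty, otherwise save it for review
$report = Get-GroupMembershipChangeReport -UserPrincipalName "john.doe@yourdomain.com" -Days 7
if (-not $report) { Write-Host "No group membership changes found for the specified criteria." }
else { $report | Export-Csv -Path "GroupMembershipChanges.csv" -NoTypeInformation }
```

The CorrelationId column lets you tie a row back to the full audit entry in the Entra admin center when a change needs follow-up.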
Using Get-MgUser with Get-MgAuditLogDirectoryAudit empowers administrators to monitor and audit group membership changes efficiently. By combining these cmdlets, you can track user-initiated changes, generate compliance reports, and enhance your organization's security posture. Start implementing this script today to streamline your monitoring and auditing workflows.
© m365corner.com. All Rights Reserved.