🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Audit User Account Creations in Microsoft 365

Struggling to track bulk user creations in your Microsoft 365 environment? This challenge can result in unintended consequences such as user accounts with excessive permissions or unnecessary licenses that increase both security risks and operational costs. But, no worries! This guide will show you how to audit user account creations effectively in Microsoft 365.

Solution 1
Solution 2
Solution 3
Solution 4
Solution 5
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • Log in to the Microsoft Entra admin center.
  • Navigate to Audit logs under Identity»Users»All users.
  • Click on the Activity filter and select Add user.
Using Microsoft Entra Admin Center
  • Here, you can audit all Microsoft 365 user creation activities for the past 30 days.

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • Log in to the Audit page of Microsoft Purview portal.
  • Choose the desired Date and time range, then select Added user in the Activities - friendly names field and hit the Search button.
Using Microsoft Purview Compliance Portal
  • Once the search is completed, you can see all the M365 user creation audit activities that includes creation time, performed user, record type, and created user.

Using Windows PowerShell

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • Connect to the Exchange Online module using the below cmdlet.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the below cmdlet to audit user account creations in Microsoft 365.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -Operations "Add user" -ResultSize 5000 | Where-Object { ($_.AuditData | ConvertFrom-Json).Operation -eq "Add user." } | ft
Using Windows PowerShell

Using PowerShell Script

Microsoft 365 Permission Required
Reports Reader Least Privilege
Global Admin Most Privilege
  • The cmdlet doesn’t directly retrieve the created user's name. To simplify this, we’ve created a PowerShell script that provides detailed information for effective tracking of user creation activities in Microsoft 365.
  • It generates a comprehensive report that lists all Microsoft 365 user account creations along with their details, allowing admins to see who created a user in M365.
  • It also tracks guest user creations, accounts created by service principals, user creation time, and more. This ensures complete visibility into all user creation events for better monitoring and management.
  • Download and run the following script in the Administrator PowerShell.
Using PowerShell Script
AuditM365UserCreations.ps1
AdminDroid Microsoft 365 User Auditing

The ultimate solution for tracking all user account creations in Microsoft 365!

AdminDroid's Microsoft 365 user auditing tool provides deep insights into user account creations, deletions, and user modifications that helps to enhance M365 user management.

Retrieve All M365 Users Report in Various Formats

Export Microsoft 365 users reports in various formats including guest users with details, such as sign-in status, licenses, and location for easy analysis and updates.

Monitor Recently Created Microsoft 365 Admins

Monitor recently created Microsoft 365 admin accounts and review their delegated privileges to prevent over-privileged access and reduce security risks.

Audit Recently Created Entra ID Users

Easily track newly created M365 users to detect unwanted or duplicate accounts and ensure that only legitimate users remain in your organization.

Automate M365 External User Creations Report

Receive scheduled reports on external user creation in M365 to quickly detect unnecessary accounts and enhance account oversight.

Get Alerts on New Microsoft 365 User Creation

With AdminDroid's alerting feature, receive instant notifications whenever a new Microsoft 365 user is created in your organization.

Check Microsoft 365 Disabled Users

Regularly audit disabled users in Microsoft 365 to determine whether to restore access or delete the accounts for efficient user management.

Thus, AdminDroid's Microsoft 365 Reporter provides detailed insights for auditing user creation activities with ease and precision. It helps admins track account creations, deletions, and license changes. This makes it easier to spot issues, ensure compliance, and maintain a secure and well-managed Microsoft 365 environment.

Explore a full range of reporting options
Download Live Demo

Important Tips

Review temporary admin access granted via Privileged Identity Management (PIM) and verify that no unauthorized users were created during the elevated access period.

Grant access to trusted service principals alone for Microsoft 365 user creations and validate their purpose to prevent unauthorized user provisioning in your organization.

Automate Microsoft 365 account creation with manager approval and activate accounts only after security checks like configuring MFA and setting strong passwords.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while tracking Microsoft 365 user account creations.

Error String was not recognized as a valid DateTime.

This error occurs when the start and end date are not correctly specified when executing the 'Search-UnifiedAuditLog' cmdlet in the PowerShell.

Fix Verify that the start and end date are in the 'MM/DD/YYYY' format.

Error Error with the inputs provided. Search duration is too long. Please select a date range of less than 6 months.
purview-search-more-than-six-mon-error

This error will occur in the Audit Log search of Purview compliance portal if the selected date and time range exceed the limit.

Fix In Microsoft Purview Audit (Standard), logs can only be retained for a maximum of 180 days. Specify a time range within this period.

Error ./AuditM365UserCreations.ps1 cannot be loaded because running scripts is disabled on this system.

The script encounters this error because the current execution policy is set to "Restricted", which blocks script execution.

Fix To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script. 
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error The file you uploaded has one or more errors. Please correct them and upload again.
bulk-user-csv-error

This occurs when the CSV file contains invalid or incomplete data, such as missing required fields, incorrect formatting, or unsupported characters.

Fix Ensure the provided property values match the correct data types (e.g., Boolean, string, or string collection). Double-check and update any incorrect values to resolve the issue.

1. What happens if admins fail to monitor user creations in Microsoft 365?

Admins will face significant security issues if they fail to track the Microsoft 365 user creations in their organization. Here are some of the most critical ones to consider.

  • Privilege Escalation: Malicious insiders or attackers can create M365 accounts for themselves with elevated privileges. This enables them to escalate their access rights, potentially gaining unauthorized control over critical systems and sensitive data.
  • Suspicious/Unauthorized Account Creation: Attackers compromise an user account and can create unauthorized users that blend into regular operations. These accounts may be assigned with necessary licenses that mimic legitimate users and increase the risk of widespread security breaches.
  • Prone to Security Breaches: Microsoft 365 accounts created without essential security measures like multi-factor authentication (MFA) would expand the attack surface. These poorly managed accounts are highly vulnerable to password spray attacks and brute force attempts that will exploit your Microsoft 365 environment.
  • Compliance Violations: If admins don't monitor Microsoft 365 user creations and other M365 admin activities periodically, it will lead to non-compliance and violate security regulations. Thus, properly tracking these activities is essential for maintaining risk-free environment.
  • Lack of Accountability: Without regular auditing of Microsoft 365 user creations, it becomes difficult to trace who created each Entra ID account, when it was created, and for what purpose. This lack of visibility makes it difficult to investigate security incidents, enforce accountability, and take corrective actions when necessary.

2. How to track users created by a service principal in Microsoft 365?

In Microsoft 365, a service principal is a security identity used by applications and automated tools to access resources without a user account. When a service principal creates a user, it typically indicates an application or automated process, not an admin. Periodic tracking of this activity helps identify misconfigured applications, ensures compliance, prevents unauthorized privilege escalation, and maintains control over account creation.

Monitor user creation by a service principal in Microsoft Purview portal

  • Navigate to the Microsoft Purview compliance portal.
  • Go to Audit»Audit log search, then select Added user from the Activities - friendly names dropdown.
  • From the audit log results, look for entries where 'User' is listed as a service principal.
service-principal-user-creation-audit-logs

Audit M365 user creation by a service principal using PowerShell

While Microsoft Purview offers detailed audit logs for Microsoft 365 user creations, those are not user-friendly for admins. Instead, admins can use the PowerShell script below to easily identify user accounts created by service principals in their tenant.

Connect to the Exchange Online PowerShell module using the below cmdlet.

Connect-ExchangeOnline

Run the following script with the appropriate start date & end date to get the Microsoft 365 user accounts created by service principals.

Search-UnifiedAuditLog -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY -Operations "Add user" -ResultSize 5000 | Where-Object { ($_.AuditData | ConvertFrom-Json).Operation -eq "Add user." } | ForEach-Object {
    $auditData = ConvertFrom-Json $_.AuditData
    [PSCustomObject]@{
        CreationDate = $auditData.CreationTime
        UserId       = $auditData.UserId
        User         = $auditData.ObjectId
        Operation    = $auditData.Operation
    }
} | Format-Table -AutoSize
service-principal-user-creation-output
  • What role does Microsoft Substrate Management play in user creation? Microsoft Substrate Management is a foundational service in Microsoft 365 that facilitates dual-write operations between Exchange Online and Azure Active Directory (AAD). When a mailbox is created directly in Exchange Online, the corresponding user account in AAD may be created by this service principal. While it primarily ensures synchronization and consistency across services, any user accounts created by it will also appear in audit logs, similar to those created by other service principals.

3. How to manage bulk user account creations on Microsoft 365?

Bulk user account creation is crucial for efficient Microsoft 365 administration, especially when handling numerous accounts during employee onboarding or in large organizations. Admins can add M365 users in bulk using manual input or CSV file uploads.

Method 1: Add multiple users via M365 admin center

  • Sign in to the Microsoft 365 admin center using your admin credentials.
  • In the left navigation pane, select Users»Active users and click Add multiple users.
  • Enter user information. Fill in the required details for each user, such as first name, last name, and email address and click Next.
  • On the next page, assign licenses to the users by selecting from the available options and clicking Next.
  • Review the user accounts and click Add users to create them.

Method 2: Add bulk users by uploading a CSV File in Microsoft 365 admin center

  • Instead of manually adding each users' info, select I'd like to upload a CSV with user information.
  • Download the blank CSV file with the required headers if you are unsure about the format.
  • Enter the necessary information for each user in the corresponding columns of the CSV file.
  • Upload the saved CSV file and click Next. The next two steps are the same as the previous method:
    • Assign the desired licenses.
    • Review the user information and confirm to create the bulk users.
m365-admin-center-add-bulk-user

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Audit User Account Creations in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo