🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Get Group Audit Report in Microsoft 365

Microsoft 365 groups are key to seamless communication and collaboration. However, they also come with certain challenges, including unauthorized access & data leaks, and can lead to wasted resources if not managed well. Microsoft 365 group auditing is crucial, providing vital insights into group operations and enhancing security. Discover effective strategies to audit groups in Microsoft 365.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

Using Microsoft Entra Admin Center

Microsoft 365 Permission Required
Global Admin, User Admin, or Groups Admin.
  • Login to the Microsoft Entra admin center.
  • Go to Identity»Groups and select All Groups.
  • Under Activity, click Audit logs.
  • In the group audit logs, you can see all group actions like creation, deletion, and modification.
Using Microsoft Entra Admin Center

Using Microsoft Purview Compliance Portal

Microsoft 365 Permission Required
Global Admin, User Admin, or Groups Admin.
  • Sign in to the Microsoft Purview compliance portal.
  • Navigate to the Audit tab under the Solutions section.
  • Choose the Microsoft Entra group administration activities that you need under Activities – friendly names and perform a search.
  • In this case, an audit log query was used to track group additions, showing all added groups in the specified period.
Using Microsoft Purview Compliance Portal

Using Windows PowerShell

Microsoft 365 Permission Required
Global Admin, User Admin, or Groups Admin.
  • Connect to Exchange Online PowerShell.
  • Use the cmdlet below to export all Microsoft 365 groups created in your organization during a specified period.
  • Windows PowerShell Windows PowerShell 
     Search-UnifiedAuditLog -StartDate 12/12/23 -EndDate 03/08/24 -Operations "Add group"
  • Customize the Operations parameter to retrieve any additional operations you need for Azure AD groups.
Using Windows PowerShell
AdminDroid Azure AD Reporter

Elevate Microsoft Entra ID Group Monitoring to New Heights!

AdminDroid Azure AD reporting enhances group monitoring with its in-depth Microsoft 365 group reports. It delivers detailed insights into various group types, including distribution, security, nested, mail-enabled groups, and more. This simplifies administration and provides a clear view of your Microsoft 365 group management tasks.

Instant Alerts for Group Activities

Stay informed and act quickly on security incidents with AdminDroid's real-time alerts for activities like unexpected group membership changes, oversharing, etc.

Optimize Group Auditing with Delegation

Divide Microsoft 365 group auditing tasks among specific admins with granular access delegation, ensuring more accurate monitoring and reducing the risk of errors.

A Complete Overview of Your Microsoft 365 Groups

Explore the Office 365 groups section to gain detailed insights into group usage trends, activity trends, active groups, etc.

Fine-Tune Group Reports with Advanced Filters

Customize your group reports with advanced filters, merge columns, and sort options. Additionally, export group audit reports in multiple formats to simplify your workflow.

Automate Group Audits with AdminDroid Scheduling

With AdminDroid's straightforward scheduling feature, forget the hassle of group auditing manually and have the reports delivered straight to your inbox!

Visualize Microsoft 365 Groups with Dedicated Dashboards

Discover a dedicated part within Azure AD dashboards tailored for groups, offering at-a-glance insights into total groups, empty groups, deleted groups, and more.

In conclusion, auditing Microsoft 365 groups is key for security, compliance, and effective use. AdminDroid offers a wide range of reports that enable efficient auditing of your Microsoft Entra ID groups. With its unique capabilities and advanced features, AdminDroid makes both group monitoring and Azure AD management effortless!

Explore a full range of reporting options
Download Live Demo

Important Tips

Enable unified audit logs either through the Microsoft portal or using PowerShell to closely track M365 group activities, ensuring thorough oversight.

Enhance security with PIM for groups in Microsoft 365, providing just-in-time access and access reviews to reduce unauthorized usage.

Configure self-service group management in Microsoft Entra ID for user-managed groups, reducing admin workload in your organization.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints for the Microsoft 365 groups audit report.

Error String was not recognized as a valid DateTime.

This error occurs when the start and end dates are not correctly specified while performing an audit log search in PowerShell.

Fix Specify the start and end dates using the format that matches your PowerShell settings, such as "MM/DD/YYYY". 
Search-UnifiedAuditLog -StartDate 12/12/2023 -EndDate 03/08/2024 -Operations "Add group"

Error Audit log search argument startDate (12/12/2024 12:00:00 AM) is later than endDate (03/08/2024 12:00:00 AM).

This error indicates that the startDate specified in the audit log search command is set to a later date than the endDate, which is not logically possible for a time-bound search.

Fix Ensure that the start date is earlier than the end date.

Error The cmdlet does not provide any output.

This error occurs when no group-related operations are performed within the specified duration or when the audit log search is disabled.

Fix Enable audit log search and verify that group-related operations occurred within the specified timeframe. 
Set-AdminAuditLog -UnifiedAuditLogInvestigationEnabled $true

Error A positional parameter cannot be found that accepts the argument 'group'.

This error occurs when the operation name is not correctly specified in the PowerShell cmdlet.

Fix Use the exact operation name (e.g., "Add group") instead of friendly names (e.g., "Added group") within double quotes to avoid this error. 
Search-UnifiedAuditLog -StartDate 12/12/2023 -EndDate 03/08/2024 -Operations "Add group"

Error The required module 'Microsoft.Graph.Authentication' with version '2.9.1' is not loaded.

This error occurs when the required Microsoft Graph PowerShell module, 'Microsoft.Graph.Authentication' version '2.9.1', is not imported into the PowerShell session.

Fix First, verify if the 'Microsoft.Graph.Authentication' module and its required version (2.9.1) are installed. You can check this using the "Get-Module" cmdlet. If the module is not installed, you can install it using the following cmdlet: 
Install-Module -Name Microsoft.Graph.Authentication -RequiredVersion 2.9.1 -Scope CurrentUser
// If the module is already installed, import it into your current PowerShell session with: 
Import-Module Microsoft.Graph.Authentication
Azure AD
Frequently Asked Questions

Audit All Groups for Effective User Management in Microsoft 365

How to find who created a Microsoft 365 group?
How to monitor group-based license changes?
How to manage group members in Azure AD?
How to manage Microsoft 365 group owners?
How to manage guest membership in Microsoft 365 groups?
How to manage who can create Microsoft 365 groups?

1. How to find who created a Microsoft 365 group?

As an admin, knowing who created a Microsoft 365 group helps you keep things tidy and avoid too many groups cluttering up your space.

To find a user who created a Microsoft 365 group, you can simply follow the steps below.

See Who Created a Group Using Microsoft 365 Admin Center

  • Login to the Microsoft 365 admin center.
  • Go to 'Active Teams & groups' under the 'Teams & groups' section.
  • Select the Microsoft 365 group you're interested in.
  • Look for the 'Other info' section in the 'General' tab.
  • Here, you'll see the date and time the group was created, who created it, and the portal through which it was created.
find-who-created

Use Microsoft 365 Audit Log Search to Find Who Created a Group

  • Sign in to the Microsoft Purview compliance portal.
  • Navigate to Solutions»Audit»Activities - friendly names»Microsoft Entra group administration activities.
  • This search displays all the users who created groups in Microsoft 365. However, it lists the groups by their IDs instead of group names. This will be challenging to identify groups and understand their purpose quickly.
Are you looking for a simpler way to find out who created a Microsoft 365 group?

Fortunately, with AdminDroid, identifying users who created a Microsoft 365 group is a breeze.

  • Navigate to Audit»Azure AD»Group Audit»Created Groups report.
  • Additionally, the 'Created by' filter within the report simplifies the process further, allowing you to easily sort and view groups created by a specific user.
created-groups-filter-edited

Here's a handy tip: Once you've set your filters, you can save them as your own custom view. This way, you won't have to set up the filters again every time. Plus, if you need the information locally or in your inbox, you can easily export the report into a CSV file.

2. How to monitor group-based license changes?

Microsoft 365 group-based licensing lets admins assign licenses to a group, and group members will automatically inherit the licenses. However, tracking changes to group licenses, such as additions and removals, can be difficult, which leads to compliance issues and inefficiencies in group license management.

Monitoring group-based license changes is crucial for several reasons:

  • Ensuring that users have the correct licenses to maintain compliance with licensing agreements and prevent any potential legal or financial issues.
  • Monitoring license changes can help identify unused or underutilized licenses, allowing organizations to optimize costs by reallocating licenses whenever needed.

Unfortunately, Microsoft doesn't provide any straightforward method to view group-based license changes. Thus, it's challenging for admins to track and understand the changes in group license assignments.

AdminDroid makes it easy to track all group-based license changes in Microsoft 365!

  • With AdminDroid, you can easily audit the Microsoft 365 Group License Changes report whenever there is a change in the Azure AD group license.
  • This report lets admins easily manage group licenses, ensuring accurate and secure allocation of licenses within Microsoft 365 groups.
group-license-changes-question

Here's a quick tip: Tailor your reports to fit your style with AdminDroid's versatile reporting options. Choose from pie charts, donut charts, bar charts, heat maps, or geo maps to match your preferences. Simply click the customize button in the right corner to personalize your reports just the way you like.

customize-handy-tip

3. How to manage group members in Azure AD?

As an admin, managing Microsoft 365 group membership is crucial to prevent accidental exposure of sensitive data. Group membership changes can impact data security. So, it's important to control who has membership and access rights within groups.

To add or remove members in groups, you can use the Microsoft 365 admin center.

Add Members to a Group

  • Login to the Microsoft 365 admin center.
  • Go to Teams & groups »Active teams & groups.
  • Click on a group name and navigate to the Membership tab.
  • To add members, click "Add members".
  • Search and select the user, then click "Add".

Remove Members from a Group

  • Under the Membership section, you can also remove a member.
  • To remove a member, select the user and click "Remove as member".
  • Click "Remove".

To manage Microsoft 365 groups, detailed reports can be invaluable. Our guide offers efficient methods to obtain a group membership report in Azure Active Directory.

  • Using Microsoft Entra Admin Center: Learn how to utilize the Microsoft Entra admin center to identify and manage group members within your organization.
  • Using Azure AD PowerShell: This approach provides PowerShell cmdlets and a script for retrieving group memberships in Microsoft Entra ID groups.
  • AdminDroid Azure AD Reporter: Explore how AdminDroid facilitates detailed monitoring of Microsoft 365 group memberships. AdminDroid's clear reports and charts streamline the process of managing group members, offering valuable insights along the way.

4. How to manage Microsoft 365 group owners?

Managing Microsoft 365 group owners is essential for maintaining data security and oversight. By default, the person who creates a group becomes a group owner.

However, groups may have multiple owners for various reasons, such as backup support. Members can be promoted to owners, and owners can be downgraded to members.

  • To promote a member to an owner, choose a specific user in the Members section. Then select "Make owner" and click "Promote" for the member you wish to promote.
  • To downgrade a owner to a member, select the group and locate the owner under the Ownership section. Click "Remove as owner", then select "Remove".

It's crucial to keep a close eye on ownership roles, as groups are often formed through voluntary member addition or invitations by current owners. Admins should monitor Microsoft 365 group owners to boost teamwork, ensure leaders are qualified, adapt to organizational changes, and enhance user engagement.

Also, monitoring ownership changes helps maintain a secure and well-managed collaborative environment.

Identifying Microsoft 365 group owner changes is much easier with AdminDroid!

  • AdminDroid offers the Group Owner Changes report under the Group Audit section. This helps you to monitor group ownership and keeps you updated on leadership shifts.
audit-group-owner-changes

5. How to manage guest membership in Microsoft 365 groups?

Ensuring a secure working environment within Microsoft 365 is paramount, especially with the increasing integration of guest users into organizational workflows. The addition of guest users can lead to unauthorized access, loss of sensitive information, higher chances of malware attacks, and a lack of control over external access.

Here's why vigilantly monitoring guest user membership is crucial:

  • By actively tracking their memberships, organizations can ensure that guest access levels are appropriate. Admins can also swiftly remove access for users who no longer need it, helping to prevent unauthorized access.
  • Effective monitoring also aids in the efficient allocation of resources. It prevents guest accounts from consuming more resources than necessary and helps to maintain operational integrity & ensures data privacy.

Tracking guest memberships in the Microsoft 365 admin center can be complex, involving the review of each guest user's group individually, which can be time-consuming.

The importance of managing guest memberships in Microsoft 365 groups cannot be understated.

Without close monitoring, guest accounts might retain access to sensitive information longer than required, leading to possible security problems or rule violations.

To address these challenges, we've curated a straightforward guide to help you identify guest user memberships in Microsoft 365 groups with ease.

In this guide, you'll discover:

  • Using Microsoft 365 Admin Center: It explains how to use the Microsoft 365 admin center to effectively review and adjust guest memberships. This section makes it easier to identify and manage guest users within your organization.
  • Using Azure AD PowerShell: This approach includes PowerShell cmdlets and a script for detailed guest membership insights in Microsoft Entra ID groups, covering email, account age, and creation date.
  • AdminDroid Azure AD Reporter: It facilitates in-depth exploration of guest user group memberships in Microsoft 365. With its automated reporting features and visual analytics, managing Microsoft 365 groups becomes more straightforward and insightful.

6. How to manage who can create Microsoft 365 groups?

Preventing users from creating groups in Microsoft 365 is crucial for effective group management in larger organizations. Follow these steps to control group creation:

  • Create a group in Microsoft 365 admin center for users to whom you wish to allow group creation permission. Note down the group name.
  • Connect to the Microsoft Graph Beta PowerShell module.
  • Execute the below code after replacing GroupName with your created group name.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All" 
$GroupName = ""
$AllowGroupCreation = "False" 
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$params = @{
templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b" 
values = @(
@{
name = "EnableMSStandardBlockedWords"
 value = "true"
}
)
}
New-MgBetaDirectorySetting -BodyParameter $params
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).Id 
}
$groupId = (Get-MgBetaGroup | Where-object {$_.displayname -eq "GroupName"}).Id 
$params = @{
templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
values = @(
@{
name = "EnableGroupCreation"
value = $AllowGroupCreation
} 
@{
name = "GroupCreationAllowedGroupId
value = $groupId
) 
} 
Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter
 $params
(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values
  • By executing this script, you will update the group creation settings. This means only members in the specified group can create new groups in Microsoft 365.
  • In the PS output, the last line will display the updated settings: "EnableGroupCreation" is set to "False", and the "GroupCreationAllowedGroupId" is configured to a specific group.
manage-who-can-create

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Get Group Audit Report in Microsoft 365
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo