Office 365 Audit Records Useful Source of Information
Recently another MVP pointed out that Office 365 Activity Alerts don’t seem to work so well. At least, he tried to set one up to alert him when someone created a new team and no alert was ever sounded.
Activity alerts depend on events logged in the Office 365 audit log. I tried to create an activity alert for new team creations and Office 365 remained mute for several days. In fact, I haven’t seen an activity alert for team creation yet. Something odd is happening on the back end because the events are in the audit log.
Script for DIY Emailed Report
In any case, I decided to roll my own activity alert by running the Search-UnifiedAuditLog cmdlet to find team creation events, parsing the AuditData content, and emailing the resulting information. Because I don’t like recreating the wheel, I combined code from Chapter 21 of the Office 365 for IT Pros eBook to parse the results returned from Search-UnifiedAuditLog and some code from one of my Petri.com articles to format and send the message. The mailbox used must be enabled to use SMTP AUTH.
The original script appeared on 30 July 2019. This is version 2 of the code and it adds some information to the emailed report such as the privacy setting for the team, its classification, the number of group members, and the number of guests. You’ll also note that I sort the audit records by team name to get one record for each team. Sometimes Office 365 creates multiple audit records when a new team is created. Remember to update the $EmailRecipient variable with a valid email address before you run the script.
# TeamsCreationReportByEmail.PS1
# A script to locate Office 365 audit records for the creation of new Teams and report the fact via email.
# V2.0 22 Oct 2019
# Uses the Exchange Online PowerShell module...
$StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date).AddDays(1)
#HTML header with styles
$htmlhead="
<style>
BODY{font-family: Arial; font-size: 10pt;}
H1{font-size: 22px;}
H2{font-size: 18px; padding-top: 10px;}
H3{font-size: 16px; padding-top: 8px;}
</style>"
#Header for the message
$HtmlBody = "
<h1>Teams Creation Report for teams created between $(Get-Date($StartDate) -format g) and $(Get-Date($EndDate) -format g)</h1>
<p><strong>Generated:</strong> $(Get-Date -Format g)</p>
<h2><u>Details of Teams Created</u></h2>"
#Person to get the email
$EmailRecipient = "SomeoneinYourTenant@Tenant.com" # <- Update this with the real address
If (-not $O365Cred) { #Make sure we have credentials
$O365Cred = (Get-Credential)}
$MsgFrom = $O365Cred.UserName ; $SmtpServer = "smtp.office365.com" ; $SmtpPort = '587'
# Find records for team creation in the Office 365 audit log
Write-Host "Looking for Team Creation Audit Records..."
$Records = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "TeamCreated" -ResultSize 1000)
If ($Records.Count -eq 0) {
Write-Host "No Team Creation records found." }
Else {
Write-Host "Processing" $Records.Count "audit records..."
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Records) {
$AuditData = ConvertFrom-Json $Rec.Auditdata
$O365Group = (Get-UnifiedGroup -Identity $AuditData.TeamName) # Need some Office 365 Group properties
$ReportLine = [PSCustomObject]@{
TimeStamp = Get-Date($AuditData.CreationTime) -format g
User = $AuditData.UserId
Action = $AuditData.Operation
TeamName = $AuditData.TeamName
Privacy = $O365Group.AccessType
Classification = $O365Group.Classification
MemberCount = $O365Group.GroupMemberCount
GuestCount = $O365Group.GroupExternalMemberCount
ManagedBy = $O365Group.ManagedBy}
$Report.Add($ReportLine) }
}
# Add details of each team
$Report | Sort TeamName -Unique | ForEach {
$htmlHeaderTeam = "<h2>" + $_.TeamName + "</h2>"
$htmlline1 = "<p>Created on <b>" + $_.TimeStamp + "</b> by: " + $_.User + "</p>"
$htmlline2 = "<p>Privacy: <b>" + $_.Privacy + "</b> Classification: <b>" + $_.Classification + "</b></p>"
$htmlline3 = "<p>Member count: <b>" + $_.MemberCount + "</b> Guest members: <b>" + $_.GuestCount + "</b></p>"
$htmlbody = $htmlbody + $htmlheaderTeam + $htmlline1 + $htmlline2 + $htmlline3 + "<p>"
}
# Finish up the HTML message body
$HtmlMsg = "" + $HtmlHead + $HtmlBody
# Construct the message parameters and send it off...
$MsgParam = @{
To = $EmailRecipient
From = $MsgFrom
Subject = "Teams Creation Report"
Body = $HtmlMsg
SmtpServer = $SmtpServer
Port = $SmtpPort
Credential = $O365Cred}
Send-MailMessage @msgParam -UseSSL -BodyAsHTML ; Write-Host "Teams Creation Report sent by email to" $EmailRecipient
Figure 1 shows what the resulting email looks like:
You can download a copy of the script from GitHub. Feel free to amend the script to meet your own requirements. Don’t forget to tell us about all the great improvements you make by posting comments here.
Thanks for the information. It worked really fine! I did some ammends, to report if the Teams is public or private (requested by management), but it saved a lot of time.
Thanks for the idea David… I have refreshed the script to add more team properties to the creation report.
I’m getting an error Method invocation failed because [System.Collections.Generic.List`1[ does not contain a method named ‘new’. Any idea why?
At this line?
$Report = [System.Collections.Generic.List[Object]]::new()
That’s a basic PowerShell command. It should work without any problems.
Thanks for this. You saved me hours!
This is exciting. I’m trying to get it to run and it seems to complete, but I am not receiving the emails.
After using IP of server, I get:
Send-MailMessage : The remote certificate is invalid according to the validation procedure.
After using URL, I get:
Send-MailMessage : The remote name could not be resolved:
Is there any way to get it to open this as an HTML instead?
Is the mailbox you connect to enabled for SMTP AUTH? https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission