How to Generate and Send a Teams Creation Report by Email

Office 365 Audit Records Useful Source of Information

Recently another MVP pointed out that Office 365 Activity Alerts don’t seem to work so well. At least, he tried to set one up to alert him when someone created a new team and no alert was ever sounded.

Activity alerts depend on events logged in the Office 365 audit log. I tried to create an activity alert for new team creations and Office 365 remained mute for several days. In fact, I haven’t seen an activity alert for team creation yet. Something odd is happening on the back end because the events are in the audit log.

Script for DIY Emailed Report

In any case, I decided to roll my own activity alert by running the Search-UnifiedAuditLog cmdlet to find team creation events, parsing the AuditData content, and emailing the resulting information. Because I don’t like recreating the wheel, I combined code from Chapter 21 of the Office 365 for IT Pros eBook to parse the results returned from Search-UnifiedAuditLog and some code from one of my Petri.com articles to format and send the message. The mailbox used must be enabled to use SMTP AUTH.

The original script appeared on 30 July 2019. This is version 2 of the code and it adds some information to the emailed report such as the privacy setting for the team, its classification, the number of group members, and the number of guests. You’ll also note that I sort the audit records by team name to get one record for each team. Sometimes Office 365 creates multiple audit records when a new team is created. Remember to update the $EmailRecipient variable with a valid email address before you run the script.

# TeamsCreationReportByEmail.PS1
# A script to locate Office 365 audit records for the creation of new Teams and report the fact via email.
# V2.0 22 Oct 2019
# Uses the Exchange Online PowerShell module...
$StartDate = (Get-Date).AddDays(-90); $EndDate = (Get-Date).AddDays(1)
#HTML header with styles
$htmlhead="
     <style>
      BODY{font-family: Arial; font-size: 10pt;}
	H1{font-size: 22px;}
	H2{font-size: 18px; padding-top: 10px;}
	H3{font-size: 16px; padding-top: 8px;}
    </style>"

#Header for the message
$HtmlBody = "
     <h1>Teams Creation Report for teams created between $(Get-Date($StartDate) -format g) and $(Get-Date($EndDate) -format g)</h1>
     <p><strong>Generated:</strong> $(Get-Date -Format g)</p>  
     <h2><u>Details of Teams Created</u></h2>"
#Person to get the email
$EmailRecipient = "SomeoneinYourTenant@Tenant.com" # &lt;- Update this with the real address

If (-not $O365Cred) { #Make sure we have credentials
    $O365Cred = (Get-Credential)}
$MsgFrom = $O365Cred.UserName ; $SmtpServer = "smtp.office365.com" ; $SmtpPort = '587'

# Find records for team creation in the Office 365 audit log
Write-Host "Looking for Team Creation Audit Records..."
$Records = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "TeamCreated" -ResultSize 1000)
If ($Records.Count -eq 0) {
    Write-Host "No Team Creation records found." }
Else {
    Write-Host "Processing" $Records.Count "audit records..."
    $Report = [System.Collections.Generic.List[Object]]::new()
    ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.Auditdata
      $O365Group = (Get-UnifiedGroup -Identity $AuditData.TeamName) # Need some Office 365 Group properties
      $ReportLine = [PSCustomObject]@{
        TimeStamp      = Get-Date($AuditData.CreationTime) -format g
        User           = $AuditData.UserId
        Action         = $AuditData.Operation
        TeamName       = $AuditData.TeamName
        Privacy        = $O365Group.AccessType
        Classification = $O365Group.Classification
        MemberCount    = $O365Group.GroupMemberCount 
        GuestCount     = $O365Group.GroupExternalMemberCount
        ManagedBy      = $O365Group.ManagedBy}
     $Report.Add($ReportLine) }
}
# Add details of each team
$Report | Sort TeamName -Unique | ForEach {
    $htmlHeaderTeam = "<h2>" + $_.TeamName + "</h2>"
    $htmlline1 = "<p>Created on <b>" + $_.TimeStamp + "</b> by: " + $_.User + "</p>"
    $htmlline2 = "<p>Privacy: <b>" + $_.Privacy + "</b> Classification: <b>" + $_.Classification + "</b></p>"
    $htmlline3 = "<p>Member count: <b>" + $_.MemberCount + "</b> Guest members: <b>" + $_.GuestCount + "</b></p>"
    $htmlbody = $htmlbody + $htmlheaderTeam + $htmlline1 + $htmlline2 + $htmlline3 + "<p>"
}
# Finish up the HTML message body    
$HtmlMsg = "" + $HtmlHead + $HtmlBody
# Construct the message parameters and send it off...
 $MsgParam = @{
     To = $EmailRecipient
     From = $MsgFrom
     Subject = "Teams Creation Report"
     Body = $HtmlMsg
     SmtpServer = $SmtpServer
     Port = $SmtpPort
     Credential = $O365Cred}
Send-MailMessage @msgParam -UseSSL -BodyAsHTML ; Write-Host "Teams Creation Report sent by email to" $EmailRecipient 

Figure 1 shows what the resulting email looks like:

The Teams Creation Report as emailed
Figure 1: The Teams Creation Report as emailed

You can download a copy of the script from GitHub. Feel free to amend the script to meet your own requirements. Don’t forget to tell us about all the great improvements you make by posting comments here.

10 Replies to “How to Generate and Send a Teams Creation Report by Email”

  1. Thanks for the information. It worked really fine! I did some ammends, to report if the Teams is public or private (requested by management), but it saved a lot of time.

  2. Thanks for the idea David… I have refreshed the script to add more team properties to the creation report.

  3. I’m getting an error Method invocation failed because [System.Collections.Generic.List`1[ does not contain a method named ‘new’. Any idea why?

    1. At this line?

      $Report = [System.Collections.Generic.List[Object]]::new()

      That’s a basic PowerShell command. It should work without any problems.

    1. After using IP of server, I get:
      Send-MailMessage : The remote certificate is invalid according to the validation procedure.

      After using URL, I get:
      Send-MailMessage : The remote name could not be resolved:

      Is there any way to get it to open this as an HTML instead?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.