MeetingParticipantDetail – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365

Teams Meeting Audit Events Available to Purview Audit Standard Customers
https://office365itpros.com/2024/05/30/teams-meeting-audit-events-standard/
Thu, 30 May 2024 07:00:00 +0000

Teams Meeting Audit Events for Meeting and Participant Details

Last week’s news that Microsoft has started to make a set of premium audit events available to customers with Purview Audit (standard) licenses was welcome. The idea is that customers can use significant audit events like MailItemsAccessed and Send in forensic investigations of user activity that are often necessary when account compromise is suspected. Previously, Purview audit only generated these events for accounts with Purview Audit (Premium) licenses.

Teams Meetings Audit Events

Along with the Exchange events, Microsoft is making an additional fifteen Teams audit events available to Purview Audit standard customers. Among the set are audit events to capture details of meetings and meeting participants. The MeetingDetail event captures information such as the start and end time for a meeting, the URL to join the meeting, and the modalities used in a meeting such as audio and video. The MeetingParticipant event captures details of user participation in a meeting including their join and leave times and is like the information recorded in the attendance report.

I wrote about the Teams meeting audit events after their introduction in 2021 and explained how to generate a report from the audit records (I have since updated the script to use the Microsoft Graph PowerShell SDK to resolve user identifiers instead of the Azure AD module). The same script works today, and you can get it using the link in the original article.

In passing, MC772556 (updated 17 May 2024, Microsoft 365 roadmap item 381953) announces that Microsoft plans to shorten the URL created for Teams meetings to introduce a simplified syntax and make the links easier to share. Old URLs will continue to work after the introduction of the new version, now scheduled for August 2024.

A Delay in Audit Event Generation

In my 2021 article, I noted that Teams meeting audit events are generated some time after a meeting concludes. Workloads usually generate audit events soon after an action like a file modification or group creation completes. Teams meeting audit events appear in the audit log several hours after a meeting finishes. The same continues today. It’s possible that the delay occurs because a meeting can last past its scheduled time and can restart after an initial event concludes. The delay might exist to allow Teams to be sure that meetings are over before it generates the audit events.

Some Data Missing from Teams Meeting Audit Events

In addition, the meeting detail event doesn’t include some important properties about the scheduled event. For instance, the meeting subject isn’t captured (Figure 1), nor are the scheduled start and end times. Instead, the event records the actual start and end times of a meeting. Not capturing the meeting subject might be for privacy reasons.

Figure 1: No meeting subject recorded in Teams meeting audit events

Looking at the meeting participant detail events, we see the duration (in seconds) of the connection by individual participants to a meeting, details of the device used, and the meeting type (scheduled or ad hoc). But it seems like the audit events don’t capture details of guest users who join meetings when signed into Teams in their host tenants.

On the other hand, Teams meeting audit events do capture the participation of people from other tenants who don’t have guest accounts in your tenant (federated participants). The upshot is that the participation information for some meetings is incomplete. It’s fine if you only ever want to report on the activity of internal users, but the big picture misses some important data.

Real Forensic Information

My conclusion is that if it’s necessary to report full details about Teams meetings, including attendance reports, you must use the Get OnlineMeeting Graph API. This is how the Teams clients fetch information about meetings.

Some complications exist. First, you need an Entra ID app registration to hold the application permissions necessary to read calendar events from user mailboxes and the meeting details. Second, unlike using other Graph application permissions to access data from all accounts in a tenant, Teams uses application access policies to protect online event information. An application access policy grants access to an app to online event information for specific accounts. Another complication is the formatting of the meeting identifiers used to access online events.

Once you have all the necessary access, reporting Teams meetings is a matter of finding online events in user calendars and retrieving the information for each event. I’ll write about how to create the definitive report about Teams online meetings when I finish up the script.


New High-Value Audit Records Capture Details of Microsoft Teams Meetings
https://office365itpros.com/2021/12/09/teams-meeting-audit-events/
Thu, 09 Dec 2021 01:00:00 +0000

New Teams Meeting Audit Events in Purview Advanced Auditing

Updated 25 May 2024

In March 2020, Microsoft made the MailItemsAccessed audit event available. This was the first high-value Microsoft 365 audit event designed to help forensic investigators gain extra detail of what happened when they respond to security or internal events. We now have the first high-value Teams audit information in the MeetingDetail and MeetingParticipantDetail events. According to message center notification MC298031 (Nov 13, 2021), the events are now available in tenants.

When a meeting occurs, Teams logs a single MeetingDetail event to capture basic information about the meeting such as its start and end time. Teams also logs separate MeetingParticipantDetail events for each user (including guests) or application (like the recording bot) who joins the meeting. If the meeting starts and stops several times, Teams captures separate sets of audit events.

Licensing and Output

The important thing is that Teams captures this audit data only if users have the necessary licenses for advanced auditing. Office 365 E5 and a bunch of other Microsoft 365 products include advanced auditing. Office 365 E3 and any lower plan do not.

Update: Microsoft now generates the Teams meeting audit events for all accounts with Microsoft Purview (standard) licenses.

At least, that’s the way things are supposed to happen. My tenant uses a mixture of licenses, but the audit data captured for Teams meetings doesn’t happen as you might expect. First, the records don’t appear as quickly as other Teams audit events after a meeting ends. I think this is because a background process looks for meeting information and generates the events some time after a meeting finishes. At least, the creation date for the audit records is several hours after a meeting’s scheduled time. This might be done to ensure that the meeting is over, but it means that you should ignore the audit event creation time when tracking when meetings happen. In addition, as you’d expect, the information captured in the two events differs too, so some care is needed to parse out the audit payload.

Reporting Teams Meeting Audit Events

In any case, I wrote a script to illustrate how to find and parse the audit records for Teams meetings. You can download the script from GitHub. The code is simple:

  • Set a time span to search for records. I look for the last 30 days. With Office 365 E5 or above, you can go back up to 365 days; otherwise, the limit is 180 days.
  • Run the Search-UnifiedAuditLog cmdlet to find Teams meetings audit events.
  • Parse each audit record to extract information from its payload. Use the Get-MgUser cmdlet to resolve the identifiers captured for meeting organizers and participants.
  • Insert the data in a PowerShell list.
  • After processing all records, generate a CSV file.

After processing, a participant record (MeetingParticipantDetail) looks like this. You can see that the date recorded for the audit record is well after the person attended the meeting.

Date        : 09/12/2021 01:55:48
User        : Jack.Smith@office365itpros.com
MeetingId   : 87109282-1c08-4272-834b-16d6b9defa01
MeetingType : ScheduledMeeting
Start       : 08/12/2021 17:33
End         : 08/12/2021 17:37
User Time   : 00:03:53
Role        : 1
DetailId    : 87109282-1c08-4272-834b-16d6b9defa01
Artifacts   :
UserInfo    : SkypeSpaces/1415/1.0.0.2021120320/os=windows; osVer=10; deviceType=computer; browser=chrome;
              browserVer=96.0/TsCallingVersion=2021.42.01.1/Ovb=1c67ad38b440f3c30eadde98e59d505b1dd1c056
Type        : Participant
Operation   : MeetingParticipantDetail

While a meeting record (MeetingDetail) looks like:

Date        : 09/12/2021 01:55:48
User        : Sean.Landy@office365itpros.com
MeetingId   : 87109282-1c08-4272-834b-16d6b9defa01
MeetingType : ScheduledMeeting
Start       : 08/12/2021 17:33
End         : 08/12/2021 17:37
MeetingTime : 00:03:53
Organizer   : Sean Landy
Modalities  : Audio
MeetingURL  : teams.microsoft.com/l/meetup-join/19%3ameeting_MGRlYWRlMzctM2ViMC00OGUyLTg3NzAtMDc1MjdiZGU0MjBm%40thread.
              v2/0?context=%7b%22Tid%22%3a%22b662313f-14fc-43a2-9a7a-d2e27f4f3478%22%2c%22Oid%22%3a%2208dda855-5dc3-4fd
              c-8458-cbc494a5a774%22%7d
Type        : Meeting
Operation   : MeetingDetail

Figure 1 shows the output data created by the script (refreshed in 2024). There are both MeetingDetail and MeetingParticipantDetail records shown in the list. The point is that once you extract the set of Teams meeting audit events, you can slice and dice them as you wish.

Figure 1: Reporting Teams meeting audit events

The code works for the audit records I see in my tenant. I cannot attest that the code handles every permutation of audit data captured in these records, but as the code uses relatively simple PowerShell, it should be possible to amend the code to handle other conditions.
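
An added example, not part of the author's script: taking rows in the shape of the report output shown above, it matches each MeetingParticipantDetail row to its MeetingDetail row and measures how long after the participant left the audit record was logged. The ConvertTo-ReportDate helper, the DetailId-to-MeetingId match, and the third sample row are assumptions made for illustration.

```powershell
# Constructed sample rows: column names and the first two rows follow the report output above.
# The third row is invented to show a participant row with no matching meeting row.
$Report = @(
    [PSCustomObject]@{ Operation = 'MeetingDetail'; Date = '09/12/2021 01:55:48'
        User = 'Sean.Landy@office365itpros.com'; MeetingId = '87109282-1c08-4272-834b-16d6b9defa01'
        Start = '08/12/2021 17:33'; End = '08/12/2021 17:37'; Organizer = 'Sean Landy' }
    [PSCustomObject]@{ Operation = 'MeetingParticipantDetail'; Date = '09/12/2021 01:55:48'
        User = 'Jack.Smith@office365itpros.com'; DetailId = '87109282-1c08-4272-834b-16d6b9defa01'
        Start = '08/12/2021 17:33'; End = '08/12/2021 17:37' }
    [PSCustomObject]@{ Operation = 'MeetingParticipantDetail'; Date = '09/12/2021 02:10:00'
        User = 'constructed.user@example.com'; DetailId = '00000000-0000-0000-0000-000000000000'
        Start = '08/12/2021 18:00'; End = '08/12/2021 18:20' }
)

function ConvertTo-ReportDate {
    param([Parameter(Mandatory)][string]$Text)
    # Assumption: dates use the day/month/year layout seen in the sample output.
    $Formats = [string[]]@('dd/MM/yyyy HH:mm:ss', 'dd/MM/yyyy HH:mm')
    [datetime]::ParseExact($Text, $Formats, [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None)
}

# Index meeting rows by MeetingId so participant rows can be matched through DetailId.
$Meetings = @{}
$Report | Where-Object Operation -eq 'MeetingDetail' | ForEach-Object { $Meetings[$_.MeetingId] = $_ }

$Timeline = foreach ($Row in $Report | Where-Object Operation -eq 'MeetingParticipantDetail') {
    $Joined  = ConvertTo-ReportDate $Row.Start
    $Left    = ConvertTo-ReportDate $Row.End
    $Logged  = ConvertTo-ReportDate $Row.Date
    $Meeting = $Meetings[$Row.DetailId]
    [PSCustomObject]@{
        User          = $Row.User
        Organizer     = if ($Meeting) { $Meeting.Organizer } else { 'No MeetingDetail row found' }
        Joined        = $Joined
        Left          = $Left
        MinutesInCall = [math]::Round(($Left - $Joined).TotalMinutes, 1)
        # Hours between the participant leaving and the audit record's own date.
        LogDelayHours = [math]::Round(($Logged - $Left).TotalHours, 1)
    }
}
# Order the timeline by when people joined, not by when the audit record was created.
$Timeline | Sort-Object Joined | Format-Table -AutoSize
```

To run it against a real report, replace the constructed `$Report` array with `Import-Csv` of the file the script generates, and adjust the date formats if the report was produced under a different regional setting.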

Investigations Will Prove the Worth of Teams Meeting Audit Events

I’m not totally convinced that the information captured in Teams meeting audit records is of high value. The basic knowledge to gain is that someone attended a meeting for a certain length of time, information that’s already in the attendance report that the meeting organizer can download. Some information that I would like to see is missing, such as the meeting title (admittedly, the meeting URL is available, so Graph API calls can find the meeting title).

It is advantageous to be able to search for and retrieve the information from the audit log along with other records of interest to investigators, especially for meetings that someone might try to hide by removing all trace from their calendar. Time will tell if investigators find the information captured in Teams meeting audit records helpful in their work and how they use the data. Remember that Teams stores attendance data for webinars in hidden Lists, so if these events are involved in an investigation, it’s probably better to go there to learn who attended the event.

