Office 365 for IT Pros

How to Monitor the Addition of New Guest Accounts to Teams


Know When New Guest Accounts Are Added to Your Tenant

Updated 14-Aug-2023

A reader question asks if it’s possible to monitor the add member to Teams action, specifically the addition of new guest accounts. The easy answer is “of course” because you can create an activity alert to monitor the audit records generated in the Office 365 audit log by the addition of new members. The problem is that Teams doesn’t distinguish between the addition of tenant accounts or guest accounts when they are added to a team. Still, an activity alert is enough to check additions.

Process Audit Log Data with PowerShell

But given that audit records are generated (if you have Office 365 E3 or later), we can do a better job with some relatively simple PowerShell to extract and process the audit log data. The steps we need to perform are:

These steps might sound complicated, but they are straightforward. An example script can be downloaded from GitHub.

Building the Script to Report the Add Member to Teams Action

The first part of the script finds audit records for additions to team membership – this example looks for any addition in the last week.

[array]$Records = Search-UnifiedAuditLog -StartDate ((Get-Date).AddDays(-7)) -EndDate ((Get-Date).AddDays(1)) -ResultSize 5000 -Operations MemberAdded -RecordType MicrosoftTeams

Next, we loop through the records returned by the search to find out if the user recorded as a new member is a guest and, if so, whether it is a newly created guest account. Again, the check is for guest accounts created in the last seven days. Note that Teams records MemberAdded audit events both for users being added to a team and for users being added to a group chat. This is why we need to check the CommunicationType property in AuditData.

# Assumes Connect-ExchangeOnline (for Search-UnifiedAuditLog) and Connect-MgGraph -Scopes User.Read.All (for Get-MgUser) have already run
If ($Records) {
   $Report = [System.Collections.Generic.List[Object]]::new() # Create list to hold the report
   Write-Host "Processing" $Records.Count "audit records for addition of users to Microsoft Teams"
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.AuditData # Get payload
      ForEach ($M in $AuditData.Members) { # Examine users added to see if any are guests
         # Guest UPNs contain #EXT#; only count additions to a team rather than a group chat
         If (($M.UPN -Like "*#EXT#@*") -and ($AuditData.CommunicationType -eq "Team")) {
            $GuestUser = Get-MgUser -UserId $M.UPN -Property Id, DisplayName, Mail, CreatedDateTime
            $AccountAge = ($GuestUser.CreatedDateTime | New-TimeSpan).Days
            If ($AccountAge -le 7) { # Guest created within last 7 days so write out details
               $ReportLine = [PSCustomObject]@{
                  Guest          = $GuestUser.Mail
                  Name           = $GuestUser.DisplayName
                  Created        = $GuestUser.CreatedDateTime
                  AgeInDays      = $AccountAge
                  DateAddedTeams = Get-Date $AuditData.CreationTime -Format g
                  TeamName       = $AuditData.TeamName
                  AddedBy        = $AuditData.UserId
                  GroupId        = $AuditData.AADGroupId }
               $Report.Add($ReportLine)
            } # End if (AccountAge)
         } # End if (Guest user check)
      } # End ForEach (Members)
   } # End ForEach (Records)
} # End if (Records)
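As an added example that is not part of the original post or the GitHub script, the following function applies the same guest-and-team filter to the AuditData payload of a MemberAdded record and returns the guests found together with the home domain encoded in each guest UPN. It runs offline against a constructed sample record (the names, domains and group id are made up), so the detection logic can be checked before the script is pointed at a tenant.

```powershell
# Added example: parse the AuditData payload of a Teams MemberAdded audit record and
# return the guest accounts that were added to a team (group chat additions are ignored).
function Get-GuestTeamAdditions {
    param(
        [Parameter(Mandatory)][string]$AuditDataJson   # AuditData property of a Search-UnifiedAuditLog result
    )
    $AuditData = ConvertFrom-Json $AuditDataJson
    # Teams also writes MemberAdded for group chats; only team additions count here
    if ($AuditData.CommunicationType -ne 'Team') { return @() }
    $Guests = [System.Collections.Generic.List[Object]]::new()
    foreach ($M in $AuditData.Members) {
        # Guest accounts carry the #EXT# marker in their UPN; test the UPN property explicitly
        if ($M.UPN -like '*#EXT#@*') {
            # The part before #EXT# is the guest's original address with @ replaced by _,
            # so everything after the last underscore is the home domain of the guest
            $HomeDomain = ($M.UPN -split '#EXT#')[0] -replace '.*_', ''
            $Guests.Add([PSCustomObject]@{
                GuestUPN   = $M.UPN
                HomeDomain = $HomeDomain
                TeamName   = $AuditData.TeamName
                AddedBy    = $AuditData.UserId
                AddedAt    = Get-Date $AuditData.CreationTime
            })
        }
    }
    return $Guests
}

# Constructed sample record (property names follow the ones the script above reads; values are made up)
$SampleJson = @'
{
  "CreationTime": "2023-08-10T09:15:00",
  "Operation": "MemberAdded",
  "UserId": "owner@contoso.example",
  "CommunicationType": "Team",
  "TeamName": "Project Falcon",
  "AADGroupId": "00000000-0000-0000-0000-000000000000",
  "Members": [
    { "UPN": "alice@contoso.example", "Role": 1, "DisplayName": "Alice" },
    { "UPN": "bob_fabrikam.example#EXT#@contoso.example", "Role": 2, "DisplayName": "Bob (Guest)" }
  ]
}
'@

# Expected: one row for Bob with HomeDomain fabrikam.example; Alice (a tenant account) is skipped
Get-GuestTeamAdditions -AuditDataJson $SampleJson | Format-Table GuestUPN, HomeDomain, TeamName, AddedBy
```

Feeding each `$Rec.AuditData` string from the search into this function gives the same selection the loop above makes, without the Get-MgUser call, which makes it a convenient place to add extra checks such as an allow list of expected partner domains.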

Finally, we email the person who added the member to the team to ask them to provide a justification (Figure 1).

# Values assumed to be set earlier in the script: sender address, SMTP endpoint and a credential for SMTP AUTH
$MsgFrom = "Guest.Monitor@contoso.example"           # placeholder sender address
$SmtpServer = "smtp.office365.com"; $SmtpPort = 587   # Exchange Online SMTP AUTH endpoint
$O365Cred = Get-Credential -Message "Credential for SMTP AUTH"
$HtmlHead = "<html><body>"
ForEach ($R in $Report) { # One message per new guest found above
   $HtmlHeaderUser = "<h2>A new guest user has been created in our tenant</h2>"
   $BodyText = "<p>" + $R.Guest + " (" + $R.Name + ") was created on " + $R.Created + " and added to the " + $R.TeamName + " team. Please reply with a justification for this guest.</p>"
   $HtmlBody = $HtmlHeaderUser + $BodyText + "<p>"
   $HtmlMsg = $HtmlHead + $HtmlBody + "</body></html>"
   # Construct the message parameters and send it off...
   $MsgParam = @{
      To         = $R.AddedBy
      From       = $MsgFrom
      Subject    = "New Guest User Added"
      Body       = $HtmlMsg
      SmtpServer = $SmtpServer
      Port       = $SmtpPort
      Credential = $O365Cred }
   Send-MailMessage @MsgParam -UseSsl -BodyAsHtml
} # End ForEach (Report)

Figure 1: The email sent to team owners

Script Will Need to be Updated

Send-MailMessage uses the SMTP AUTH protocol to connect and send the message. Microsoft has not yet said when they will deprecate SMTP AUTH as part of their ongoing effort to remove basic authentication. If they do, the script will need to be updated to use whatever method is provided to allow PowerShell scripts to send email using modern authentication.

In summary, this is yet another example of where the unified audit log holds valuable information to help tenant administrators understand what’s happening inside their organization. All it takes is a little PowerShell and some trial and error.


The Office 365 for IT Pros eBook features many practical examples of using Office 365 audit log data to solve problems. You never know when you might need our experience…
