Monitoring Guest Accounts Added to Teams

Know When New Guest Accounts Are Added to Your Tenant

A reader question asks if it’s possible to monitor the creation of new guest accounts when they are added to Teams memberships. The easy answer is “of course” because you can create an activity alert to monitor the audit records generated in the Office 365 audit log by the addition of new members. The problem is that Teams doesn’t distinguish between tenant accounts and guest accounts when they are added to a team. Still, an activity alert is enough to check additions.

Process Audit Log Data with PowerShell

But given that audit records are generated (if you have Office 365 E3 or later), we can do a better job with some relatively simple PowerShell to extract and process the audit log data. The steps we need to perform are:

  • Find audit records generated when members are added to a team and extract those relating to guest users.
  • Figure out if the guest account is newly added or already exists (because they’re a member in another group or team or someone has shared a document or folder with them).
  • Decide what to do next. For instance, email the person who added the guest user to ask them if the addition is warranted for business purposes.

These steps might sound complicated, but they are straightforward. An example script can be downloaded from GitHub.

Building the Script

The first part of the script finds audit records for additions to team membership – this example looks for any addition in the last week.

Next, we figure out if the user added is a guest and, if so, whether it is a new guest account. Again, the check is for guest accounts added in the last seven days.

Finally, we email the person who added the member to the team to ask them to provide a justification (Figure 1).

Figure 1: The email sent to team owners
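
The first two steps can be sketched as follows. This is an added example, not the script published on GitHub: the function name Get-NewGuestAddition, the sample audit records, and the guest creation dates are all constructed for illustration, and the commented cmdlet calls show one way to obtain the real data in a tenant.

```powershell
function Get-NewGuestAddition {
    # Hypothetical helper: flags guests added to teams whose accounts are newer than $Days
    param(
        [Parameter(Mandatory)] [object[]]  $Records,       # objects with an AuditData JSON string
        [Parameter(Mandatory)] [hashtable] $GuestCreated,  # guest UPN -> account creation date
        [int]      $Days = 7,
        [datetime] $Now  = (Get-Date)
    )
    foreach ($Record in $Records) {
        $Data = $Record.AuditData | ConvertFrom-Json
        foreach ($Member in $Data.Members) {
            # Guest accounts carry #EXT# in their user principal name
            if ($Member.UPN -notlike '*#EXT#*') { continue }
            $Created = $GuestCreated[$Member.UPN]
            if ($null -eq $Created) { continue }   # no directory entry, e.g. guest already removed
            [pscustomobject]@{
                Team     = $Data.TeamName
                AddedBy  = $Data.UserId            # the person to email for a justification
                Guest    = $Member.UPN
                Created  = $Created
                NewGuest = (($Now - $Created).TotalDays -le $Days)
            }
        }
    }
}

# Constructed sample in the shape of Search-UnifiedAuditLog output. In a tenant:
#   $Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -Operations MemberAdded -RecordType MicrosoftTeams -ResultSize 1000
$Records = @(
    [pscustomobject]@{ AuditData = '{"UserId":"owner1@contoso.com","TeamName":"Project Falcon","Members":[{"UPN":"jane_fabrikam.com#EXT#@contoso.onmicrosoft.com"}]}' }
    [pscustomobject]@{ AuditData = '{"UserId":"owner2@contoso.com","TeamName":"Finance","Members":[{"UPN":"sam@contoso.com"},{"UPN":"lee_example.org#EXT#@contoso.onmicrosoft.com"}]}' }
)

# Constructed creation dates keyed by UPN. One way to build this table in a tenant
# (Microsoft Graph PowerShell SDK):
#   Get-MgUser -Filter "userType eq 'Guest'" -All -Property UserPrincipalName,CreatedDateTime
$Now = [datetime]'2020-03-10'
$GuestCreated = @{
    'jane_fabrikam.com#EXT#@contoso.onmicrosoft.com' = [datetime]'2020-03-08'   # two days old
    'lee_example.org#EXT#@contoso.onmicrosoft.com'   = [datetime]'2019-06-01'   # existing guest
}

# Only the newly created guest (jane) is reported; sam is a tenant account, lee an older guest
Get-NewGuestAddition -Records $Records -GuestCreated $GuestCreated -Now $Now |
    Where-Object NewGuest | Format-Table Team, AddedBy, Guest, Created
```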

Script Will Need to be Updated

Send-MailMessage uses the SMTP AUTH protocol to connect and send the message. This facility will soon be deprecated by Microsoft as part of their effort to remove basic authentication. The script will need to be updated after Microsoft releases a new method to allow PowerShell scripts to send email using modern authentication.

Even so, this is yet another example of where the Office 365 audit log holds valuable information to help tenant administrators understand what’s happening inside their organization. All it takes is a little PowerShell and some trial and error.

