Steve Elliott
Copper Contributor
Jul 25, 2017

Identify group owner by SMTP Address?

Is there a way to identify by SMTP address the group owner at all, or at least the SMTP address which created the group in 365?

 

Running the get-unifiedgroup | export-csv .\o365groups.csv shows the managed by field as the display name.

Within our tenant we have 86 different SMTP domains, and I'm looking to pull a report to highlight O365 groups created by users from a particular SMTP domain within our tenant.

 

Thanks for any help in advance.

  • To get a proper answer on who created a Group, you will have to look at the Audit logs. To get the SMTP address of the owner/manager, use something like:

    Get-UnifiedGroupLinks groupname -LinkType Owners | select DisplayName,Alias,PrimarySmtpAddress

    • TonyRedmond
      MVP

      To search the audit log for group creation events, you look for "add group". For example:

       

      Search-UnifiedAuditLog -Operations "add group" -StartDate "01-Jul-2017 00:00" -EndDate "30-Jul-2017 13:00" -Formatted

       

      Unfortunately, the group name is in the AuditData property, which is not as nicely formatted as you'd like. The user who created the group is listed in the UserIds property.

      • TonyRedmond
        MVP

        Vasil and I chatted about extracting some nicely formatted information from the audit records. He is much better at PowerShell than I am, but together we came up with some hacked-together code to look for audit records for group creation and then output the information about who created the groups. Here's the code.

         

        # Find group creation events in the audit log for the date range
        $Records = Search-UnifiedAuditLog -StartDate "1-Jul-2017" -EndDate "30-Jul-2017 13:00" -Operations "add group"
        ForEach ($r in $Records)
        {
            # AuditData is a JSON string; the group name is inside ExtendedProperties
            $temp = $r.AuditData | ConvertFrom-Json
            $temphash = @{}
            $temp.ExtendedProperties | ForEach-Object { $temphash[$_.Name] = $_.Value }
            # Strip the bracketed wrapper around the DisplayName value
            $GroupName = ($temphash["DisplayName"] -replace '(\[.*\]).*(\[.*\])', '$2').Replace("[","").Trim("`]; ")
            # UserIds holds the account that created the group
            Write-Host $r.UserIds "created the" $GroupName "group on" $r.CreationDate
        }

         

        The output is something like:

         

        Tony.Redmond@Office365itpros.com created the Ignite 2017 group on 30/07/2017 11:43:34

         

        Now, if anyone else wants to improve matters, hack away...
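
For the report asked for in the original question (groups created by users from one SMTP domain), the audit records from the script above can be filtered on the domain part of UserIds. This is an added example, not code posted by anyone in the thread; the function name, the sample domains and the layout of the sample DisplayName value are assumptions.

```powershell
# Added example (not from the thread): list groups created by accounts in one SMTP domain.
function Get-GroupCreationByDomain {
    param(
        # Audit record with UserIds, CreationDate and AuditData, as used in the thread's script
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $Domain
    )
    process {
        # UserIds is not always an SMTP-style identity; skip anything without user@domain form.
        $creator = [string]$Record.UserIds
        if ($creator -notmatch '^[^@\s]+@(?<domain>[^@\s]+)$') { return }
        $creatorDomain = $Matches['domain']
        if ($creatorDomain -ne $Domain) { return }   # string -ne is case-insensitive

        # Flatten ExtendedProperties (Name/Value pairs) into a hashtable.
        $props = @{}
        $audit = $Record.AuditData | ConvertFrom-Json
        foreach ($p in $audit.ExtendedProperties) { $props[$p.Name] = $p.Value }

        # Same DisplayName clean-up as the script in the thread.
        $name = ($props['DisplayName'] -replace '(\[.*\]).*(\[.*\])', '$2').Replace('[', '').Trim(']; ')

        [pscustomobject]@{
            Creator = $creator; Domain = $creatorDomain
            GroupName = $name; Created = $Record.CreationDate
        }
    }
}

# Constructed sample records; domains, names and the DisplayName value layout are assumptions.
$sample = @(
    [pscustomobject]@{ UserIds = 'alice@contoso.example'; CreationDate = [datetime]'2017-07-28T09:15:00'
        AuditData = '{"ExtendedProperties":[{"Name":"DisplayName","Value":"[];[Marketing Team];"}]}' },
    [pscustomobject]@{ UserIds = 'bob@fabrikam.example'; CreationDate = [datetime]'2017-07-29T14:02:00'
        AuditData = '{"ExtendedProperties":[{"Name":"DisplayName","Value":"[];[Finance Leads];"}]}' },
    [pscustomobject]@{ UserIds = 'ServiceAccount_0000'; CreationDate = [datetime]'2017-07-30T08:00:00'
        AuditData = '{"ExtendedProperties":[{"Name":"DisplayName","Value":"[Sync Test];"}]}' }
)

# Only the contoso.example creator is returned; the domain match ignores case.
$sample | Get-GroupCreationByDomain -Domain 'CONTOSO.example' | Format-Table -AutoSize
```

Against a tenant, pipe the $Records returned by the Search-UnifiedAuditLog call in the script above into the function instead of $sample, and end the pipeline with Export-Csv to produce the report.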
