Forum Discussion
Identify group owner by SMTP Address?
To search the audit log for group creation events, you look for "add group". For example:
Search-UnifiedAuditLog -Operations "add group" -StartDate "01-Jul-2017 00:00" -EndDate "30-Jul-2017 13:00" -Formatted
Unfortunately, the group name is in the AuditData property, which is not as nicely formatted as you'd like. The user who created the group is listed in the UserIds property.
Vasil and I chatted about extracting some nicely formatted information from the audit records. He is much better at PowerShell than I am, but together we came up with some hacked-together code to look for audit records for group creation and then output the information about who created the groups. Here's the code.
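# Find the audit records for group creation events in the date range
$Records = Search-UnifiedAuditLog -StartDate 1-Jul-2017 -EndDate "30-Jul-2017 13:00" -Operations "add group"
ForEach ($r in $Records)
{
    # AuditData is a JSON string; convert it to an object
    $temp = ($r.AuditData | ConvertFrom-Json)
    # Index the extended properties by name so DisplayName can be looked up
    $temphash = @{}
    $temp.ExtendedProperties | % { $temphash[$_.Name] = $_.Value }
    # Keep the second bracketed value in DisplayName, then strip the brackets and trailing characters
    $GroupName = ($temphash["DisplayName"] -replace '(\[.*\]).*(\[.*\])', '$2').Replace("[","").Trim("`]; ")
    # UserIds holds the account that created the group
    Write-Host $r.UserIds "created the" $GroupName "group on" $r.CreationDate
}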
The output is something like:
Tony.Redmond@Office365itpros.com created the Ignite 2017 group on 30/07/2017 11:43:34
Now, if anyone else wants to improve matters, hack away...