SOLVED

Office 365 Group history

Brass Contributor

Hi,

 

We have found many orphaned office 365 groups in our tenant. It is bit difficult to identify the next owner for those groups. We decided the check if there is any feature or REST API available to get the past owners of Office 365 group. If it is available then we can contact some of the previous owner to propose an new owner for orphaned groups.

 

Are there any way to collect Office 365 Group history using custom scripts?

 

Thanks in advance,

K Senthilrajan

6 Replies

One way is to look at the Office 365 audit log and check the Remove owner from group records.

 

Or take Paul Cunningham's script https://practical365.com/blog/help-test-v1-02-office-365-groups-report-script/ and amend it to track owner changes.

Thanks Tony for the quick reply,  But there is no filter activity "Removed owner from group" in audit log search as well the audit logs available only for 3 months. So audit log approach will not help us because we need minimum 12 months data.

 

Paul Cunningham script is maintaining logs internally for tracing the change. If I use this script it may help for future occurrences but not helpful for past.

 

I decided the process the orphaned groups manually, its time taking but I feel it efficient than other approaches.

 

Please clarify below queries. 

1. How to check which workload used for creating existing office 365 groups?

2. If I manually go and remove any orphaned group then what are the minimum dependency check that I will have to perform?

 

Thanks in advance,

K Senthilrajan

best response confirmed by Senthilrajan Kaliyaperumal (Brass Contributor)
Solution

If you want to retain Office 365 Audit Data for more than 3 months, buy an ISV reporting product like Radar Reporting, It keeps data for at least a year or longer if you need to.

 

To find remove actions, search the audit log for "Remove owner from group."

 

Search-UnifiedAuditLog -Operations "Remove owner from group" -StartDate 1-Jun-2018 -EndDate 26-Jun-2018

 

You can also find out what workload created an Office 365 group by searching the audit log. I even have details of how to do this in chapter 20 of Office 365 for IT Pros...

But you don't need to remove orphaned groups. Just give them a new owner and all is well.

 

 

Many thanks Tony,

 

I am able to trace last one year data using the query you suggested for "Remove owner from group"  This will resolve some of my orphaned groups. 

 

All is well in Office 365 😉

Hello Senthilrajan Kaliyaperumal,

 

It's not possible to trace last one year data using 'Search-UnifiedAuditLog' cmdlet. The RemoveOwner event might be happened in past 90 days so that you traced it. 

 

Can you please confirm it? else people who read this post in future will get confused.

 

As Tony suggested it's good to deploy a script or have an ISV tool to preserve the audit trail for a longer period. You may take a look at AdminDroid Office 365 Auditing to preserve audit log over past 90 days.

Yes, That is true. The log fetched only for last 90 days. Find the PS script below.

 

$Username = "sk@kmsys.onmicrosoft.com"
$Password = ConvertTo-SecureString '<password>' -AsPlainText -Force
$UserCredential = New-Object System.Management.Automation.PSCredential $Username, $Password

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $session

Connect-MsolService -Credential $UserCredential

$OutputFile = "C:\Appl\output\Usage-log4.txt"

Search-UnifiedAuditLog -EndDate $((Get-Date)) -StartDate $((Get-Date).AddDays(-90)) -Operations "Remove owner from group"| Export-Csv $OutputFile -NoTypeInformation -Append

Remove-PSSession $session

1 best response

Accepted Solutions
best response confirmed by Senthilrajan Kaliyaperumal (Brass Contributor)
Solution

If you want to retain Office 365 Audit Data for more than 3 months, buy an ISV reporting product like Radar Reporting, It keeps data for at least a year or longer if you need to.

 

To find remove actions, search the audit log for "Remove owner from group."

 

Search-UnifiedAuditLog -Operations "Remove owner from group" -StartDate 1-Jun-2018 -EndDate 26-Jun-2018

 

You can also find out what workload created an Office 365 group by searching the audit log. I even have details of how to do this in chapter 20 of Office 365 for IT Pros...

But you don't need to remove orphaned groups. Just give them a new owner and all is well.

 

 

View solution in original post