Jun 26 2018 01:06 AM
Hi,
We have found many orphaned office 365 groups in our tenant. It is bit difficult to identify the next owner for those groups. We decided the check if there is any feature or REST API available to get the past owners of Office 365 group. If it is available then we can contact some of the previous owner to propose an new owner for orphaned groups.
Are there any way to collect Office 365 Group history using custom scripts?
Thanks in advance,
K Senthilrajan
Jun 26 2018 02:38 AM
One way is to look at the Office 365 audit log and check the Remove owner from group records.
Or take Paul Cunningham's script https://practical365.com/blog/help-test-v1-02-office-365-groups-report-script/ and amend it to track owner changes.
Jun 26 2018 05:57 AM
Thanks Tony for the quick reply, But there is no filter activity "Removed owner from group" in audit log search as well the audit logs available only for 3 months. So audit log approach will not help us because we need minimum 12 months data.
Paul Cunningham script is maintaining logs internally for tracing the change. If I use this script it may help for future occurrences but not helpful for past.
I decided the process the orphaned groups manually, its time taking but I feel it efficient than other approaches.
Please clarify below queries.
1. How to check which workload used for creating existing office 365 groups?
2. If I manually go and remove any orphaned group then what are the minimum dependency check that I will have to perform?
Thanks in advance,
K Senthilrajan
Jun 26 2018 08:42 AM
SolutionIf you want to retain Office 365 Audit Data for more than 3 months, buy an ISV reporting product like Radar Reporting, It keeps data for at least a year or longer if you need to.
To find remove actions, search the audit log for "Remove owner from group."
Search-UnifiedAuditLog -Operations "Remove owner from group" -StartDate 1-Jun-2018 -EndDate 26-Jun-2018
You can also find out what workload created an Office 365 group by searching the audit log. I even have details of how to do this in chapter 20 of Office 365 for IT Pros...
But you don't need to remove orphaned groups. Just give them a new owner and all is well.
Jun 26 2018 11:31 PM
Many thanks Tony,
I am able to trace last one year data using the query you suggested for "Remove owner from group" This will resolve some of my orphaned groups.
All is well in Office 365 😉
Jun 29 2018 02:54 AM
Hello Senthilrajan Kaliyaperumal,
It's not possible to trace last one year data using 'Search-UnifiedAuditLog' cmdlet. The RemoveOwner event might be happened in past 90 days so that you traced it.
Can you please confirm it? else people who read this post in future will get confused.
As Tony suggested it's good to deploy a script or have an ISV tool to preserve the audit trail for a longer period. You may take a look at AdminDroid Office 365 Auditing to preserve audit log over past 90 days.
Aug 23 2018 12:00 AM
Yes, That is true. The log fetched only for last 90 days. Find the PS script below.
$Username = "sk@kmsys.onmicrosoft.com"
$Password = ConvertTo-SecureString '<password>' -AsPlainText -Force
$UserCredential = New-Object System.Management.Automation.PSCredential $Username, $Password
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $session
Connect-MsolService -Credential $UserCredential
$OutputFile = "C:\Appl\output\Usage-log4.txt"
Search-UnifiedAuditLog -EndDate $((Get-Date)) -StartDate $((Get-Date).AddDays(-90)) -Operations "Remove owner from group"| Export-Csv $OutputFile -NoTypeInformation -Append
Remove-PSSession $session
Jun 26 2018 08:42 AM
SolutionIf you want to retain Office 365 Audit Data for more than 3 months, buy an ISV reporting product like Radar Reporting, It keeps data for at least a year or longer if you need to.
To find remove actions, search the audit log for "Remove owner from group."
Search-UnifiedAuditLog -Operations "Remove owner from group" -StartDate 1-Jun-2018 -EndDate 26-Jun-2018
You can also find out what workload created an Office 365 group by searching the audit log. I even have details of how to do this in chapter 20 of Office 365 for IT Pros...
But you don't need to remove orphaned groups. Just give them a new owner and all is well.