Audit User Related Admin Actions Using Graph PowerShell

Auditing user-related administrative activities is essential for maintaining transparency, accountability, and security in any Microsoft 365 environment. Whether you're tracking who created, updated, deleted, or restored a user account, knowing what happened When and by whom is critical for governance and compliance.

This blog explains why and how you can audit such actions using Graph PowerShell by querying Entra ID Audit Logs, along with ready-to-use scripts from M365Corner.

Why Audit User Related Admin Actions Like User Addition and Deletion?

Every time an admin adds a new user, updates user information, deletes a user, or restores one, they leave behind a footprint. Auditing these actions helps:

• Track changes made to user accounts
• Hold admins accountable for changes
• Comply with security and industry regulations
• Investigate anomalies or breaches
• Build historical audit trails

Without proper auditing, it's difficult to determine who made specific changes and when, leaving your tenant vulnerable.

How to Audit User Related Admin Actions Using Graph PowerShell?

Microsoft Graph PowerShell allows you to programmatically query Entra ID audit logs, which contain detailed event data including:

• Event Time – when the action occurred
• Initiator – who performed the action
• Target User Details – who was affected

The following scripts from M365Corner help automate the auditing of key user-related admin actions.

• Auditing Newly Created Users

Use this script to fetch a list of users who were recently created in your tenant. It includes the timestamp and the admin who performed the addition.

🔗 Track Add User Events with Graph PowerShell

• Auditing Recently Updated Users

This script helps identify modifications made to existing user accounts—whether it's a change in license, role, or any other attribute—along with who made the change and when.

🔗 Track Recently Updated Users with Graph PowerShell

• Auditing Deleted Users

Keep track of user accounts that were removed from the directory. This is especially important in identifying accidental or unauthorized deletions.

🔗 Track Deleted Users via Entra Audit Log with PowerShell

• Auditing Restored Users

Restoring deleted users is just as critical an event to monitor. This script captures details of user restorations, including the responsible admin and timestamp.

🔗 Track Restored M365 Users with Graph PowerShell

Conclusion

Auditing is all about tracking events and identifying who performed them. Using Graph PowerShell to query Entra ID Audit Logs, you can uncover vital insights into user lifecycle events in your Microsoft 365 environment.

All the scripts linked above provide a rich breakdown of event timestamps and admin UPNs, making them ideal for security audits, investigations, or internal policy compliance. Start using them today to strengthen your administrative oversight.