Track Microsoft 365 Administrator Role Assignment And Activity

Administrators in Microsoft 365 hold the keys to your organization’s digital kingdom. They can add or remove users, assign licenses, configure security policies, and even access sensitive information. While this power is essential for managing the environment, it also makes admin accounts a prime target for misuse or attacks.

That’s why tracking administrator role assignments and activities is crucial. By monitoring who holds admin roles, when roles are assigned or revoked, and what actions admins perform, you can:

• Strengthen your organization’s security posture.
• Detect unauthorized changes early.
• Meet compliance and audit requirements.
• Hold administrators accountable for their actions.

Let’s dive into how you can achieve this with Microsoft Graph PowerShell.

Why Track Administrator Activity?

Admin activity logs provide a transparent view of what’s happening in your Microsoft 365 tenant. Without monitoring:

• Malicious insiders could elevate privileges undetected.
• Suspicious activities like mass license assignments could go unnoticed.
• Compliance audits could become a nightmare due to missing data.

By actively tracking admin activities, you ensure visibility, accountability, and compliance in your Microsoft 365 environment.

How to Track Administrator Activity Using Graph PowerShell?

Graph PowerShell gives you the ability to fetch directory role assignments, admin activity logs from Microsoft Entra ID. Below are some useful scripts you can use in your environment.

1. Fetching Microsoft 365 Global Administrator Info

🔗 Fetching Microsoft 365 Global Administrator Info using Graph PowerShell

This script uses the Get-MgDirectoryRoleMember cmdlet to list all Global Administrators in your tenant. It outputs their display names and email addresses, giving you a clear view of who has the highest-level access.

Why it’s useful:

• Ensures you know exactly who your global admins are.
• Helps you verify that only necessary personnel hold this powerful role.
2. Track M365 Admin Role Assignments

🔗 Track M365 Admin Role Assignments Using Graph PowerShell

This script leverages the Get-MgAuditLogDirectoryAudit cmdlet to list details about role assignments, including:

• Role added time
• Role added to (who received the role)
• Role added by (who assigned the role)

Why it’s useful:

• Provides a clear record of when admin privileges are granted.
• Helps identify if roles were assigned outside of policy.
3. Monitor Admin Activity in Microsoft 365

🔗 Monitor Admin Activity in Microsoft 365 with Graph PowerShell

This script also uses Get-MgAuditLogDirectoryAudit to capture all admin actions performed in the environment. It records:

• The admin’s email address (initiator)
• The action taken
• The time the action occurred

Why it’s useful:

• Gives you a timeline of who did what and when.
• Detects suspicious or unauthorized actions early.
4. Track M365 Users Demoted From Admin Roles

🔗 Track M365 Users Demoted From Admin Roles Using Graph PowerShell

This script tracks when admin roles are removed, showing:

• Role removed time
• Role removed from (the user demoted)
• Role removed by (the admin who revoked the role)

Why it’s useful:

• Ensures you have visibility into role removals.
• Helps confirm that role demotions follow organizational procedures.

Wrapping Up

Tracking administrator role assignments and activities is not just a best practice—it’s a necessity for protecting your Microsoft 365 environment. With Graph PowerShell, you can:

• Identify who your global admins are.
• Track when roles are assigned or revoked.
• Monitor admin activities in real time.

By combining these scripts, you gain complete visibility into your admin landscape, ensuring better security, accountability, and compliance.