Monitoring changes to Microsoft 365 Groups is crucial for maintaining organizational security and visibility. Whether a group is renamed, settings are changed, or new members are added by an admin or automation tool, tracking such changes helps administrators stay in control.
In this article, we’ll walk through a Graph PowerShell script that queries the “Update group” event from Directory Audit Logs (under the GroupManagement category). We’ll show you how the script works, discuss use cases, and offer tips for enhancement.
```powershell
# Connect to Microsoft Graph with required permissions
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Define the date range for the audit log (last 7 days).
# Convert to UTC first so the value matches the "Z" suffix in the format string.
$startDate = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Query directory audit logs for "Update group" activity
$auditLogs = Get-MgAuditLogDirectoryAudit -Filter `
    "activityDisplayName eq 'Update group' and category eq 'GroupManagement' and activityDateTime ge $startDate" `
    -All

# Process and display the result
$results = $auditLogs | ForEach-Object {
    # Determine who initiated the update
    $updatedBy = if ($_.InitiatedBy.User.UserPrincipalName) {
        $_.InitiatedBy.User.UserPrincipalName
    }
    elseif ($_.InitiatedBy.App.DisplayName) {
        $_.InitiatedBy.App.DisplayName
    }
    elseif ($_.InitiatedBy.ServicePrincipal.DisplayName) {
        $_.InitiatedBy.ServicePrincipal.DisplayName
    }
    else {
        "N/A"
    }

    # Guard against events that carry no target resource
    $target = $_.TargetResources | Select-Object -First 1

    [PSCustomObject]@{
        'Updated Time'            = $_.ActivityDateTime
        'Group Name'              = if ($target) { $target.DisplayName } else { "N/A" }
        'Updated By (UPN/App/SP)' = $updatedBy
        'Result Status'           = $_.Result
    }
}

# Output the results in a table format
$results | Format-Table -AutoSize
```
Let’s break down how this script functions:
You can enhance this script by:
| Error | Cause | Solution |
| --- | --- | --- |
| Access Denied | Missing Graph permissions | Grant AuditLog.Read.All and Directory.Read.All |
| Unexpected token in OData filter expression | Filter syntax issue | Double-check date/time format and property names |
| TargetResources[0] is null | No group object found in audit log | Wrap TargetResources[0].DisplayName with a null check or use ?.DisplayName in PowerShell 7+ |
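The script above reports who updated a group and when, but not which property changed. The following added example (not part of the original script) applies the null check from the last table row and emits one row per changed property. It assumes each target resource exposes ModifiedProperties with DisplayName, OldValue and NewValue, as Graph's directory audit records do. Expand-GroupAuditChange is a hypothetical helper name and the two sample records are constructed for illustration.

```powershell
# Added example. Expand-GroupAuditChange is a hypothetical helper, not a Graph cmdlet.
function Expand-GroupAuditChange {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Initiator may be a user or an app; fall back to N/A
        $by = $Record.InitiatedBy.User.UserPrincipalName
        if (-not $by) { $by = $Record.InitiatedBy.App.DisplayName }
        if (-not $by) { $by = 'N/A' }

        # TargetResources can be empty, so never index [0] unguarded
        $target = $Record.TargetResources | Select-Object -First 1
        $group  = if ($target) { $target.DisplayName } else { 'N/A' }
        $props  = @($target.ModifiedProperties | Where-Object { $_ })

        # Keep the event visible even when no property detail was recorded
        if ($props.Count -eq 0) {
            $props = @([PSCustomObject]@{ DisplayName = '(none recorded)'; OldValue = $null; NewValue = $null })
        }
        foreach ($p in $props) {
            [PSCustomObject]@{
                'Updated Time' = $Record.ActivityDateTime
                'Group Name'   = $group
                'Updated By'   = $by
                'Property'     = $p.DisplayName
                'Old Value'    = $p.OldValue
                'New Value'    = $p.NewValue
            }
        }
    }
}

# Constructed sample records (not real tenant data): a rename by a user,
# and an app-initiated event that carries no target resource at all.
$sample = @(
    [PSCustomObject]@{
        ActivityDateTime = '2024-01-15T09:30:00Z'
        InitiatedBy      = [PSCustomObject]@{ User = [PSCustomObject]@{ UserPrincipalName = 'admin@contoso.example' }; App = $null }
        TargetResources  = @([PSCustomObject]@{ DisplayName = 'Finance Team'; ModifiedProperties = @(
            [PSCustomObject]@{ DisplayName = 'DisplayName'; OldValue = '["Finance"]'; NewValue = '["Finance Team"]' }) })
    },
    [PSCustomObject]@{
        ActivityDateTime = '2024-01-16T14:05:00Z'
        InitiatedBy      = [PSCustomObject]@{ User = $null; App = [PSCustomObject]@{ DisplayName = 'Provisioning App' } }
        TargetResources  = @()
    }
)
$sample | Expand-GroupAuditChange | Format-Table -AutoSize
```

Against live data, pipe the query result instead of the sample: `$auditLogs | Expand-GroupAuditChange`.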
Here are some real-world use cases where this script can be valuable:
Using Microsoft Graph PowerShell to track “Update group” audit events gives administrators valuable insights into who made changes, when, and how. This script provides a clean, structured way to monitor group-level changes, which is essential for securing collaboration environments and meeting compliance standards.
Looking to build on this script? You can integrate it into scheduled jobs, email alerts, or even Power BI dashboards!