Track “Add User” Events Using Graph PowerShell – Audit Log Script

Microsoft 365 administrators often need to track user creation activity for compliance, audit, or security purposes. Whether it's identifying who created a user or validating if the action was successful, Directory Audit Logs can help.

This article walks through a Graph PowerShell script that fetches all “Add User” events from the User Management audit category and displays the following details:

  • 🕒 Created Time
  • 👤 Created User (New User’s UPN)
  • 🧑‍💼 Created By (Initiator UPN)
  • ✅ Result Status (Success or Failure)

The Script

# Connect to Microsoft Graph with AuditLog permissions
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Set the filter parameters
$category = "UserManagement"
$activity = "Add user"
# The filter value ends in "Z" (UTC), so convert local time to UTC first. Adjust the window as needed.
$startDate = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Query the directory audit logs
$logs = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq '$category' and activityDisplayName eq '$activity' and activityDateTime ge $startDate" `
    -Property activityDateTime, initiatedBy, targetResources, result, category, activityDisplayName

# Format the output
$results = foreach ($log in $logs) {
    # The first target resource of type "User" is the account that was created
    $createdUser = $log.targetResources | Where-Object { $_.type -eq "User" } | Select-Object -First 1

    [PSCustomObject]@{
        'Created Time'  = $log.activityDateTime
        'Created User'  = $createdUser.userPrincipalName
        # Empty when an application (service principal) rather than a user initiated the creation
        'Created By'    = $log.initiatedBy.user.userPrincipalName
        'Result Status' = $log.result
    }
}

# Display the results
$results | Format-Table -AutoSize

How the Script Works

Here’s how this script operates behind the scenes:

  1. Connect-MgGraph: Authenticates using the AuditLog.Read.All scope (delegated permission).
  2. Filter by Category and Activity: The script filters logs for the UserManagement category and the Add user activity.
  3. Date Range: It fetches logs from the last 30 days. You can modify this by changing the $startDate variable.
  4. Fetch and Format: It extracts:
    • The time of the event
    • The newly created user
    • The admin or user who initiated the creation
    • The outcome (success/failure)
  5. Output: The final result is formatted in a readable table.

Further Enhancements

You can enhance this script to meet additional audit needs:

  • Export to CSV

    $results | Export-Csv -Path "AddUserAuditLog.csv" -NoTypeInformation

  • Filter by Initiator

    $results | Where-Object { $_.'Created By' -eq "admin@domain.com" }

  • Extend the Date Range

    $startDate = (Get-Date).ToUniversalTime().AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")

  • Use Task Scheduler or Azure Automation to email the report to IT weekly.
  • Email Alerts for Failures: Highlight and notify about failures in user creation:

    $failures = $results | Where-Object { $_.'Result Status' -ne "success" }
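
A fuller take on the initiator filter and failure check above, as an added example that is not part of the original article: it also resolves app (service principal) initiators, which leave initiatedBy.user empty, and flags creations by anyone outside an approved list. The function name, the $ApprovedInitiators allowlist and the sample records are assumptions constructed for illustration.

```powershell
# Added example, not from the original article. Sample records are constructed and
# shaped like directoryAudit objects; $ApprovedInitiators is a hypothetical allowlist.
function ConvertTo-AddUserFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Log,
        [Parameter(Mandatory)] [string[]] $ApprovedInitiators
    )
    process {
        $target = $Log.targetResources | Where-Object { $_.type -eq 'User' } | Select-Object -First 1
        # initiatedBy holds either a user or an app (service principal); check both
        $user = $Log.initiatedBy.user.userPrincipalName
        $app  = $Log.initiatedBy.app.displayName
        if ($user)    { $initiator, $type = $user, 'User' }
        elseif ($app) { $initiator, $type = $app, 'App' }
        else          { $initiator, $type = 'unknown', 'Unknown' }

        $flags = @()
        if ($Log.result -ne 'success')             { $flags += 'FailedCreation' }
        if ($initiator -notin $ApprovedInitiators) { $flags += 'UnapprovedInitiator' }

        [PSCustomObject]@{
            'Created Time'   = $Log.activityDateTime
            'Created User'   = $target.userPrincipalName
            'Created By'     = $initiator
            'Initiator Type' = $type
            'Result Status'  = $Log.result
            'Flags'          = $flags -join ','
        }
    }
}

# Constructed sample input; in practice, pipe $logs from Get-MgAuditLogDirectoryAudit instead
$sampleLogs = @'
[
 {"activityDateTime":"2025-01-10T09:15:00Z","result":"success",
  "initiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"},"app":null},
  "targetResources":[{"type":"User","userPrincipalName":"new.hire@contoso.example"}]},
 {"activityDateTime":"2025-01-11T02:40:00Z","result":"success",
  "initiatedBy":{"user":null,"app":{"displayName":"Sample Provisioning App"}},
  "targetResources":[{"type":"User","userPrincipalName":"svc.sync@contoso.example"}]},
 {"activityDateTime":"2025-01-12T17:05:00Z","result":"failure",
  "initiatedBy":{"user":{"userPrincipalName":"helpdesk@contoso.example"},"app":null},
  "targetResources":[{"type":"User","userPrincipalName":"temp.user@contoso.example"}]}
]
'@ | ConvertFrom-Json

$sampleLogs | ConvertTo-AddUserFinding -ApprovedInitiators 'admin@contoso.example' |
    Where-Object Flags | Format-Table -AutoSize
```

Only the second and third sample records appear in the output: the first was a successful creation by the approved initiator and carries no flags.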

Possible Errors & Solutions

| Error | Cause | Solution |
|---|---|---|
| Access Denied | Missing permissions | Ensure you’ve consented to AuditLog.Read.All |
| Property not found | Incorrect property name | Ensure property names like activityDisplayName, initiatedBy, and targetResources are correct |
| No output returned | No logs match criteria | Extend $startDate or verify if users were added in the timeframe |
| Unauthorized | Not logged in | Run Connect-MgGraph before executing the script |

Conclusion

Tracking user creation activity using audit logs is crucial for maintaining transparency and accountability in Microsoft 365 environments. With Graph PowerShell, admins can automate this tracking and even build on top of the script to generate alerts, reports, or integrate with ticketing systems.

If you’re looking to bolster your compliance monitoring or simplify admin investigations, this script provides a powerful, extensible foundation.

