M365Corner
M365 PowerShell

Track "Add Group" Events in Microsoft 365 using Graph PowerShell

Auditing group creation in Microsoft 365 is essential for security and compliance. Whether you're troubleshooting unauthorized group creation or simply keeping a log of all new groups, Graph PowerShell provides a powerful way to retrieve and analyze audit logs in real time.

In this article, we'll walk you through a Graph PowerShell script that fetches "Add group" events from the GroupManagement audit category, showing who created the group, when, and whether it succeeded.


The Script: Query "Add Group" Events via Graph PowerShell

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
                                
# Define time range - adjust as needed
$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")
                                
# Get 'Add group' events from GroupManagement category
$logs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Add group' and category eq 'GroupManagement' and activityDateTime ge $startDate and activityDateTime le $endDate" -All
                                
# Format and display results
$logs | ForEach-Object {
    $initiatedBy = if ($_.InitiatedBy.User.UserPrincipalName) {
        $_.InitiatedBy.User.UserPrincipalName
        } else {
        $_.InitiatedBy.App.DisplayName
    }

    [PSCustomObject]@{
        "Created Time"       = $_.ActivityDateTime
        "Created Group Name" = $_.TargetResources[0].DisplayName
        "Created By"         = $initiatedBy
        "Result Status"      = $_.Result
   }
} | Format-Table -AutoSize

How the Script Works

Here's a breakdown of how the script functions:

  • Connects to Microsoft Graph using the required scopes:

    • AuditLog.Read.All and Directory.Read.All.

  • Defines a time range (past 7 days) using Get-Date. This can be customized as needed.
  • Uses filtering to retrieve only events where:
    • activityDisplayName is "Add group"
    • category is "GroupManagement"
  • Processes each log entry to extract and display:
    • Created Time: When the group was created.
    • Created Group Name: Name of the newly created group.
    • Created By: Shows the admin UPN (if available), else shows the app name.
    • Result Status: Whether the creation was successful or failed.
  • Displays output neatly in table format.

Further Enhancements

You can take this script even further by customizing it for reporting, automation, or auditing needs. Below are some useful ideas:

  1. Export to CSV

    2. Want to archive or share the report with others?

    Just pipe the output into a CSV export like this:

    ... | Export-Csv "GroupCreationAudit.csv" -NoTypeInformation

    This creates a clean spreadsheet with all the data.

  2. Let Users Set the Date Range

    3. Instead of hardcoding 7 days, make the script interactive:

    $startDate = Read-Host "Enter start date (YYYY-MM-DD)"
$endDate = Read-Host "Enter end date (YYYY-MM-DD)"

    This allows you or other admins to specify custom time ranges on the fly.

  3. Add More Columns (e.g., Group ID, Correlation ID)

    4. Want deeper insights? Add fields like:

    • Group ID → _.TargetResources[0].Id
    • Correlation ID → _.CorrelationId
    • Client IP Address → _.InitiatedBy.User.IpAddress (if available)

    These help with advanced auditing and traceability across logs.

  4. Turn It into a Scheduled Report

    5. Schedule this script to run weekly using Task Scheduler or Azure Automation, and email the results to your IT/security team.

  5. Build a GUI based Version

    6. For user-friendly access, consider embedding this functionality into an internal portal using a PowerShell.


Possible Errors & Solutions

Error Cause Solution
Insufficient privileges to complete the operation. Missing required Graph permissions. Run Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" with sufficient privileges. Admin consent may be required.
TargetResources[0] is null Some audit entries may not have associated group data. Use a null check to skip or handle such entries gracefully.
InitiatedBy.User.UserPrincipalName is blank Operation was performed by an app, not a user. Fall back to InitiatedBy.App.DisplayName as handled in the script.
activityDateTime not filtering correctly Date format issue in filter. Ensure ISO format yyyy-MM-ddTHH:mm:ssZ is used, as done in the script.

Conclusion

Tracking group creation activities is a critical part of Microsoft 365 governance. This script helps you monitor all "Add group" events using Microsoft Graph PowerShell, giving you visibility into when, who, and how groups are created—right from your PowerShell console.

By customizing and extending this base script, administrators can build detailed audit reports, automate alerts, and strengthen their M365 security posture.


Table of Contents

X

Table of Contents

Graph PowerShell Explorer Widget

20 Graph PowerShell cmdlets with easily accessible "working" examples.


Permission Required

Example:


                

                

                

                

                

            

        

    


 
            

        

    

    
    
    
    

        

            © m365corner.com. All Rights Reserved.
            Design by HTML Codex