In Microsoft 365, group owners hold elevated privileges, including the ability to manage membership, settings, and integrations. When an owner is removed from a group, it is important to know who performed the action, when it happened, and who was affected.
This article introduces a Graph PowerShell script that retrieves and reports all 'Remove owner from group' audit events under the GroupManagement category, along with the affected group, the removed owner, and the account that performed the removal:
```powershell
# Connect to Microsoft Graph with required scopes
Connect-MgGraph -Scopes "AuditLog.Read.All", "Group.Read.All"

# Define the Graph API URI for the audit log query
$uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits" +
       "?`$filter=activityDisplayName eq 'Remove owner from group' and category eq 'GroupManagement'" +
       "&`$orderby=activityDateTime desc"

# Prepare result collection
$results = @()

# Call Graph API using Invoke-MgGraphRequest. The directoryAudits endpoint is paged,
# so follow @odata.nextLink until no further page is returned.
while ($uri) {
    $response = Invoke-MgGraphRequest -Method GET -Uri $uri

    foreach ($entry in $response.value) {
        try {
            $removedTime     = $entry.activityDateTime
            $operation       = $entry.activityDisplayName
            $actorUPN        = $entry.initiatedBy.user.userPrincipalName
            $groupId         = ""
            $groupName       = ""
            $removedOwnerUPN = ""

            # Extract group ID and removed owner's UPN from the target resources
            foreach ($target in $entry.targetResources) {
                if ($target.type -eq "Group" -and $target.id) {
                    $groupId = $target.id
                }
                if ($target.type -eq "User" -and $target.userPrincipalName) {
                    $removedOwnerUPN = $target.userPrincipalName
                }
            }

            # Resolve group name using groupId (the audit entry only carries the ID)
            if ($groupId) {
                try {
                    $group     = Get-MgGroup -GroupId $groupId -Property DisplayName -ErrorAction Stop
                    $groupName = $group.DisplayName
                } catch {
                    # Group may have been deleted or soft-deleted since the event
                    $groupName = "[Unknown Group]"
                }
            }

            # Add result to output
            $results += [PSCustomObject]@{
                'Removed Time'  = $removedTime
                'Group Name'    = $groupName
                'Operation'     = $operation
                'Removed Owner' = $removedOwnerUPN
                'Removed By'    = $actorUPN
            }
        } catch {
            Write-Warning "Error processing entry: $($_)"
        }
    }

    # Next page, or $null when the last page has been processed
    $uri = $response.'@odata.nextLink'
}

# Output final report
if ($results.Count -eq 0) {
    Write-Host "No 'Remove owner from group' events found in audit logs." -ForegroundColor Yellow
} else {
    $results | Sort-Object 'Removed Time' -Descending | Format-Table -AutoSize
}
```
This script uses the following Microsoft Graph delegated permissions: AuditLog.Read.All and Group.Read.All. Using Connect-MgGraph, it grants access to audit log and group resources.

It filters entries by:

`activityDisplayName eq 'Remove owner from group' and category eq 'GroupManagement'`

From each log entry, it captures the activity time (activityDateTime), the operation name (activityDisplayName), the initiating user's UPN (initiatedBy.user.userPrincipalName), the target group's ID, and the removed owner's UPN from targetResources.

Since audit logs return only group IDs, the script calls Get-MgGroup to retrieve the actual group name (DisplayName).

It outputs a clean table showing all key details related to owner removal events.
You can extend the script with the following features:

For reporting or archival:

`$results | Export-Csv -Path "RemovedGroupOwners.csv" -NoTypeInformation`

Use a $filter parameter to restrict results to the last 30 or 90 days:

`...&`$filter=activityDisplayName eq 'Remove owner from group' and activityDateTime ge 2024-06-01T00:00:00Z`

Fetch additional metadata using:

`Get-MgGroup -GroupId $groupId -Property GroupTypes, Description`

Integrate into a scheduled job or alerting workflow for real-time detection of high-risk owner removals.
| Error | Cause | Solution |
|---|---|---|
| Access Denied | Missing Graph permissions | Use AuditLog.Read.All, Group.Read.All when connecting |
| Get-MgGroup : Resource not found | Group was deleted or soft-deleted | Use try/catch and label as [Unknown Group] |
| targetResources.userPrincipalName is null | Target does not include UPN | Skip or flag such entries gracefully |
| No events found | No owner removal activity in the time window | Confirm activity via Entra portal or adjust filters |
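The following function is an added example, not code from the original article, that combines the extensions listed above (a rolling date window in the $filter, CSV export, following @odata.nextLink across pages) with the troubleshooting cases from the table: a missing target UPN is flagged rather than dropped, an unresolvable group is labelled [Unknown Group], and a removal initiated by an application rather than a user still records an actor. The watch-list group names, the parameter names and the CSV path are assumptions for illustration; it assumes Connect-MgGraph has already been run with the scopes shown earlier.

```powershell
# Added example (not part of the original article). Assumes Connect-MgGraph
# -Scopes "AuditLog.Read.All","Group.Read.All" has already been run.
function Get-GroupOwnerRemovalReport {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 30,               # rolling window instead of a hard-coded date
        [string[]]$CriticalGroups = @(),       # assumed: display names of groups to flag
        [string]$CsvPath = "RemovedGroupOwners.csv"
    )

    # Graph $filter expects an ISO 8601 UTC timestamp
    $since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")

    $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits" +
           "?`$filter=activityDisplayName eq 'Remove owner from group' " +
           "and category eq 'GroupManagement' and activityDateTime ge $since" +
           "&`$orderby=activityDateTime desc"

    $groupNameCache = @{}      # avoid repeated Get-MgGroup calls for the same group
    $results = [System.Collections.Generic.List[object]]::new()

    # directoryAudits is paged: keep following @odata.nextLink until it is absent
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri

        foreach ($entry in $page.value) {
            $groupId  = ($entry.targetResources | Where-Object { $_.type -eq 'Group' } | Select-Object -First 1).id
            $ownerUpn = ($entry.targetResources | Where-Object { $_.type -eq 'User'  } | Select-Object -First 1).userPrincipalName

            # Resolve and cache the group name; a deleted or soft-deleted group gets a label
            if ($groupId -and -not $groupNameCache.ContainsKey($groupId)) {
                try {
                    $groupNameCache[$groupId] = (Get-MgGroup -GroupId $groupId -Property DisplayName -ErrorAction Stop).DisplayName
                } catch {
                    $groupNameCache[$groupId] = '[Unknown Group]'
                }
            }
            $groupName = if ($groupId) { $groupNameCache[$groupId] } else { '[No Group Target]' }

            # Target without a UPN is a known case: flag it instead of dropping the event
            if (-not $ownerUpn) { $ownerUpn = '[UPN not recorded]' }

            # Removal may be initiated by a user or by an application (e.g. a script or service)
            $actor = $entry.initiatedBy.user.userPrincipalName
            if (-not $actor) { $actor = "app:" + $entry.initiatedBy.app.displayName }

            $results.Add([PSCustomObject]@{
                'Removed Time'  = [datetime]$entry.activityDateTime
                'Group Name'    = $groupName
                'Removed Owner' = $ownerUpn
                'Removed By'    = $actor
                'Result'        = $entry.result
                'Critical'      = ($CriticalGroups -contains $groupName)
            })
        }
        $uri = $page.'@odata.nextLink'
    }

    $results | Export-Csv -Path $CsvPath -NoTypeInformation
    return $results
}

# Usage: report the last 90 days and show only removals from watched groups
$report = Get-GroupOwnerRemovalReport -LookbackDays 90 -CriticalGroups 'Global Admins', 'Finance Team'
$report | Where-Object Critical | Format-Table -AutoSize
```

Running this from a scheduled job and alerting on rows where Critical is true gives the real-time detection the extensions section describes; the CSV written on every run doubles as the archival trail.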
Here are some practical use cases for this script:

- Detect unexpected changes in group ownership, especially for critical teams or admin groups.
- Maintain audit trails of permission changes for external audits or regulatory frameworks.
- See when and by whom a group owner was removed in case of access disruptions.
- Assist with periodic access reviews and internal audits to ensure proper ownership.
Tracking when a group owner is removed is a crucial part of group governance in Microsoft 365. This Graph PowerShell script leverages audit logs and group metadata to give you a clear, actionable audit trail of ownership removals across your tenant.
By running this regularly, you can tighten your security posture, support compliance, and maintain full visibility over group-level administrative activity.
© m365corner.com. All Rights Reserved. Design by HTML Codex