Articles on: Advanced Threat Protection

Guest Users on Microsoft Teams Weekly Report

This Script generates report and email all the users who added any guest user in any team during the last 7 days.



$O365Cred = Get-Credential

Connect-AzureAD -Credential $O365Cred

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking -AllowClobber

FindReportGuestsAddedTeams.PS1



https://github.com/12Knocksinna/Office365itpros/blob/master/FindReportGuestsAddedTeams.PS1



Find and report guest users added to Teams in the last week



Some tenants like to keep a close eye on the guest user accounts that are added to Teams and want to report those accounts. This script



looks for audit records noting the guest additions over the last 7 days and extracts details of guest accounts if the accounts are created



in the same period (older accounts are ignored because they are likely approved). For any account found, we send a polite email to the admin



to tell them that they need to validate that the guest is OK.



$MsgFrom = "admin@m365x953294.onmicrosoft.com" # Set your own address for email notifications here.

$Report = [System.Collections.Generic.List[Object]]::new() # Create output file for report

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # Set TLS 1.2 for SMTP

$Records = Search-UnifiedAuditLog -StartDate ((Get-Date).AddDays(-7)) -EndDate ((Get-Date).AddDays(1)) -ResultSize 5000 -Operations MemberAdded -RecordType MicrosoftTeams

If ($Records) {

   $Report = [System.Collections.Generic.List[Object]]::new() # Create output file for report

   Write-Host "Processing" $Records.Count "audit records for addition of users to Microsoft Teams"

   ForEach ($Rec in $Records) {

     $AuditData = Convertfrom-Json $Rec.AuditData # Get payload

     ForEach ($M in $AuditData.Members) { # Examine users added to see if any are guests

      If (($M -Like "*#EXT#@*") -and ($AuditData.CommunicationType -eq "Team")) { # We have a guest user who's been added to a team rather than a group chat

         $GuestUser = (Get-AzureADUser -ObjectId $M.UPN)

         $CreationDate = (Get-AzureADUserExtension -ObjectId $GuestUser.ObjectId).get_item("createdDateTime") 

         $AccountAge = ($CreationDate | New-TimeSpan).Days

         If ($AccountAge -le 7) { # Guest created within last 7 days so write out details

            $ReportLine = [PSCustomObject]@{ 

               Guest            = $GuestUser.Mail   

               Name             = $GuestUser.DisplayName

               Created          = $CreationDate 

               AgeInDays        = $AccountAge

               DateAddedTeams   = Get-Date($AuditData.CreationTime) -format g

               TeamName         = $AuditData.TeamName

               AddedBy          = $AuditData.UserId

               AADGroupId       = $AuditData.AADGroupId} 

            $Report.Add($ReportLine) 

         } # End if (AccountAge)   

     } # End if (Guest user check)

   } # End Foreach (Members)

 } # End ForEach (Records)

} #End if (Records)

If ($Report) { # Some records have been created, so let's report them.

  CLS

  $SmtpServer = "smtp.office365.com" ; $SmtpPort = '587'

  $ProgressDelta = 100/($Report.Count); $PercentComplete = 0; $UserNumber = 0

  # Define some variables for the message starting with HTML header with styles

  $htmlhead="<html>

     <style>

      BODY{font-family: Arial; font-size: 10pt;}

H1{font-size: 22px;}

H2{font-size: 18px; padding-top: 10px;}

H3{font-size: 16px; padding-top: 8px;}

    </style>"

  #Header for the message

  $HtmlBody = "<body>

     <h1>New Guest User Account Creation</h1>

     <p><strong>Date:</strong> $(Get-Date -Format g)</p>  

     <h2><u>New Update Available - Please Download Updated files for your eBook/u></h2>"

  # For each guest user found, create and send an email

  ForEach ($R in $Report) {

   $UserNumber++ 

   $UserStatus = $R.Name + "(" + $R.Guest + ") ["+ $UserNumber +"/" + $Users.Count + "]"

   Write-Progress -Activity "Processing user" -Status $UserStatus -PercentComplete $PercentComplete

   $PercentComplete += $ProgressDelta

   $BodyText = "<p><b><u>Details</u></b></p><p>Guest email address: $($R.Guest)</p><p>Guest name: $($R.Name)</p><p>Date added: $($R.DateAddedTeams)</p><p>Team added to: $($R.TeamName)</p><p>Recently you added a new guest user to our tenant by including them as a member in the $($R.TeamName) team. Please confirm that it is business-critical to allow this person access to tenant resources. If you do not confirm within the next week, we will automatically remove this guest account.</i></p><p>Best Regards</p><p><b>Your Friendly Admin</b></p>"

   $htmlHeaderUser = "<h2>A new guest user has been created in our tenant</h2>"; $htmlbody = $htmlheaderUser + $BodyText + "<p>"

   $HtmlMsg = "</body></html>" + $HtmlHead + $HtmlBody

  # Construct the message parameters and send it off...

    $MsgParam = @{

      To = $R.AddedBy

       From = $MsgFrom

       Subject = "New Guest User Added"

       Body = $HtmlMsg

       SmtpServer = $SmtpServer

       Port = $SmtpPort

       Credential = $O365Cred }

     Send-MailMessage @msgParam -UseSSL -BodyAsHTML 

  } # End ForEach

} # End if

Updated on: 31/01/2023

Was this article helpful?

Share your feedback

Cancel

Thank you!