In Microsoft 365, group changes may originate from multiple administrative interfaces. A group may be modified in EntraID, in Exchange Online, by synchronization from on-premises Active Directory, or through several different PowerShell interfaces.
When modifications to a group are made, audit event entries are created in the EntraID audit logs. In general, the information in these events includes the properties changed and the user that initiated the change. There are some instances, though, where this information is not as helpful as it may seem. Let us explore one such scenario and look at how to track down the actor that originated the change.
When a group is a cloud-only group, meaning that it was created directly in Microsoft 365, the attributes of the group can be modified using Microsoft 365 administrative interfaces. For example, an administrator with Exchange rights may use Exchange Online PowerShell to create a new distribution group. When this operation is performed, an EntraID audit log entry of type Add group is generated that resembles the following:
Activity
- Date (UTC): 8/27/2024, 3:57 PM
- Activity Type: Add group
- Correlation ID: 597328d9-9acb-4255-9662-29f55cbe5a95
- Category: GroupManagement
- Status: success
- Status reason: (empty)
- User Agent: (empty)

Initiated by (actor)
- Type: Application
- Display Name: Microsoft Substrate Management
- App ID: (empty)
- Service principal ID: abd7b61e-df48-45d6-920a-2f22ab1f273d
- Service principal name: (empty)

Target
- Type: Group
- Id: 1a87c12f-7a6a-40bd-9709-e8e3e1559148
- Display Name: AuditTest
- User Principal Name: (empty)
- Group Type: unknownFutureValue
Note that the above audit log entry is shown in UTC. This is done by switching the audit log search display from local time to UTC.
When reviewing the audit log entry, the actor that performed the operation is “Microsoft Substrate Management”. In this case “Microsoft Substrate Management” is an internal service principal used by the dual write process between Exchange Online and EntraID. The dual write process is responsible for taking changes that originate in Exchange Online and simultaneously writing them to both the object in EntraID and the object in Exchange Online. From a security standpoint this confirms that the group was added, and that it was added outside of EntraID in Exchange Online, but it fails to indicate who added the group.
To determine who created the group, the Unified Audit Log must be consulted. The Unified Audit Log can be searched with Exchange Online PowerShell. In this case we know that every group creation in Exchange Online starts with the New-DistributionGroup cmdlet, so the search can be filtered on that operation. The date range specified in the command may be correlated to the EntraID audit log event timestamp.
Search-UnifiedAuditLog -StartDate "8/27/2024 00:00" -EndDate "8/27/2024 23:59" -Operations "New-DistributionGroup" -ResultSize 5000 -SessionCommand ReturnLargeSet | Export-Csv -Path "c:\temp\group.csv" -NoTypeInformation
The resulting CSV file contains all invocations of the New-DistributionGroup cmdlet in the date range. This CSV file can be imported into a PowerShell array for further analysis.
# Load the exported Unified Audit Log records into an array
$audit = @()
$audit += Import-Csv c:\temp\group.csv
# Print each array index alongside the record's creation timestamp
For ($i = 0; $i -lt $audit.Count; $i++) { "{0}) {1}" -f $i, $audit[$i].CreationDate }
This generates a list of each array index and the creation date timestamp. This timestamp is also in UTC and should match (or be close to) the EntraID audit log entry.
0) 8/27/2024 3:57:11 PM
In my example there is only one entry. Using the array index we can extract information about the Unified Audit Log entry.
$audit[0].CreationDate; $audit[0].UserIds; (ConvertFrom-Json $audit[0].AuditData).ObjectId
8/27/2024 3:57:11 PM
globalAdmin@domain.onmicrosoft.com
NAMPR04A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/domain.onmicrosoft.com/AuditTest
In this case the group AuditTest was created by the user GlobalAdmin at 8/27/2024 3:57:11 pm UTC.
There are also several other operations on which you might filter the Unified Audit Log that correlate to EntraID audit log entries:
- Set-DistributionGroup when updating the properties of a distribution group.
- Remove-DistributionGroup when removing a distribution group.
- Add-DistributionGroupMember when adding a distribution group member.
- Remove-DistributionGroupMember when removing a distribution group member.
To capture these items from the Unified Audit Log, change the cmdlet name in the search command.
Search-UnifiedAuditLog -StartDate "8/27/2024 00:00" -EndDate "8/27/2024 23:59" -Operations "Add-DistributionGroupMember" -ResultSize 5000 -SessionCommand ReturnLargeSet | Export-Csv -Path "c:\temp\group.csv" -NoTypeInformation
Administrators may combine the entries from the EntraID audit logs with their counterparts from the Unified Audit Logs to determine changes to groups that occur outside the EntraID administrative interfaces.
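The following function is an added example (not code from the original post) that wraps the correlation procedure described above, from the Unified Audit Log search through the ObjectId match, and generalizes it to the full list of distribution group operations. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline), a caller-supplied EntraID event timestamp and target group display name, and that the UAL record's ObjectId ends with the group's display name as in the sample output. The function name, parameters and the five-minute window are assumptions for illustration; the paging loop uses the documented -SessionId parameter so that ReturnLargeSet can return more than one batch.

```powershell
# Added example: correlate an EntraID group audit entry with the Unified Audit Log
# record that names the human actor. Not part of the original post.
function Find-GroupChangeActor {
    [CmdletBinding()]
    param(
        # Timestamp from the EntraID audit entry as displayed in UTC (e.g. "8/27/2024 3:57 PM").
        # Pass it without a time zone suffix: Search-UnifiedAuditLog treats such values as UTC.
        [Parameter(Mandatory)] [datetime] $EntraEventUtc,
        # Display Name of the Target in the EntraID entry (e.g. "AuditTest")
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        # Exchange cmdlets that correspond to group changes; default is the set listed in the post
        [string[]] $Operations = @('New-DistributionGroup', 'Set-DistributionGroup',
                                   'Remove-DistributionGroup', 'Add-DistributionGroupMember',
                                   'Remove-DistributionGroupMember'),
        # Search window around the EntraID timestamp (assumed value); the EntraID entry has
        # minute precision while the UAL CreationDate has seconds, so allow a few minutes' slack
        [int] $WindowMinutes = 5
    )

    $start = $EntraEventUtc.AddMinutes(-$WindowMinutes)
    $end   = $EntraEventUtc.AddMinutes($WindowMinutes)

    # A fixed SessionId lets repeated ReturnLargeSet calls page through every batch;
    # without it only the first 5000 records come back.
    $sessionId = [guid]::NewGuid().ToString()
    $records = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations `
                    -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
        if ($page) { $records += $page }
    } while ($page)

    foreach ($r in $records) {
        # AuditData is a JSON document; for Exchange admin events it carries ObjectId and Parameters
        $data = $r.AuditData | ConvertFrom-Json
        # ObjectId is the Exchange path of the target object, ending in the group's display name
        if ($data.ObjectId -notlike "*/$GroupDisplayName") { continue }

        [pscustomobject]@{
            CreationDateUtc = $r.CreationDate
            Operation       = $r.Operations
            Actor           = $r.UserIds
            ObjectId        = $data.ObjectId
            # Cmdlet parameters (e.g. the member that was added), flattened for readability
            Parameters      = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            # Offset between the UAL record and the EntraID entry; the closest record is the match
            OffsetMinutes   = [math]::Round(([datetime]$r.CreationDate - $EntraEventUtc).TotalMinutes, 2)
        }
    }
}

# Usage with the Add group event from the post (8/27/2024 3:57 PM UTC, target "AuditTest"):
# Find-GroupChangeActor -EntraEventUtc '8/27/2024 3:57 PM' -GroupDisplayName 'AuditTest' |
#     Sort-Object { [math]::Abs($_.OffsetMinutes) } | Format-Table -AutoSize
```

Because the EntraID entry identifies the target group but not the actor, and the UAL record identifies the actor but is keyed by the Exchange ObjectId rather than the EntraID object id, the display name and the timestamp proximity are the join keys. When several records fall inside the window (for example a burst of Add-DistributionGroupMember calls), the OffsetMinutes and Parameters columns are what let you pick the record that corresponds to a specific EntraID entry.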