Entra / Microsoft 365 · Teams
Report teams creationby email
A script to locate Office 365 audit records for the creation of new Teams and report the fact via email.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
Connect-ExchangeOnline -ShowBanner:$false
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
param([int] $LookbackDays = 90,[string] $StartDate = (Get-Date).AddDays(-$LookbackDays); $EndDate = (Get-Date).AddDays(1),[string] $EndDate = (Get-Date))#HTML header with styles$htmlhead="<html><style>BODY{font-family: Arial; font-size: 10pt;}H1{font-size: 22px;}H2{font-size: 18px; padding-top: 10px;}H3{font-size: 16px; padding-top: 8px;}</style>"#Header for the message$HtmlBody = "<body><h1>Teams Creation Report for teams created between $(Get-Date($StartDate) -format g) and $(Get-Date($EndDate) -format g)</h1><p><strong>Generated:</strong> $(Get-Date -Format g)</p><h2><u>Details of Teams Created</u></h2>"#Person to get the email$EmailRecipient = "SomeoneinYourTenant@Tenant.com" # <- Update this with the real addressIf (-not $O365Cred) { #Make sure we have credentials$O365Cred = (Get-Credential)}$MsgFrom = $O365Cred.UserName ; $SmtpServer = "smtp.office365.com" ; $SmtpPort = '587'# Find records for team creation in the Office 365 audit logWrite-Host "Looking for Team Creation Audit Records..."$Records = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "TeamCreated" -ResultSize 1000)If ($Records.Count -eq 0) {Write-Host "No Team Creation records found." }Else {Write-Host "Processing" $Records.Count "audit records..."$Report = [System.Collections.Generic.List[Object]]::new()ForEach ($Rec in $Records) {$AuditData = ConvertFrom-Json $Rec.Auditdata$O365Group = (Get-UnifiedGroup -Identity $AuditData.TeamName) # Need some Microsoft 365 Group properties# If you're using sensitivity labels for container management, you should resolve the GUID returned for classification to a display nameIf ($O365Group.Classification -eq $Null) { $Classification = $O365Group.SensitivityLabel.Guid }Else { $Classification = $O365Group.Classification }$ReportLine = [PSCustomObject][Ordered]@{TimeStamp = Get-Date($AuditData.CreationTime) -format gUser = $AuditData.UserIdAction = $AuditData.OperationTeamName = $AuditData.TeamNamePrivacy = $O365Group.AccessTypeClassification = $O365Group.ClassificationMemberCount = $O365Group.GroupMemberCountGuestCount = $O365Group.GroupExternalMemberCountManagedBy = $O365Group.ManagedBy}$Report.Add($ReportLine) }}# Add details of each team$Report | Sort TeamName -Unique | ForEach {$htmlHeaderTeam = "<h2>" + $_.TeamName + "</h2>"$htmlline1 = "<p>Created on <b>" + $_.TimeStamp + "</b> by: </b>" + $_.User + "</b></p>"$htmlline2 = "<p>Privacy: <b>" + $_.Privacy + "</b> Classification: <b>" + $_.Classification + "</b></p>"$htmlline3 = "<p>Member count: <b>" + $_.MemberCount + "</b> Guest members: <b>" + $_.GuestCount + "</b></p>"$htmlbody = $htmlbody + $htmlheaderTeam + $htmlline1 + $htmlline2 + $htmlline3 + "<p>"}# Finish up the HTML message body$HtmlMsg = "</body></html>" + $HtmlHead + $HtmlBody# Construct the message parameters and send it off...$MsgParam = @{To = $EmailRecipientFrom = $MsgFromSubject = "Teams Creation Report"Body = $HtmlMsgSmtpServer = $SmtpServerPort = $SmtpPortCredential = $O365Cred }Send-MailMessage @msgParam -UseSSL -BodyAsHTML ; Write-Host "Teams Creation Report sent by email to" $EmailRecipient
Parameters
ParameterDefaultNotes
-LookbackDays90Number of days back to search the unified audit log.-StartDate(Get-Date).AddDays(-90); $EndDate = (Get-Date).AddDays(1)Start of the reporting window.-EndDate(Get-Date)End of the reporting window.Attribution
Author
Office365itpros