Audit Disabled user accounts in Microsoft 365

In an organization’s Office 365 environment, user accounts may need to be disabled for various reasons such as when an employee is leaving the organization or due to security concerns.

However, determining when a user account was disabled can be a challenging task. In this blog post, we will see how to audit disabled user accounts in Office365, which includes finding below information. This information is really helpful for auditing and troubleshooting purpose.

  • Who disabled a user account in Office 365.
  • When a user account was disabled in Office 365 [Date/Time Stamp].

You can disable a user’s account by following below steps:

  • Login on Microsoft 365 admin center
  • Go to Users > Active users
  • Click on the user account you want to Disable.
  • A User account properties page will open on the right hand side.
  • Click on Block Sign-in to block the user account.
Official Information on Blocking a user in Office 365
Blocking someone prevents anyone from signing in as this user, and is a good idea when you think their password or username may have been compromised. When you block someone, it immediately stops any new sign-ins for that account, and if they’re signed in, they’ll be automatically signed out from all Microsoft services within 60 minutes. This won’t stop the account from receiving mail, and doesn’t delete any data.

You may get a requirement from security team to check and find out Who disabled a user account in office 365 and When a user account was disabled. For this information we need to check Unified Audit logs from Microsoft Purview Portal.

User and admin activities for different Microsoft 365 services are recorded and retained in unified audit log. The records can be searched and exported into Excel file for further analysis. By default Auditing is Enabled in Microsoft 365. However, the retention of the audit logs duration is dependent upon if you have Audit (Standard) or Audit (Premium) license.

To confirm if auditing is turned on for your organization, you can use the powershell cmdlet Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled. If you already have auditing enabled in your organization and have the right permissions to create a audit search. You can directly skip over to the section “Search Audit logs on Microsoft Purview portal“.

Which license is needed to Audit User and admin activities

Audit (Standard) and Audit (Premium) license is included in Microsoft 365 subscription packages. I have provide few common licenses below. Please refer to the link License Requirements to know about all other type of licenses which include Audit Standard or Audit Premium.

To check which all services are included in Unified audit log, you can click here Microsoft 365 services that support auditing.

  • Audit (Standard) license – Included in Microsoft 365 Enterprise E3, Microsoft 365 Business Premium etc.
  • Audit (Premium) license – Included in Microsoft 365 Enterprise E5 subscription, Microsoft 365 Enterprise E3 subscription + the Microsoft 365 E5 Compliance add-on etc.

How long audit log for user and admin activities is retained

Audit log retention is dependent on the Microsoft 365 License Subscription. Please refer to the license you are subscribed to and accordingly you will either get Audit (standard) or Audit (premium) features. Below are the retention period for Audit (Standard) and Audit (Premium) license.

  • Audit (Standard) provides 90 days audit log retention by default, that means you can search for activities within last 3 months.
  • Audit (Premium) provides 365 days (1 Year) audit log retention by default. This can be extended upto 10 years with an add-on license.

What Permissions are required for searching the audit log

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online.

Auditing is not enabled in my organization

It could be the case that Auditing of user and admin activities is not enabled in your organization. Instead of able to Start searching in from Audit option, you may see a button to Start recording user and admin activity button. You can either click on it to enable it from hre or use Powershell cmdlets to enable it.

Start Audit in Microsoft 365 from Purview

How to check if Auditing is enabled for Microsoft 365 using Powershell

You can also use Powershell cmdlets to check Auditing capability. If you find that Auditing is not enabled for your organization then you can enable it using below steps:

Install Exchange Online Powershell module

Install-module ExchangeOnlineManagement

Connect to Security and Compliance and Exchange Online

Connect-IPPSSession
Connect-ExchangeOnline

Check if Unified Auditing is Enabled

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Get-AdminAuditLogConfig

Enable Unified Auditing using Set-AdminAuditLogConfig

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Set-AdminAuditLogConfig

Get-AdminAuditLogConfig cmdlet will work fine, However if you get below error while running Set-AdminAuditLogConfig cmdlet. This error is caused due to not connected to Exchange Online. Please make sure you are connected to exchange online using Connect-ExchangeOnline cmdlet first before running Set-AdminAuditLogConfig.

Error while running Set-AdminAuditLogConfig
PS C:\Users\Jatin> Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Set-AdminAuditLogConfig : The term ‘Set-AdminAuditLogConfig’ is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:1
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
~~~~~~~ CategoryInfo : ObjectNotFound: (Set-AdminAuditLogConfig:String) [], CommandNotFoundException
FullyQualifiedErrorId : CommandNotFoundException

Search Audit logs on Microsoft Purview portal

We need to start a search in the Audit logs from Microsoft Purview portal. Let’s check the steps:

  • Login on Microsoft Purview portal.
  • Click on Audit under Solutions.
  • Start a New Search by providing Date range and filter criteria.
Search Audit logs on Microsoft Purview portal
  • Monitor the Job status, you can check its Progress, Search time and Total results returned. In my case it took around 2h 35m to complete. Once its Completed, click on the Search to Open the search results.
  • You can click on Export button to export the report.
Export Audit logs Microsoft Purview

Export Job will start and after a while you will be able to download the results.

Audit Export in Progress Microsoft Purview

You can track the progress of the Export from the Audit Search Job itself.

Audit Export status track Microsoft Purview

After the Export Job is finished, You will get a message that “Your export is complete. You can download it now from your browser’s Downloads File. Click on Downloads file link to export the data in a CSV file.

Audit Export Complete Microsoft Purview Downloads file

Filter Search Results to find Disabled User Account AuditData

After you have downloaded the Export which will be in a CSV file, You can Apply Filter on the top column and Filter Operation column to search for Disable Account.

Filter Search Results to find Disabled User Account AuditData

Who Disabled a user account and When it was Disabled ?

After you filter the Operations Column for Disable accounts. Search for the user account for which you want to Audit and find these details. If you find the user in Auditdata Column, check the Corresponding UserId column which will suggest who disabled this user account.

AuditData column provides a lot of details about the operation including When a user account was disabled. I will recommend to copy the AuditData record in a notepad for further analysis to find more details about the operation.

Who Disabled a user account and When it was Disabled in Office 365?

Once you copy AuditData Record in a notepad, you will be able to find a lot of details about the operation including below details:

  • TimeStamp of when a user account was disabled in Office 365.
  • Which Operation was performed on the user account
  • The User’s ObjectID / account which was disabled.
  • Who disabled this user account.
Audit log data for Disable User account

Conclusion

In this blog post, we have audited disabled user account data, you can also Filter the AzureActiveDirectory Audit export to explore further to find other User and admin activities which we not not touched in this blog post. For Example: You could audit the data about a Group membership, User account deletion, When a user was logged in, When a user was last updated etc.

READ NEXT