Guest Activity Notification in Microsoft Teams

Guest Access in Microsoft Teams allows people from outside your organization to seamlessly collaborate with you in the same team in Microsoft Teams as if they were an employee. For guests this could be contractors, vendors, customers, etc. Those guests may be a guest member to many teams outside of their organization – so how do they know when there is new activity occurring in those other teams, without having to switch tenants in the Microsoft Teams client?

If you are using the Microsoft Teams desktop client, anytime you are @ mentioned, or there is a team or channel announcement (team or channel @ mention), a new notification badge will appear above your photo. This is a nice feature as I can be working in my primary tenant (perhaps my company’s tenant) but if you @ mention me (my “guest account”) in your tenant I will be notified and can then make a decision to switch tenants and check the activity hub.

In the lower left corner of the Microsoft Teams desktop client, above my profile photo will be a notification badge. This notification badge is essentially a counter and will display the number of new unread notifications I have in my other tenants that I am a guest of. Here’s an example where I have 3 unread notifications:

 

Clicking on my profile photo will expand the menu, and I can see there are 3 unread notifications in the Microsoft (Guest) tenant:

This is a quick and easy way to stay organized when it comes to guest access in Microsoft Teams and keeping track of activity in other tenants. Enjoy!

Microsoft Teams: Audit Log of Activity

Introduction: The purpose of this blog post is to describe how to use the audit log in Office 365 to understand what changes occurred in Microsoft Teams, when and by whom. For example, the date and time when a team was deleted and who deleted it. This can be extremely powerful evidence when conducting investigations.

What is the audit log? The audit log is a reporting tool that allows you to view both user and IT admin activity in Office 365. For example, when a user’s password wash changed and by whom in IT, or when a user accessed their mailbox and the activity they performed while connected. This log is a unified log and all activities are recorded in a centralized location allowing you to search them through a single console. The following services can be searched for user and administrator activity:

  • SharePoint
  • OneDrive
  • Exchange
  • Azure Active Directory
  • Sway
  • Microsoft Teams
  • Power BI
  • Yammer
  • Dynamics 365
  • File activities
  • Page activities
  • Folder activities
  • Sharing and access request activities
  • Synchronization activities
  • Site administration
  • Role administration activities
  • eDiscovery

How long is data stored? Activity in the audit log is stored for 90 days.

How do I access the audit log? The audit log is accessible in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. It can also be accessed via the Office 365 Management API in addition it can also be accessed via PowerShell using Search-UnifiedAuditLog, see this article for more information.

How do I enable the audit log? By default, the audit log is disabled in your Office 365 tenant. In order for the activity to be recorded and searchable, the log needs to be enabled. Note, the audit log can be connected to a SIEM (Security Incident and Event Manager) via the Office 365 Management API. See this article for more information. To enable the audit log in your tenant, in the Office 365 Admin Portal browse to the Security & Compliance Admin Center -> Search & investigation -> Audit log search. Click Start recording user and admin activities then click Turn On:

In addition, the audit log can be turned on using PowerShell:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

 

What activity in Microsoft Teams is recorded? The following user and admin activity in Microsoft Teams is recorded to the Office 365 audit log:

  • Created team
  • Deleted team
  • Added channel
  • Deleted channel
  • Changed organization setting
  • Changed team setting
  • Changed channel setting
  • Changed setting (legacy)
  • User signed in to Teams
  • Added bot to team
  • Removed bot from team
  • Added Tab
  • Removed tab
  • Added connector
  • Removed Connector

How long does it take for activity to be written to the audit log? After the activity has been performed in the tenant (i.e deleting a team) it can take up to 24 hours for that activity to be written to the audit log.

How do I search the audit log? You can search the audit log by specifying start/end dates/times, specific user accounts, or specific files, folders or sites.

What does the Microsoft Teams activity look like in the audit log? Below are screenshots of how Microsoft Teams activities appear in the audit log.

Filtering on Microsoft Teams:


Activity in the search results:


Details of a specific activity, in this example deleting a team:


Clicking on the hyperlink of the user’s email address, then clicking the Recent Activity tab, allows me to see all recorded activity by that user in Microsoft Teams:

Can I be alerted on specific activity?

In addition, I can create an alert for when specific activity occurs. In the search console click New Alert Policy. I will then title the alert “Microsoft Teams deleted team activity”, with a custom alert type and filter on just the Deleted team. I will then ask it to send alerts to my global administrator and click Save when finished.

Conclusion: Activity that a user and administrator performs in Microsoft Teams gets written to a centralized log enabling IT to search the log to provide evidence during either an investigation, routine audits or to be alerted when changes happen within the environment. If you have feedback, input or comments please let me know below. Enjoy!