Auditing - Ensure The Account Provisioning Activity Report Is Reviewed At Least Weekly

 












Summary

This report consists of the details of any account provisioning that was attempted by an external application.

Reason

If a third party provider is not used to manage accounts, any entry on the list is likely illicit; otherwise, it is a great way to monitor transaction volumes and look for new or unusual third party applications that are managing users. If anything unusual is seen, then, the provider must be informed in order to determine the authenticity of the action.                                                                                                                                               

How to?

To review the report, use the Microsoft 365 Admin center:
  1. Select Security.
  2. Click on Audit then select Search.
  3. Set Activities to Added user for User administration activities.
  4. Now, set Start date and End date.
  5. Click Search.
  6. Review.

To review Account Provisioning Activity Report, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command: 

  3. $startDate = ((Get-Date) .AddDays (-7)) .ToShortDateString ()
    $endDate = (Get-Date) .ToShortDateString ()
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object
{ $_.Operations -eq "add user." }

      3. Review the output

Monitor:

To verify that the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.



































































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)