https://www.sikich.com

Find Out Who Invited Guest User Accounts in Microsoft Entra ID by Using Audit Logs


Do you want to know who invited guest users to your Microsoft Entra ID tenant? If so, you might be interested in using the audit logs feature, which allows you to track and monitor all the activities performed in your tenant, including user invitations.

I will show you how to use the audit logs to find out who invited guest users, when, and why. In addition, I will explain the benefits of using this feature and how to export the audit logs for further analysis.

What are Audit Logs and Why Use Them?

Audit logs are records of all the changes and operations that occur in your Microsoft Entra ID tenant, such as user and group management, application and resource access, policy updates, and more. Audit logs can help you with the following tasks:

  • Troubleshoot issues and errors
  • Detect and respond to security incidents
  • Comply with regulatory and legal requirements
  • Audit and review user actions and permissions

One of the activities that you can track with audit logs is user invitations, which are used to invite external users (also known as guest users) to access your tenant’s resources. Guest users are users who have an email address that is not part of your tenant’s domain, such as Gmail, Yahoo, or other Microsoft Entra ID organizations.

You might want to invite guest users to collaborate with your organization on projects, share documents, or access applications. However, you also want to make sure that guest users are invited for legitimate reasons and that they have the appropriate permissions and access.

By using the audit logs, you can find out who invited guest users and when they did it. This can help you verify the validity and security of the invitations, as well as identify any potential issues or risks.

How to Search Audit Logs for User Invitations

To search the audit logs for user invitations, you need to have one of the following roles in Microsoft Entra ID:

  • Global administrator
  • Security administrator
  • Security reader
  • Report reader
  • Global reader

You also need to have a Microsoft Entra ID Premium P1 or P2 license.

To search the audit logs, follow these steps:

  1. Sign in to the Microsoft Entra admin center as one of the roles mentioned above.
  2. Go to Identity > Monitoring & health > Audit logs.
  3. At the top, set Category to UserManagement, Activity to Invite external user, and Service to Invited users. It will likely be helpful to extend the Date range beyond the default 24 hours, for example to the last 1 month.
  4. You will see a list of user invitations. Click an entry to open its audit log details, which show the following information:
    1. Date: The date and time of the invitation
    2. Initiated by (actor): The user who sent the invitation
    3. Target: The guest user who received the invitation
    4. Status: The status of the invitation (success or failure)
    5. IPAddr: The IP address and location of the user who sent the invitation

How to Export Audit Logs for User Invitations

If you want to export the audit logs for user invitations, you can download them as a CSV or JSON file. To do so, follow these steps:

  1. After applying the filters as described in the previous section, select Download at the top.
  2. Choose the file format (CSV or JSON) and the download location.
  3. Open the file with your preferred application, such as Excel.
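
As an added example (not part of the original article), this Python script groups the invitation events in a JSON export by inviter and lists the invitations that failed. It assumes the export uses the Microsoft Graph directoryAudit property names (`activityDisplayName`, `initiatedBy`, `targetResources`, `result`); the sample records, account names and app name are constructed.

```python
import json
from collections import defaultdict

INVITE_ACTIVITY = "Invite external user"  # the Activity filter from the search steps
PAT = {"userPrincipalName": "pat@contoso.example", "ipAddress": "203.0.113.10"}  # constructed

# Constructed sample export (not real tenant data). Field names assume the
# Microsoft Graph directoryAudit schema; verify them against your own download.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2024-05-02T14:11:09Z", "activityDisplayName": INVITE_ACTIVITY,
     "result": "success", "initiatedBy": {"user": PAT, "app": None},
     "targetResources": [{"userPrincipalName": "sam_fabrikam.example#EXT#@contoso.example"}]},
    {"activityDateTime": "2024-05-03T09:40:51Z", "activityDisplayName": INVITE_ACTIVITY,
     "result": "failure", "initiatedBy": {"user": PAT, "app": None},
     "targetResources": [{"displayName": "lee@fabrikam.example"}]},
    {"activityDateTime": "2024-05-04T18:02:30Z", "activityDisplayName": INVITE_ACTIVITY,
     "result": "success",
     "initiatedBy": {"user": None, "app": {"displayName": "Onboarding App (hypothetical)"}},
     "targetResources": [{"userPrincipalName": "kim_fabrikam.example#EXT#@contoso.example"}]},
    {"activityDateTime": "2024-05-04T18:05:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": PAT, "app": None},
     "targetResources": [{"userPrincipalName": "sam_fabrikam.example#EXT#@contoso.example"}]},
])

def actor(initiated_by):
    """Return (name, ip) of the inviter, which is either a user or an application."""
    user = (initiated_by or {}).get("user") or {}
    app = (initiated_by or {}).get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName") or "unknown",
            user.get("ipAddress") or "")

def invitations_by_inviter(export_text):
    """Group invitation events from an exported JSON audit log by who sent them."""
    grouped = defaultdict(list)
    for rec in json.loads(export_text):
        if rec.get("activityDisplayName") != INVITE_ACTIVITY:
            continue  # skip other activities if the export was filtered loosely
        name, ip = actor(rec.get("initiatedBy"))
        target = (rec.get("targetResources") or [{}])[0]
        guest = target.get("userPrincipalName") or target.get("displayName") or "unknown"
        grouped[name].append({"when": rec.get("activityDateTime"), "guest": guest,
                              "status": rec.get("result"), "ip": ip})
    return dict(grouped)

def failed_invitations(grouped):
    """List (inviter, guest) pairs whose invitation did not succeed."""
    return [(who, e["guest"]) for who, evs in grouped.items() for e in evs
            if e["status"] != "success"]

if __name__ == "__main__":
    print(json.dumps(invitations_by_inviter(SAMPLE_EXPORT), indent=2))
```

To run it against a real download, pass the file's contents to `invitations_by_inviter` in place of `SAMPLE_EXPORT`.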

Have any questions about how to search Microsoft Entra ID audit logs for invited guest users or about Microsoft Entra in general? Please reach out to our experts at any time!

Author

Craig Schellenberg is a Senior Network Consultant at Sikich who works with businesses to improve their IT. Being detail oriented assists in his ability to design and deploy new solutions as well as troubleshoot complex issues. His primary areas of focus are virtualization and storage on premises (whether through VMware vSphere or Microsoft Hyper-V), Microsoft Cloud services such as Azure and Office 365, Microsoft SQL design and administration, backup/DR/Business Continuance, and network route/switch/firewalls.

Craig holds many certifications, including his MCSE (Microsoft Certified Solutions Expert) in Productivity, Messaging, and Cloud Platform and Infrastructure. Craig also holds multiple VCP (VMware Certified Professional) certifications, including version 3, 4 (Data Center Virtualization), 5 (Data Center Virtualization), 5 (Desktop), Cloud, and 6 (Data Center Virtualization).