Teams Meeting Audit Events Available to Purview Audit Standard Customers

Teams Meeting Audit Events for Meeting and Participant Details

Last week’s news that Microsoft has started to make a set of premium audit events available to customers with Purview Audit (standard) licenses was welcome. The idea is that customers can use significant audit events like MailItemsAccessed and Send in forensic investigations of user activity that are often necessary when account compromise is suspected. Previously, Purview audit only generated these events for accounts with Purview Audit (Premium) licenses.

Teams Meetings Audit Events

Along with the Exchange events, Microsoft is making an additional fifteen Teams audit events available to Purview Audit standard customers. Among the set are audit events to capture details of meetings and meeting participants. The MeetingDetail event captures information such as the start and end time for a meeting, the URL to join the meeting, and the modalities used in a meeting such as audio and video. The MeetingParticipant event captures details of user participation in a meeting including their join and leave times and is like the information recorded in the attendance report.

I wrote about the Teams meeting audit events after their introduction in 2021 and explained how to generate a report from the audit records (I have since updated the script to use the Microsoft Graph PowerShell SDK to resolve user identifiers instead of the Azure AD module). The same script works today, and you can get it using the link in the original article.

In passing, MC772556 (updated 17 May 2024, Microsoft 365 roadmap item 381953) announces that Microsoft plans to shorten the URL created for Teams meetings to introduce a simplified syntax and make the links easier to share. Old URLs will continue to work after the introduction of the new version, now scheduled for August 2024.

A Delay in Audit Event Generation

In my 2021 article, I noted that Teams meeting audit events are generated some time after a meeting concludes. Workloads usually generate audit events soon after an action like a file modification or group creation completes. Teams meeting audit events appear in the audit log several hours after a meeting finishes. The same continues today. It’s possible that the delay occurs because a meeting can last past its scheduled time and can restart after an initial event concludes. The delay might exist to allow Teams to be sure that meetings are over before it generates the audit events.

Some Data Missing from Teams Meeting Audit Events

In addition, the meeting detail event doesn’t include some important properties about the scheduled event. For instance, the meeting subject isn’t captured (Figure 1), nor is the scheduled start and end times. Instead, the event records the actual start and end times of a meeting. Not capturing the meeting subject might be for privacy reasons.

Looking at the meeting participant detail events, we see the duration (in seconds) of the connection by individual participants to a meeting, details of the device used, and the meeting type (scheduled or ad hoc). But it seems like the audit events don’t capture details of guest users who join meetings when signed into teams in their host tenants.

On the other hand, Teams meeting audit events do capture the participation of people from other tenants who don’t have guest accounts in your tenant (federated participants). The upshot is that the participation information for some meetings is incomplete. It’s fine if you only ever want to report on the activity of internal users, but the big picture misses some important data.

Real Forensic Information

My conclusion is that if it’s necessary to report full details about Teams meetings, including attendance reports, you must use the Get OnlineMeeting Graph API. This is how the Teams clients fetch information about meetings.

Some complications exist. First, you need an Entra ID app registration to hold the application permissions necessary to read calendar events from user mailboxes and the meeting details. Second, unlike using other Graph application permissions to access data from all accounts in a tenant, Teams uses application access policies to protect online event information. An application access policy grants access to an app to online event information for specific accounts. Another complication is the formatting of the meeting identifiers used to access online events.

Once you have all the necessary access, reporting Teams meetings is a matter of finding online events in user calendars and retrieving the information for each event. I’ll write about how to create the definitive report about Teams online meetings when I finish up the script.

---

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.