Solved

Inventory Microsoft 365 / OneDrive username?

  • July 22, 2020
  • 3 replies
  • 22 views


We've recently run into an issue where a user accidentally logged in to their personal Microsoft 365 account rather than the company account, which creates some data headaches as company files were syncing to a personal account.

I'm trying to find a way to collect the Microsoft 365 and OneDrive usernames into an Extension Attribute so we can audit them, but I haven't had any luck. They don't seem to be stored in a plist anywhere, and I haven't been able to find a terminal binary that will report the login names.

Any ideas? Thank you!

Best answer by frootion


3 replies

  • New Contributor
  • 27 replies
  • Answer
  • July 22, 2020

Try this extension attribute. We use it to track active O365 logons on machines.

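#!/bin/bash
# bash is required: the script uses function, local, += and here-strings

# Functions
function DetectO365Logon {
    local logons="" aUser HOMEPATH DB RESULT

    # creates a list of local usernames with UIDs above 500 (not hidden)
    userList=$( /usr/bin/dscl /Local/Default -list /Users uid | /usr/bin/awk '$2 >= 501 { print $1 }' )

    while IFS= read -r aUser
    do
        # get the user's home folder path from the directory record
        # (avoids running eval on a username while the script runs as root)
        HOMEPATH=$( /usr/bin/dscl /Local/Default -read "/Users/$aUser" NFSHomeDirectory 2>/dev/null | /usr/bin/awk '{ sub(/^NFSHomeDirectory:/, ""); sub(/^ +/, ""); if ($0 != "") print }' )

        # skip users without an Office registration database, so sqlite3 is
        # never pointed at a file that does not exist
        DB="$HOMEPATH/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg"
        [ -f "$DB" ] || continue

        # execute some sql to get the active O365 logon, if any
        RESULT=$( /usr/bin/sqlite3 "$DB" "SELECT value from HKEY_CURRENT_USER_values WHERE name='UserDisplayName' LIMIT 1;" 2>/dev/null )

        # checks to see if we got a hit
        if [ "$RESULT" != "" ]; then
            logons+="$RESULT;"
        fi
    done <<< "$userList"

    /bin/echo "$logons"
}

## Main
O365LOGONS=$(DetectO365Logon)
if [ "$O365LOGONS" != "" ]; then
    /bin/echo "<result>$O365LOGONS</result>"
else
    /bin/echo "<result>None detected</result>"
fi

exit 0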

Best,
D.
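
For the audit in the original question, the collected logons can be compared against the company's sign-in domains so the attribute reports only accounts that do not belong. This is an added example, not part of the answer above: it assumes the stored value is an e-mail-style sign-in name, which the thread does not confirm, and `ALLOWED_DOMAINS`, `classify_logon` and `audit_logons` are hypothetical names.

```shell
#!/bin/sh
# Space-separated company sign-in domains (hypothetical values; set your own).
ALLOWED_DOMAINS="example.com corp.example.com"

# Print "managed", "unmanaged" or "unknown" for a single logon value.
classify_logon() {
    logon=$1
    case $logon in
        *@*) ;;
        *) echo unknown; return ;;   # display name only, nothing to compare
    esac
    # Compare the whole domain after the last "@", case-insensitively, so that
    # look-alikes such as example.com.evil.net or notexample.com do not pass.
    domain=$(printf '%s' "${logon##*@}" | tr '[:upper:]' '[:lower:]')
    for allowed in $ALLOWED_DOMAINS; do
        if [ "$domain" = "$allowed" ]; then echo managed; return; fi
    done
    echo unmanaged
}

# Take the "name;name;" string built by the extension attribute and print the
# text to place inside <result>.
audit_logons() {
    rest=$1
    unmanaged=""
    unverified=""
    [ -n "$rest" ] || { echo "None detected"; return; }
    while [ -n "$rest" ]; do
        entry=${rest%%;*}
        case $rest in *";"*) rest=${rest#*;} ;; *) rest="" ;; esac
        [ -n "$entry" ] || continue
        case $(classify_logon "$entry") in
            unmanaged) unmanaged="$unmanaged$entry;" ;;
            unknown)   unverified="$unverified$entry;" ;;
        esac
    done
    if [ -n "$unmanaged" ]; then echo "Unmanaged: $unmanaged"
    elif [ -n "$unverified" ]; then echo "Unverified: $unverified"
    else echo "Managed only"
    fi
}

# Constructed sample in the format the extension attribute emits.
SAMPLE="jane.doe@example.com;jdoe@outlook.com;"
echo "<result>$(audit_logons "$SAMPLE")</result>"
```

A Smart Group on results beginning with "Unmanaged:" then lists the machines that need follow-up.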


  • Author
  • New Contributor
  • 9 replies
  • July 23, 2020

Works great, thank you!


pete_c
  • Honored Contributor
  • 258 replies
  • January 19, 2023

Has anyone determined if it's possible to also read a secondary or personal account signed into OneDrive under the same local user account?