Skip to main content

We've recently run into an issue where a user accidentally logged in to their personal Microsoft 365 account rather than the company account, which creates some data headaches as company files were syncing to a personal account.



I'm trying to find a way to collect the Microsoft 365 and OneDrive usernames into an Extension Attribute so we can audit them, but I haven't had any luck. They don't seem to be stored in a plist anywhere, and I haven't been able to find a terminal binary that will report the login names.



Any ideas? Thank you!

Try this extension attribute. We use it to track active O365 Logon’s on machines. 



#!/bin/sh



# Functions

function DetectO365Logon {

    # creates a list of local usernames with UIDs above 500 (not hidden)

    userList=$( /usr/bin/dscl /Local/Default -list /Users uid | /usr/bin/awk '$2 >= 501 { print $1 }' )



    while IFS= read aUser

    do

        # get the user's home folder path

        HOMEPATH=$( eval /bin/echo ~$aUser )



        # execute some sql to get the active O365 logon, if any

        local RESULT=$(/usr/bin/sqlite3 "$HOMEPATH/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg" "SELECT value from HKEY_CURRENT_USER_values WHERE name='UserDisplayName' LIMIT 1;")



        # checks to see if we got a hit

        if f "$RESULT" != "" ]; then

            logons+="$RESULT;"

        fi

    done <<< "$userList"



    /bin/echo "$logons"

}



## Main

O365LOGONS=$(DetectO365Logon)

if f "$O365LOGONS" != "" ]; then

    /bin/echo "<result>$O365LOGONS</result>"

else

    /bin/echo "<result>None detected</result>"

fi



exit 0


Best,
D.

Works great, thank you!

Has anyone determined if its possible to also read a secondary or personal account signed into OneDrive under the same local user account?

Terms & ConditionsCookie settings