Inventory Microsoft 365 / OneDrive username?

NullPointer
New Contributor III

We've recently run into an issue where a user accidentally logged in to their personal Microsoft 365 account rather than the company account, which creates some data headaches as company files were syncing to a personal account.

I'm trying to find a way to collect the Microsoft 365 and OneDrive usernames into an Extension Attribute so we can audit them, but I haven't had any luck. They don't seem to be stored in a plist anywhere, and I haven't been able to find a terminal binary that will report the login names.

Any ideas? Thank you!

1 ACCEPTED SOLUTION

frootion
New Contributor III

Try this extension attribute. We use it to track active O365 logons on machines.

#!/bin/bash
# bash rather than sh: the script uses 'function', 'local', '+=' and '<<<'

# Functions
function DetectO365Logon {
    local logons=""
    # creates a list of local usernames with UIDs above 500 (not hidden)
    userList=$( /usr/bin/dscl /Local/Default -list /Users uid | /usr/bin/awk '$2 >= 501 { print $1 }' )

    while IFS= read -r aUser
    do
        # get the user's home folder path from the directory record (no eval on the username)
        HOMEPATH=$( /usr/bin/dscl /Local/Default -read "/Users/$aUser" NFSHomeDirectory | /usr/bin/sed 's/^NFSHomeDirectory: //' )

        # skip accounts that have no Office registration database
        DB="$HOMEPATH/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg"
        [ -f "$DB" ] || continue

        # execute some sql (read-only) to get the active O365 logon, if any
        local RESULT=$(/usr/bin/sqlite3 -readonly "$DB" "SELECT value from HKEY_CURRENT_USER_values WHERE name='UserDisplayName' LIMIT 1;" 2>/dev/null)

        # checks to see if we got a hit
        if [ "$RESULT" != "" ]; then
            logons+="$RESULT;"
        fi
    done <<< "$userList"

    /bin/echo "$logons"
}

## Main
O365LOGONS=$(DetectO365Logon)
if [ "$O365LOGONS" != "" ]; then
    /bin/echo "<result>$O365LOGONS</result>"
else
    /bin/echo "<result>None detected</result>"
fi

exit 0

Best,
D.
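
To turn the inventory value into something a smart group can alert on, the semicolon-separated list from the attribute above can be checked against the organisation's own domains. This is an added example, not code from the thread: `ALLOWED_DOMAINS`, `classify_entry` and `audit_logons` are hypothetical names, the sample values are constructed, and it assumes the collected values are sign-in addresses (a plain display name is reported as `unknown`).

```shell
#!/bin/bash
# Added example, not from the thread. ALLOWED_DOMAINS is a placeholder for the
# organisation's own tenant domains; the sample values below are constructed.
ALLOWED_DOMAINS="example.com corp.example.com"

# classify_entry VALUE -> prints "company", "external" or "unknown"
classify_entry() {
    case "$1" in
        *@*.*) ;;                        # looks like user@domain.tld
        *) echo "unknown"; return ;;     # display name or other non-address value
    esac
    domain=$(printf '%s' "${1##*@}" | tr '[:upper:]' '[:lower:]')
    for allowed in $ALLOWED_DOMAINS; do
        if [ "$domain" = "$allowed" ]; then
            echo "company"; return
        fi
    done
    echo "external"
}

# audit_logons "a;b;c;" -> prints a single <result> line for the attribute
audit_logons() {
    rest=$1; flagged=""; seen=0
    while [ -n "$rest" ]; do
        entry=${rest%%;*}                # text up to the first ';'
        case "$rest" in
            *\;*) rest=${rest#*;} ;;     # drop that entry and its ';'
            *)    rest="" ;;
        esac
        [ -z "$entry" ] && continue
        seen=1
        status=$(classify_entry "$entry")
        [ "$status" = "company" ] || flagged="${flagged}${status}:${entry};"
    done
    if [ "$seen" -eq 0 ]; then
        echo "<result>None detected</result>"
    elif [ -n "$flagged" ]; then
        echo "<result>REVIEW ${flagged}</result>"
    else
        echo "<result>OK</result>"
    fi
}

# Constructed sample input in the format the attribute above emits
audit_logons "alice@example.com;bob@outlook.com;Carol Example;"
```
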

3 REPLIES 3

NullPointer
New Contributor III

Works great, thank you!

pete_c
Contributor III

Has anyone determined if it's possible to also read a secondary or personal account signed into OneDrive under the same local user account?