Yes, I test in my environment, the commands above work for find who perform the add/remove DL member operation
Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation
Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation
Please note that The ObjectIds parameter filters the results by the object that was modified (the mailbox, public folder, Send connector, transport rule, accepted domain, etc. that the cmdlet operated on). A valid value depends on how the object is represented in the audit log. For example:
- Name
- Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)
- Public folder identity (for example, \Engineering\Customer Discussion)
If the group is o365 group and was created within the last 90 days, we could use the commands below to check who created the group
$groupname = "group@contoso.com"
$Group = Get-UnifiedGroup $groupname
$date = Get-Date -Date ($Group.WhenCreatedUTC).DateTime
Search-UnifiedAuditLog -StartDate $date.AddSeconds(-5) -EndDate $date.AddSeconds(5) -Operations 'Add Group' | Select-Object -Property UserIds
For the operation saa/remove members in o365 group, try using this:
Search-AdminAuditLog -Cmdlets Set-UnifiedGroup -ObjectIds xx
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.