This article explains how to generate an audit report for users who were added to or removed from groups within a specific timeframe.

• System Log
• Reports

1. Navigate to the Okta Admin Console. 
2. Go to Reports > System Logs.
3. Set the time frame (and timezone) required to search.:
4. In the search field, use one of the following System Log queries:
   • eventType eq "group.user_membership.add" - For users who were added to a group.
   • eventType eq "group.user_membership.remove" - For users who were removed from a group.
5. To generate a report containing both group membership additions and removals, chain the 2 queries with an or operator between them:

6. To generate a report containing group membership additions and removals for a specific group, determine the group's ID:
   1. While in the System Log, click the name of the group, which will copy the group ID to the search field in the format target.id eq "<GROUP_ID>".
   2. Navigate to Directory > Groups > Search and select the group from the list. Once on the group's Okta page, the groupId will be visible in the browser's URL field.

3. The final search query should be like the following:

6. Export the logs by clicking the Download CSV button, and manipulate the file to suit the organization's operational needs.

Related References

• Event Types
• Search System Logs
• System Log filters and search