Using PowerShell – Retrieve the o365 audit logs for SharePoint sites


I was recently working on an assignment to retrieve the audit logs for a list of SharePoint Online sites, filtered to specific audit activities such as PageViewed, FileAccessed, FileDownloaded and FileDeleted (the list can be expanded as needed), and to email the data at regular intervals.

For the list of audited activities in Office 365, see https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities

For the list of page and file activities, see https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#file-and-page-activities

If you only need the audit logs occasionally (a manual search), you can use the Security and Compliance Center. For instructions on searching the audit log there, refer to https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#step-1-run-an-audit-log-search

If the request recurs daily, weekly or monthly, you will definitely need automation.

In this blog post, we will see how to email the audit logs for a list of SharePoint Online sites covering the last x days on a regular basis.

Prerequisites:

  1. The Exchange Online Management PowerShell module must be installed.
  2. Read access to view the audit logs (this can be granted through the Exchange Online ECP).
  3. The list of SharePoint Online sites you want to generate the report for.

Once you have met the prerequisites, we are ready to get the required information.

We will be using the built-in PowerShell cmdlet for retrieving audit logs, Search-UnifiedAuditLog.

When I first used this cmdlet to generate a report for the last 14 days, my results never went beyond 5K. This is because of the ResultSize parameter: its default value is 100 and the maximum is 5,000.

To get all audit logs beyond that maximum (5,000), we need to split the number of days into smaller chunks, query each chunk separately and then combine the results into one file at the end.

For example, if I am retrieving data for the last 15 days, I split the duration (15 days) into 5 iterations of 3 days each and then combine the data into one file. If usage of the SharePoint sites is higher, you will have to increase the iterations to 15 iterations of 1 day each and combine the data.

-----------
Start date 01/24/2021 12:00:00
End date 01/27/2021 12:00:00
-----------
Start date 01/27/2021 12:00:00
End date 01/30/2021 12:00:00
-----------
Start date 01/30/2021 12:00:00
End date 02/02/2021 12:00:00
-----------
Start date 02/02/2021 12:00:00
End date 02/05/2021 12:00:00
-----------
Start date 02/05/2021 12:00:00
End date 02/08/2021 12:00:00

Since this is going to be completely automated using Task Scheduler (a task you set up once), I will be using an account that has read access to view the audit logs and encrypt its password into a file that the script uses to connect to Exchange Online Management.

You will need to edit the script and provide details such as the email address, SMTP server, SPO sites, the one-time O365 password (at your convenience) and other details.

I have provided all the instructions in the script.
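The chunked retrieval and the stored-credential approach described above, as an added example that is not the author's script: the site URLs, credential file path, mail addresses and SMTP server are placeholders, and the reporting account is assumed to sign in with a password alone (no MFA).

```powershell
# Added example, not the author's script: pull selected SharePoint audit events for a set
# of sites in short date windows so no single Search-UnifiedAuditLog call exceeds the
# 5,000-row ResultSize cap, then mail the combined CSV. Needs the ExchangeOnlineManagement module.
param(
    [string[]]$SiteUrls   = @('https://contoso.sharepoint.com/sites/Finance'), # placeholder site
    [string[]]$Operations = @('PageViewed','FileAccessed','FileDownloaded','FileDeleted'),
    [int]$Days            = 15,
    [int]$ChunkDays       = 3,
    [string]$CredFile     = 'C:\Scripts\auditreader.cred',  # placeholder path
    [string]$MailTo       = 'secops@contoso.com',           # placeholder addresses
    [string]$MailFrom     = 'audit-bot@contoso.com',
    [string]$SmtpServer   = 'smtp.contoso.com'              # placeholder server
)

# One-time setup, run interactively as the same Windows account the scheduled task runs under:
#   Get-Credential | Export-Clixml -Path $CredFile
# Export-Clixml wraps the password with DPAPI, so the file decrypts only for that user on that machine.
$cred = Import-Clixml -Path $CredFile
Connect-ExchangeOnline -Credential $cred -ShowBanner:$false   # password-only account assumed

$end     = Get-Date
$start   = $end.AddDays(-$Days)
$results = New-Object System.Collections.Generic.List[object]
$sites   = $SiteUrls | ForEach-Object { $_.TrimEnd('/') }

for ($from = $start; $from -lt $end; $from = $from.AddDays($ChunkDays)) {
    $to = $from.AddDays($ChunkDays)
    if ($to -gt $end) { $to = $end }
    $batch = @(Search-UnifiedAuditLog -StartDate $from -EndDate $to -Operations $Operations -ResultSize 5000)
    # A full 5,000 rows means the window was too wide and events were dropped: lower -ChunkDays.
    if ($batch.Count -ge 5000) { Write-Warning "Window $from to $to hit the 5,000 cap; data is incomplete." }
    foreach ($rec in $batch) {
        $d = $rec.AuditData | ConvertFrom-Json                 # AuditData is a JSON string
        $site = "$($d.SiteUrl)".TrimEnd('/')                   # SiteUrl may be absent on some records
        if ($sites -contains $site) {
            $results.Add([pscustomobject]@{
                Time = $rec.CreationDate; User = $rec.UserIds; Operation = $rec.Operations
                Site = $site; Object = $d.ObjectId; ClientIP = $d.ClientIP })
        }
    }
}
Disconnect-ExchangeOnline -Confirm:$false

$csv = Join-Path $env:TEMP ("SPOAudit_{0:yyyyMMdd}.csv" -f $end)
$results | Sort-Object Time | Export-Csv -Path $csv -NoTypeInformation
Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer -Attachments $csv `
    -Subject "SPO audit log, last $Days days: $($results.Count) events" -Body 'Report attached.'
```

The warning on a full 5,000-row window is the check that tells you when to move from 3-day to 1-day iterations, as the post suggests for busier sites.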

You can download the script from GitHub
