
    Using PowerShell – Retrieve the o365 audit logs for SharePoint sites

    By Eswar Koneti | May 11, 11:10 am | Office 365


    I was recently working on an assignment to get the audit logs for a list of SharePoint Online sites, filtered to specific audit activities such as PageViewed, FileAccessed, FileDownloaded and FileDeleted (this can be expanded further based on your needs), and to email the data at regular intervals.

    For the list of audited activities in Office 365, see https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities

    For the list of page and file activities, see https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#file-and-page-activities

    If you need the audit logs only occasionally, you can search them manually in the Security and Compliance Center. For more information on how to do that, refer to https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#step-1-run-an-audit-log-search

    If the request recurs daily, weekly or monthly, you will definitely need automation.

    In this blog post, we will see how to email the audit logs for a list of SharePoint Online sites for the last x days on a regular basis.

    Pre-requisites:

    1. You need the Exchange Online Management PowerShell module installed.
    2. Read access to view the audit logs. (This can be granted using the Exchange Online ECP.)
    3. A list of the SharePoint Online sites that you want to generate the report for.

    Once you have met the prerequisites, we are ready to get the required information.

    The built-in PowerShell cmdlet we will use for getting the audit logs is Search-UnifiedAuditLog.

    When I started using this cmdlet to generate a report for the last 14 days, my results never went beyond 5K. This is because the ResultSize parameter has a default value of 100 and a maximum of 5,000.

    To get all audit logs beyond the maximum (5,000), we need to split the number of days into smaller chunks and then combine them into one file at the end.

    For example, if I am retrieving the data for the last 15 days, I split the duration (15 days) into 5 iterations of 3 days each and then combine the data into one file. If the usage of the SharePoint sites is higher, you will have to increase the iterations to 15 iterations of 1 day each and combine the data.

    -----------
    Start date 01/24/2021 12:00:00
    End date 01/27/2021 12:00:00
    -----------
    Start date 01/27/2021 12:00:00
    End date 01/30/2021 12:00:00
    -----------
    Start date 01/30/2021 12:00:00
    End date 02/02/2021 12:00:00
    -----------
    Start date 02/02/2021 12:00:00
    End date 02/05/2021 12:00:00
    -----------
    Start date 02/05/2021 12:00:00
    End date 02/08/2021 12:00:00
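
    The chunked retrieval described above, as an added example that is not the author's script from GitHub. It assumes an Exchange Online session is already connected; the site URL and output path are placeholders, and treating a site URL passed to -ObjectIds as matching everything under that site is an assumption. It also flags any window that returns the full 5,000 rows, since that window is probably truncated and needs a smaller chunk size.

```powershell
# Added example (not the author's script). Placeholders: $Sites, $OutFile.
# Assumes Connect-ExchangeOnline has already run under an account that can read the audit log.
$Sites      = @('https://contoso.sharepoint.com/sites/ExampleSite')   # placeholder URL
$Operations = 'PageViewed','FileAccessed','FileDownloaded','FileDeleted'
$DaysBack   = 15
$ChunkDays  = 3
$MaxResults = 5000      # upper limit accepted by -ResultSize
$OutFile    = Join-Path $env:TEMP 'SPO-AuditLog.csv'

$rangeEnd   = Get-Date
$rangeStart = $rangeEnd.AddDays(-$DaysBack)
$records    = [System.Collections.Generic.List[object]]::new()
$seenIds    = [System.Collections.Generic.HashSet[string]]::new()
$truncated  = [System.Collections.Generic.List[string]]::new()

foreach ($site in $Sites) {
    for ($start = $rangeStart; $start -lt $rangeEnd; $start = $start.AddDays($ChunkDays)) {
        $end = $start.AddDays($ChunkDays)
        if ($end -gt $rangeEnd) { $end = $rangeEnd }   # clamp the last window

        # Assumption: a site URL in -ObjectIds matches objects under that site.
        $chunk = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -Operations $Operations -ObjectIds $site -ResultSize $MaxResults)

        # A completely full window means the cap was hit and events are missing.
        if ($chunk.Count -ge $MaxResults) { $truncated.Add("$site | $start to $end") }

        foreach ($row in $chunk) {
            $d = $row.AuditData | ConvertFrom-Json
            # Adjacent windows share a boundary timestamp, so drop repeated record Ids.
            if (-not $seenIds.Add([string]$d.Id)) { continue }
            $records.Add([pscustomobject]@{
                CreationTime = $d.CreationTime
                UserId       = $d.UserId
                Operation    = $d.Operation
                ClientIP     = $d.ClientIP
                ObjectId     = $d.ObjectId
                Site         = $site
            })
        }
    }
}

$records | Sort-Object CreationTime | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
if ($truncated.Count) {
    Write-Warning "Windows that returned $MaxResults rows; rerun them with a smaller chunk size:"
    $truncated | ForEach-Object { Write-Warning $_ }
}
```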

    Since this is going to be completely automated using Task Scheduler (1-time task), I will be using an account that has read access to view the audit logs, and encrypting the password into a file to connect to Exchange Online management.

    You will need to edit the script and provide details such as the email address, SMTP server, SPO sites, the one-time o365 password (at your convenience) and other details.

    I have provided all the instructions in the script.

    You can download the script from GitHub


    2 Comments

    1. Alfredo on July 7, 2023 6:45 AM

      Hi Eswar Koneti

      A question: is it possible to obtain a report for SharePoint pages viewed with a PowerShell script?

      I get a report from Microsoft Purview using the operation "PageViewed" and the result in the .csv shows something like this:
      {"AppAccessContext":{"AADSessionId":..................................................................,"CorrelationId":............","UniqueTokenId":".........,"CreationTime":"...............","Id":............","Operation":"PageViewed","OrganizationId":"........","RecordType":4,"UserKey":"..........","UserType":0,"Version":1,"Workload":"SharePoint","ClientIP":".........","ObjectId:"..........."

      Thanks

      • Eswar Koneti on July 7, 2023 10:38 AM

        Hi,
        If the data can be viewed using Microsoft Purview, mostly we can get the data using the PowerShell cmdlets as well.
        Have you looked at the PowerShell cmdlet to see if the data you are looking for is available?

        https://eskonr.com/2021/05/using-powershell-retrieve-the-o365-audit-logs-for-sharepoint-sites/

        Thanks,
        Eswar
