I was recently asked by a colleague who was looking for a way to automate the export of events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365 services with the Audit Log search feature in the following two Microsoft 365 consoles:
Office 365 Security & Compliance
https://protection.office.com/unifiedauditlog
Microsoft 365 compliance
https://compliance.microsoft.com/auditlogsearch
**I believe the Audit search in the Microsoft 365 compliance portal will be replacing Office 365 Security & Compliance.
I haven’t written scripts for a while so I decided to create one the best that I could and have him modify it as needed. My PowerShell script uses the Search-UnifiedAuditLog cmdlet to export the audit logs of a user and the cmdlet’s documentation can be found here: https://docs.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps
Note that in order for the script to work, EXO V2 2.0.3 or later with PowerShell 7 will be required as authenticating with a certificate requires these two components. This example will use EXO V2 2.0.5 with PowerShell 7.1.3.
To allow for the script to export the audit logs of multiple users, create a txt file and add the user names on a line of its own as such:
The following is the script and few points describing what it does:
- Connects to O365 with Connect-ExchangeOnline and authenticates with a certificate to work around MFA through modern authentication
- Gets the first and last day of the month (the assumption is that this script will be ran the last day of the month at 11:59p.m.)
- Gets the month name
- Loops through each username in the txt file
- Uses Search-UnifiedAuditLog to export the audit logs starting at the beginning of the month to the last day of the month for a user into a CSV file
- Uses Send-MailMessage to email the CSV to two users by relaying off of an on-premise Exchange server (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.1)
#Install-Module -Name ExchangeOnlineManagement
#Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -CertificateThumbPrint "3968B23E6A91C8F7FF4A9587341E9B0FDB50DB0E" -AppID "ac28a30a-6e5f-4c2d-9384-17bbb0809d57" -Organization "contoso.onmicrosoft.com"
# Get the first day and the last day of the current month
$date = Get-Date
$year = $date.Year
$month = $date.Month
$startOfMonth = Get-Date -Year $year -Month $month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
$endOfMonth = ($startOfMonth).AddMonths(1).AddTicks(-1)
#Get the current month name
$monthName = (Get-Culture).DateTimeFormat.GetMonthName((Get-Date).Month)
#Loop through each entry in a text file containing usernames and use Search-UnifiedAuditLog to search the unified audit log, export to CSV and email out to user.
foreach ($alias in Get-Content C:\scripts\Users.txt) {
$useralias=$alias
$domain = '@contoso.com'
$user=$userAlias+$domain
$csvFileName=($userAlias + "-O365-Activities-" + $monthName + "-" + $year + ".csv")
Search-UnifiedAuditLog -StartDate $startOfMonth -EndDate $endOfMonth -UserIds $user | Export-Csv $csvFileName -NoTypeInformation
$mailSubject=$monthName + " " + $year + " " + $user + ' O365 Audit Log'
$mailBody="Sending " + $user + " O365 Audit Log for the month of " + $monthName + " " + $year + "."
Send-MailMessage -From 'O365 Audit Job <o365audit@contoso.com>' -To 'Terence Luk <tluk@contoso.com>', 'John Smith <jsmith@contoso.com>' -Subject $mailSubject -Body $mailBody -Attachments $csvFileName -Priority High -DeliveryNotificationOption OnSuccess, OnFailure -SmtpServer 'smtp.contoso.com'
}
The following is an output of the script using EXO V2 (2.0.5) with PowerShell 7.1.3:
The following is a sample output in the CSV audit log:
1 comment:
Thank you so much Terence, apperience you shared this script
Post a Comment