Exchange Team Blog

Re: Critical Update: ApplicationImpersonation RBAC Role Deprecation in Exchange Online

Pagliacci
Copper Contributor
Jan 31, 2025

The script outputs an "ID" in column B which is the App ID of the application performing the impersonation (to my understanding). However, I seem to be getting IDs that don't correspond to any Apps. The events listed correspond to what appear to be Microsoft Teams Services impersonation events when users create groups.

Published Jan 31, 2025
Version 1.0

4 Comments

  • thejimmartin
    Microsoft

    The audit query does not include ExchangeAdmin events so it should not capture group creation. You should be able to use the Graph module to see the application if you can't in Entra center.

    Import-Module Microsoft.Graph.Applications

    # -ApplicationId expects the directory object ID, so filter on appId to look up by App ID
    Get-MgApplication -Filter "appId eq '<AppId>'"

    • Pagliacci
      Copper Contributor

      In Column M of the spreadsheet, "Workload", all of my entries are Exchange. Is it possible the script is capturing ExchangeAdmin events? The app+cert I'm using to connect to Graph has access to both AuditLogsQuery.Read.All and Exchange.ManageAsApp. Should I be running this without the Exchange.ManageAsApp API?

      • thejimmartin
        Microsoft

        No, workload is Exchange, SharePoint, Teams

        Record types used:

        recordTypeFilters = @("exchangeItem","exchangeAggregatedOperation","exchangeItemAggregated","exchangeItemGroup")

        The application only uses Graph so the Exchange.ManageAsApp is not used. If they are Teams apps, do you mind sharing a screenshot of the appids?
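
Added example (not part of the thread and not the Microsoft audit script): one way to check which of the exported IDs exist in the tenant, looking each one up by appId against both app registrations and service principals, since an app can have a service principal in the tenant without an app registration. The CSV path is hypothetical, the "ID" column name is taken from the first post, and `Resolve-AuditAppId` is a name introduced here.

```powershell
# Added example. Assumptions: the audit export is a CSV at .\ImpersonationAudit.csv
# (hypothetical path) whose "ID" column holds the calling application's App ID.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

function Resolve-AuditAppId {
    param([Parameter(Mandatory)][string]$AppId)

    $result = [pscustomobject]@{
        AppId = $AppId; Source = 'Unresolved'; DisplayName = $null; ObjectId = $null
    }

    # Accept only well-formed GUIDs before building an OData filter from the value.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($AppId, [ref]$guid)) {
        $result.Source = 'NotAGuid'
        return $result
    }
    $filter = "appId eq '$guid'"

    # 1. App registrations owned by this tenant.
    $app = Get-MgApplication -Filter $filter -ErrorAction SilentlyContinue
    if ($app) {
        $result.Source = 'AppRegistration'
        $result.DisplayName = $app.DisplayName
        $result.ObjectId = $app.Id
        return $result
    }

    # 2. Service principals (enterprise applications), which cover apps
    #    registered in another tenant, including Microsoft first-party services.
    $sp = Get-MgServicePrincipal -Filter $filter -ErrorAction SilentlyContinue
    if ($sp) {
        $result.Source = 'ServicePrincipal'
        $result.DisplayName = $sp.DisplayName
        $result.ObjectId = $sp.Id
    }
    return $result   # Source stays 'Unresolved' if neither lookup matched
}

# Resolve each distinct ID once and keep the number of audit rows per ID.
Import-Csv .\ImpersonationAudit.csv |
    Where-Object ID |
    Group-Object ID |
    ForEach-Object {
        Resolve-AuditAppId -AppId $_.Name |
            Add-Member -NotePropertyName EventCount -NotePropertyValue $_.Count -PassThru
    } |
    Sort-Object Source, EventCount -Descending |
    Format-Table -AutoSize
```

Rows that remain `Unresolved` are IDs with neither an app registration nor a service principal in the tenant; those are the ones worth sharing back in the thread.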