Ruben Demey
Jan 24, 2018
Copper Contributor
Roles required for Search-UnifiedAuditLog
We're setting up a scheduled script to export logs through the PowerShell cmd Search-UnifiedAuditLog.
However, since all our Administrators use MFA, we need to use a separate user with no MFA, but restricted permissions.
I noticed there's a role "Audit Logs" in the Security & Compliance section, but those permissions don't seem adequate.
What roles are required to fully use the Search-UnifiedAuditLog? I couldn't find anything in documentation.
Hi,
You can check it with this cmdlet in Exchange Online PowerShell:
PS C:\Users\domin> Get-ManagementRoleEntry "*\Search-UnifiedAuditLog"
Name                   Role                 Parameters
----                   ----                 ----------
Search-UnifiedAuditLog View-Only Audit Logs {Debug, EndDate, ErrorAction, ErrorVariable...}
Search-UnifiedAuditLog Audit Logs           {Debug, EndDate, ErrorAction, ErrorVariable...}
You can modify the permissions via RBAC and only grab the necessary cmdlets that you will need. Both roles are the default roles in Exchange Online.
- Pontus T, Iron Contributor
Hi, maybe not needed any longer, but below is a section from our documentation about this matter. I used it to build a Power BI reporting for SharePoint activity. Some bits could be outdated, but I think you should find most answers in the first reference link.
-----------------------------------------------------------------------------------------------------------
The service account would need sufficient access in order to be able to run the Search-UnifiedAuditLog command. As per Microsoft's recommendations (reference "Before you begin" tab), a specific group has been created and given the role needed for permissions. The service account was added to this Exchange Online group.
Important: the group needs to be created in Exchange Online, and not in the Security & Compliance Center Permissions because the cmdlet (Search-UnifiedAuditLog) belongs to Exchange Online.
Process used for setting up minimum access to the service account
- Go to the Security and Compliance Center via the Office 365 Admin Center or (https://protection.office.com)
- Under the tab "Permissions", follow the instructions: "To assign permissions for archiving, auditing, and retention policies, go to the Exchange admin center."
- Clicking the link takes you directly to the Role Groups editor for Exchange Online
- Click the plus to create a new group.
- Name: [account name]
- Description: Custom group exclusive to the service account [account.name] to give minimum permissions for searching the unified audit log via PowerShell.
- Assigned Roles: View-Only Audit Logs (as per Microsoft recommendation)
- Add user account to group [x@x.com]
- Click save
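The role-group setup described in the post above, done from Exchange Online PowerShell rather than the admin center, followed by a check that the MFA-exempt account holds no admin role beyond the intended one. This is an added example, not part of the original thread; the group name and account address are hypothetical placeholders, and it assumes the ExchangeOnlineManagement module and an administrator sign-in.

```powershell
# Added example (not from the thread). Run from an administrator session.
# Assumes the ExchangeOnlineManagement module; the names below are hypothetical.
$GroupName      = 'AuditLogExport-ViewOnly'
$ServiceAccount = 'svc-auditexport@example.com'
$AllowedRole    = 'View-Only Audit Logs'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Create the dedicated role group with the single role, if it is missing.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $AllowedRole -Members $ServiceAccount `
        -Description "Minimum permissions for $ServiceAccount to search the unified audit log." |
        Out-Null
}

# 2. Confirm the role actually exposes the cmdlet the scheduled script calls.
$entry = Get-ManagementRoleEntry "$AllowedRole\Search-UnifiedAuditLog" -ErrorAction SilentlyContinue
if (-not $entry) { throw "Role '$AllowedRole' does not contain Search-UnifiedAuditLog." }

# 3. List every role the account receives through role groups (direct and
#    nested membership) and flag anything beyond the one intended role.
$viaGroups = @(Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Where-Object { $_.RoleAssigneeType -eq 'RoleGroup' })
$excess = @($viaGroups | Where-Object { "$($_.Role)" -ne $AllowedRole })

$viaGroups | Format-Table Role, RoleAssigneeName, Enabled -AutoSize

if ($viaGroups.Count -eq 0) {
    Write-Warning "No role-group assignment found for $ServiceAccount."
} elseif ($excess.Count -gt 0) {
    Write-Warning "$ServiceAccount holds roles beyond '$AllowedRole':"
    $excess | Format-Table Role, RoleAssigneeName -AutoSize
} else {
    Write-Host "$ServiceAccount is limited to '$AllowedRole'."
}

Disconnect-ExchangeOnline -Confirm:$false
```

The cmdlets available to a session are determined by the roles held when the session is opened, so the scheduled script has to connect again after the group membership changes.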
- Ruben Demey, Copper Contributor
Hi Dominik,
Thanks, that clarifies a lot.
I'm still getting an error that the cmdlet isn't existing. Do I need to assign specific O365 licenses for this to work to the user? (which would be a shame)
- Hi Ruben,
No license is required but you need the “Exchange admin” Office 365 admin role to get all cmdlets. It could be a cloud only or synchronized identity with the proper permissions.