Forum Discussion
Roles required for Search-UnifiedAuditLog
Hi,
You can check it with this cmdlet in Exchange Online PowerShell:
PS C:\Users\domin> Get-ManagementRoleEntry "*\Search-UnifiedAuditLog"
Name Role Parameters
---- ---- ----------
Search-UnifiedAuditLog View-Only Audit Logs {Debug, EndDate, ErrorAction, ErrorVariable...}
Search-UnifiedAuditLog Audit Logs {Debug, EndDate, ErrorAction, ErrorVariable...}You can modifiy the permissions via RBAC and only grab the necessary cmdlet's that you will need. Both roles are the default roles in Exchange Online.
Thanks, that clarifies a lot.
I'm still getting an error that the cmdlet isn't existing. Do I need to assign specific O365 licenses for this to work to the user? (which would be a shame)
No license is required but you need the “Exchange admin” Office 365 admin role to get all cmdlets. It could be a cloud only or synchronized identity with the proper permissions.
Indeed. I created a Security role for Audit Only, and did the same in Exchange Online.
Still didn't get the cmdlet.
After adding the user to the Exchange Administrator role, it works as expected.
My only fear is, did I give too many permissions for simply an interface user that will export Powershell logs?
Don't assign the service account Exchange admin permissions. This is only for the configuration in Exchange Online. It can take up to 30 minutes if the assigned user can use this cmdlet or view audit logs in the Security & Compliance Center.
For example, if you add the user to the View-Only Audit Logs role entry, then the cmdlets and Security & Compliance Center should be available.
Also not the information from TechNet: If you want to programmatically download data from the Office 365 audit log, we recommend that you use the Office 365 Management Activity API instead of using the Search-UnifiedAuditLog cmdlet in a PowerShell script.