Forum Discussion
Roles required for Search-UnifiedAuditLog
- Jan 24, 2018
Hi,
You can check it with this cmdlet in Exchange Online PowerShell:
PS C:\Users\domin> Get-ManagementRoleEntry "*\Search-UnifiedAuditLog"
Name                   Role                 Parameters
----                   ----                 ----------
Search-UnifiedAuditLog View-Only Audit Logs {Debug, EndDate, ErrorAction, ErrorVariable...}
Search-UnifiedAuditLog Audit Logs           {Debug, EndDate, ErrorAction, ErrorVariable...}

You can modify the permissions via RBAC and only grab the necessary cmdlets that you will need. Both roles are the default roles in Exchange Online.
Hi, maybe not needed any longer, but below is a section from our documentation about this matter. I used it to build a Power BI report for SharePoint activity. Some bits could be outdated, but I think you should find most answers in the first reference link.
-----------------------------------------------------------------------------------------------------------
The service account would need sufficient access in order to be able to run the Search-UnifiedAuditLog command. As per Microsoft's recommendations (https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US&fromAR=1#ID0EABAAA=Before_you_begin, "Before you begin" tab), a specific group has been created and given the role needed for permissions. The service account was added to this Exchange Online group.
Important: the group needs to be created in Exchange Online, and not in the Security & Compliance Center Permissions, because the cmdlet (Search-UnifiedAuditLog) belongs to Exchange Online.
Process used for setting up minimum access to the service account
- Go to the Security and Compliance Center via the Office 365 Admin Center or directly (https://protection.office.com)
- Under the tab "Permissions", follow the instructions: "To assign permissions for archiving, auditing, and retention policies, go to the Exchange admin center."
- Clicking the link takes you directly to the Role Groups editor for Exchange Online
- Click the plus to create a new group.
  - Name: [account name]
  - Description: Custom group exclusive to the service account [account.name] to give minimum permissions for searching the unified audit log via PowerShell.
  - Assigned Roles: View-Only Audit Logs (as per https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US&fromAR=1#ID0EABAAA=Before_you_begin)
- Add user account to group [x@x.com]
- Click save
- Click save
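
The same setup done from Exchange Online PowerShell, with a check that the service account ends up holding nothing beyond View-Only Audit Logs. This is an added example, not part of either post; the group name, account addresses and tenant domain are placeholder assumptions, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Placeholder values (assumptions, not taken from the thread)
$GroupName      = 'svc-auditlog-readers'
$ServiceAccount = 'svc-audit@contoso.example'
$Role           = 'View-Only Audit Logs'

# Connect as an admin who is allowed to manage role groups
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# Confirm the chosen role really contains the cmdlet (same check as in the first reply)
Get-ManagementRoleEntry "$Role\Search-UnifiedAuditLog" | Format-Table Name, Role

# Create the dedicated role group in Exchange Online if it does not exist yet
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName `
        -Description 'Minimum permissions for searching the unified audit log via PowerShell' `
        -Roles $Role `
        -Members $ServiceAccount
}

# The group should carry exactly one role
$groupRoles = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object -ExpandProperty Role -Unique)
if ($groupRoles.Count -ne 1 -or $groupRoles[0] -ne $Role) {
    Write-Warning "Role group '$GroupName' has unexpected roles: $($groupRoles -join ', ')"
}

# Effective assignments for the service account, including those inherited via groups.
# End-user roles from the role assignment policy are excluded from the comparison.
$extra = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount |
    Where-Object { $_.RoleAssigneeType -ne 'RoleAssignmentPolicy' -and $_.Role -ne $Role }
if ($extra) {
    Write-Warning "Service account holds roles beyond '$Role':"
    $extra | Format-Table Role, RoleAssigneeName, RoleAssigneeType
} else {
    Write-Output "OK: $ServiceAccount is limited to '$Role'."
}

Disconnect-ExchangeOnline -Confirm:$false

# Functional test, run in a separate session connected AS the service account:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#       -RecordType SharePointFileOperation -ResultSize 10
```

New role group memberships can take a while to become effective, so a permission error immediately after creation does not necessarily mean the assignment is wrong.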