Forum Discussion
Pontus T
Apr 27, 2017, Iron Contributor
Help with parameter for Search-UnifiedAuditLog
Hi, Disclaimer: I am new to PowerShell, hence why I turn here for your input. Background: I'm creating a Power BI dashboard based on data exported from the O365 Audit Log. For the moment, I'...
- Apr 28, 2017
NarasimaPerumal Chandramohan thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and kept appending to the export file in every loop run.
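The paging loop described in the reply above, written out as an added example (not code posted in this thread). It assumes an Exchange Online PowerShell session is already connected; the date range, session name and output path are placeholders.

```powershell
# Added example: page through Search-UnifiedAuditLog with one SessionId
# and append every batch to a CSV until the cmdlet returns nothing.
$start     = (Get-Date).AddDays(-7)      # placeholder date range
$end       = Get-Date
$sessionId = "AuditExport-" + (Get-Date -Format "yyyyMMddHHmmss")
$outFile   = ".\AuditLog.csv"            # placeholder output path
$total     = 0

while ($true) {
    # Reusing the same SessionId makes each call return the next batch.
    # ReturnLargeSet returns unsorted data, up to 5000 records per call.
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000

    # Nothing returned means the session has been read to the end.
    if (-not $batch) { break }

    # AuditData holds the full record as JSON; keep it for later parsing.
    $batch |
        Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        Export-Csv -Path $outFile -Append -NoTypeInformation -Encoding UTF8

    $total += @($batch).Count
    Write-Host "Exported $total records so far"

    # A single session pages through at most 50,000 results. Hitting that
    # number usually means the export is truncated, so narrow the date
    # range and run again with a new SessionId.
    if ($total -ge 50000) {
        Write-Warning "Session limit reached; split the date range into smaller windows."
        break
    }
}
```

For audit or investigation use, compare the exported row count against the expected volume for the period, since a silently truncated export hides activity.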
Akhilesh Nirapure
Dec 28, 2017, Copper Contributor
The SiteIds parameter doesn't work, I tried passing in WebId, Site but I get error
The Site Id search is not yet supported.
+ CategoryInfo : InvalidArgument: (:) [Search-UnifiedAuditLog], NotSupportedException
+ FullyQualifiedErrorId : [Server=VI1P191MB0240,RequestId=800fa919-711b-47ee-9915-699b8684a804,TimeStamp=28/12/2017 11:30:37] [FailureCategory=Cmdlet-NotSupportedException] 518C5EC4,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchUnifiedAuditLog
+ PSComputerName : outlook.office365.com
Chris Jackson
Apr 18, 2018, Copper Contributor
I believe the SiteIds parameter does work, you just need to use the Site GUID (which you can obtain from the Audit Log Search in the Security and Compliance Center).
- TonyRedmond, Apr 18, 2018, MVP
SiteIds absolutely does work, but as you indicate, the problem is to find the GUID for the site. If you have an audit record for an action performed in the site, you can find it in the "more information" details for the record. You can then do something like:
PS C:\> Search-UnifiedAuditLog -SiteIds acfe74d8-edfb-436d-924b-e018666605ee -StartDate 1-dec-2017 -EndDate 18-apr-2018 | ft creationdate, userids, operations