Forum Discussion
Would appreciate help understanding what I am doing wrong in this syntax
What I am trying to do is to get only the activities "Add user" and "Disable account" from Audit Logs using the Get-mgAuditLogDirectoryAudit cmdlt, and that happened in last 60 minutes. Below is what I am using:
$currentDateTime = Get-Date
$startDateTime = $currentDateTime.AddMinutes(-60).ToUniversalTime()
Get-MgAuditLogDirectoryAudit -filter "activityDisplayName eq 'Add user' and ActivityDateTime ge $startDateTime"
But it throws error. I am still a noob at PS so I am not able to figure out what I am doing wrong here. Am I using the wrong method to query things that happened in last 60 minutes? Would appreciate any guidance here.
Abhihya The $startDateTime should be formatted with -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'. That would look like this is my case: 2023-09-27T22:33:26.000Z
This should work:
$startDateTime = Get-Date (get-date).AddMinutes(-60).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z' Get-MgAuditLogDirectoryAudit -filter "activityDisplayName eq 'Add user' and ActivityDateTime ge $startDateTime"
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If one of the posts was helpful in other ways, please consider giving it a Like.- Did that answer your question?
Any update, did this work for you ?