SOLVED

Roles required for Search-UnifiedAuditLog

Copper Contributor

We're setting up a scheduled script to export logs through the Powershell cmd Search-UnifiedAuditLog.

 

However, since all our Administrators use MFA, we need to use a separate user with no MFA, but restricted permissions.

 

I noticed there's a role "Audit Logs" in the Security & Compliancy section, but those permissions don't seem adequate.

 

What roles are required to fully use the Search-UnifiedAuditLog? I couldn't find anything in documentation.

6 Replies
best response confirmed by Ruben Demey (Copper Contributor)
Solution

Hi,

 

You can check it with this cmdlet in Exchange Online PowerShell:

 

PS C:\Users\domin> Get-ManagementRoleEntry "*\Search-UnifiedAuditLog"

Name                           Role                      Parameters
----                           ----                      ----------
Search-UnifiedAuditLog         View-Only Audit Logs      {Debug, EndDate, ErrorAction, ErrorVariable...}
Search-UnifiedAuditLog         Audit Logs                {Debug, EndDate, ErrorAction, ErrorVariable...}

 

You can modifiy the permissions via RBAC and only grab the necessary cmdlet's that you will need. Both roles are the default roles in Exchange Online.

Hi Dominik,

Thanks, that clarifies a lot.

I'm still getting an error that the cmdlet isn't existing. Do I need to assign specific O365 licenses for this to work to the user? (which would be a shame)
Hi Ruben,

No license is required but you need the “Exchange admin” Office 365 admin role to get all cmdlets. It could be a cloud only or synchronized identity with the proper permissions.

Hi, maybe not needed any longer, but below is a section from our documentation about this matter. I used it to build a Power BI reporting for SharePoint activity. Some bits could be outdated, but I think you should find most answers in the first reference link.

 

-----------------------------------------------------------------------------------------------------------

 

The service account would need sufficient access in order to be able to run the  SearchUnifiedAuditLog command. As per Microsoft's recommendations (reference "Before you begin" tab), a specific group has been created and given the role needed for permissions. The service account was added to this Exchange Online group.

 

Important: the group needs to be created in Exchange Online, and not in the Security & Compliance Center Permissions because the cmdlet (SearchUnifiedAuditLog) belongs to Exchange Online.

 

Process used for setting up minimum access to the service account

 

  1. Go to the Security and Compliance Center in via the Office 365 Admin Center or (https://protection.office.com)
  2. Under the tab "Permissions", follow the instructions: "To assign permissions for archiving, auditing, and retention policies, go to the Exchange admin center."
  3. Clicking the link take you directly to the Role Groups editor for Exchange Online
  4. Click the plus to create new group.
    1. Name: [account name]
    2. Description: Custom group exclusive to the service account [account.name] to give minimum permissions for searching the unified audit log via PowerShell.
    3. Assigned Roles: View-Only Audit Logs (as per Microsoft recommendation)
    4. Add user account to group [x@x.com]
    5. Click save

Indeed. I created a Security role for Audit Only, and did the same in Exchange Online.

 

Still didn't get the cmdlet.

 

After adding the user to the Exchange Administrator role, it works as expected.

 

My only fear is, did I give too many permissions for simply an interface user that will export Powershell logs?

Don't assign the service account Exchange admin permissions. This is only for the configuration in Exchange Online. It can take up to 30 minutes if the assigned user can use this cmdlet or view audit logs in the Security & Compliance Center.

 

For example, if you add the user to the View-Only Audit Logs role entry, then the cmdlets and Security & Compliance Center should be available.

 

Also not the information from TechNet: If you want to programmatically download data from the Office 365 audit log, we recommend that you use the Office 365 Management Activity API instead of using the Search-UnifiedAuditLog cmdlet in a PowerShell script.

1 best response

Accepted Solutions
best response confirmed by Ruben Demey (Copper Contributor)
Solution

Hi,

 

You can check it with this cmdlet in Exchange Online PowerShell:

 

PS C:\Users\domin> Get-ManagementRoleEntry "*\Search-UnifiedAuditLog"

Name                           Role                      Parameters
----                           ----                      ----------
Search-UnifiedAuditLog         View-Only Audit Logs      {Debug, EndDate, ErrorAction, ErrorVariable...}
Search-UnifiedAuditLog         Audit Logs                {Debug, EndDate, ErrorAction, ErrorVariable...}

 

You can modifiy the permissions via RBAC and only grab the necessary cmdlet's that you will need. Both roles are the default roles in Exchange Online.

View solution in original post