Jan 24 2018 01:33 AM
We're setting up a scheduled script to export logs through the PowerShell cmd Search-UnifiedAuditLog.
However, since all our Administrators use MFA, we need to use a separate user with no MFA, but restricted permissions.
I noticed there's a role "Audit Logs" in the Security & Compliance section, but those permissions don't seem adequate.
What roles are required to fully use the Search-UnifiedAuditLog? I couldn't find anything in documentation.
Jan 24 2018 02:24 AM
Hi,
You can check it with this cmdlet in Exchange Online PowerShell:
PS C:\Users\domin> Get-ManagementRoleEntry "*\Search-UnifiedAuditLog"

Name                   Role                 Parameters
----                   ----                 ----------
Search-UnifiedAuditLog View-Only Audit Logs {Debug, EndDate, ErrorAction, ErrorVariable...}
Search-UnifiedAuditLog Audit Logs           {Debug, EndDate, ErrorAction, ErrorVariable...}
You can modify the permissions via RBAC and only grab the necessary cmdlets that you will need. Both roles are the default roles in Exchange Online.
Jan 24 2018 02:43 AM
Jan 24 2018 03:54 AM
Jan 24 2018 04:24 AM - edited Jan 24 2018 04:25 AM
Hi, maybe not needed any longer, but below is a section from our documentation about this matter. I used it to build Power BI reporting for SharePoint activity. Some bits could be outdated, but I think you should find most answers in the first reference link.
-----------------------------------------------------------------------------------------------------------
The service account would need sufficient access in order to be able to run the Search-UnifiedAuditLog command. As per Microsoft's recommendations (reference "Before you begin" tab), a specific group has been created and given the role needed for permissions. The service account was added to this Exchange Online group.
Important: the group needs to be created in Exchange Online, and not in the Security & Compliance Center Permissions, because the cmdlet (Search-UnifiedAuditLog) belongs to Exchange Online.
Process used for setting up minimum access to the service account
Jan 24 2018 05:24 AM
Indeed. I created a Security role for Audit Only, and did the same in Exchange Online.
Still didn't get the cmdlet.
After adding the user to the Exchange Administrator role, it works as expected.
My only fear is, did I give too many permissions for simply an interface user that will export PowerShell logs?
Jan 24 2018 05:32 AM
Don't assign the service account Exchange admin permissions. This is only for the configuration in Exchange Online. It can take up to 30 minutes before the assigned user can use this cmdlet or view audit logs in the Security & Compliance Center.
For example, if you add the user to the View-Only Audit Logs role entry, then the cmdlets and Security & Compliance Center should be available.
Also note the information from TechNet: If you want to programmatically download data from the Office 365 audit log, we recommend that you use the Office 365 Management Activity API instead of using the Search-UnifiedAuditLog cmdlet in a PowerShell script.
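The least-privilege setup discussed in this thread, as an added example that is not part of any post above: a dedicated Exchange Online role group holding only the View-Only Audit Logs role, followed by a check that the service account has picked up nothing broader. It assumes an administrator's Exchange Online PowerShell session is already open; the account and group names are placeholders.

```powershell
# Added example. Placeholder names, adjust to your tenant.
$ServiceAccount = 'svc-auditexport@contoso.example'   # hypothetical non-MFA service account
$GroupName      = 'Audit Log Export (read-only)'      # hypothetical role group name
$Role           = 'View-Only Audit Logs'              # default role listed in the thread

# 1. Confirm the role really carries the cmdlet; stop if it does not.
Get-ManagementRoleEntry "$Role\Search-UnifiedAuditLog" -ErrorAction Stop |
    Format-Table Name, Role -AutoSize

# 2. Create the role group in Exchange Online (not in the Security & Compliance
#    Center) with the single role and the service account as its only member.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    $params = @{
        Name        = $GroupName
        Roles       = $Role
        Members     = $ServiceAccount
        Description = 'Scheduled Search-UnifiedAuditLog export only'
    }
    New-RoleGroup @params
}

# 3. Review who is in the group; it should list the service account and nobody else.
Get-RoleGroupMember -Identity $GroupName | Format-Table Name, RecipientType -AutoSize

# 4. List every role the account holds, directly or through groups.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Delegating $false
$assignments | Sort-Object Role |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType -AutoSize

# 5. Flag anything beyond the intended role. End-user roles that come from a
#    role assignment policy (mailbox self-service) are ignored here.
$extra = $assignments | Where-Object {
    $_.Role -ne $Role -and $_.RoleAssigneeType -ne 'RoleAssignmentPolicy'
}
if ($extra) {
    Write-Warning "$ServiceAccount holds more than '$Role':"
    $extra | Format-Table Role, RoleAssigneeName -AutoSize
} else {
    Write-Output "$ServiceAccount is limited to '$Role'."
}

# 6. After the propagation delay mentioned above (up to 30 minutes), test from a
#    session signed in AS THE SERVICE ACCOUNT:
#    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 1
```

If step 5 reports extra roles, such as those left over from a temporary Exchange administrator membership, remove that membership before scheduling the export.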