Need help with Unattended Search-UnifiedAuditLog

Occasional Visitor

We have a requirement to pull Audit Logs on daily basis through a job unattended.

 

We have installed ExO and configured a Service Principal and given the API permission(Exchange.ManageAsApp).

We added the Service Prinipal to "Security Administrators" role in Azure.

But still we are not able to execute "Search-UnifiedAuditLog" from powershell when we interactively login to Powershell using cerfiticate based authentication. The module ExchangeOnlineManagement loads but it does not recognized the Search-UnifiedAuditLog. 

 

2 Replies
The cmdlet works fine with CBA, make sure the SP is a member of Organization Management
or Records Management though. Or use the management activity API for that: https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-manage...
Security Administrator role is not enough to access the Unified Audit Logs.

"You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online."

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compl...