auditing
68 Topics

Auditing an O365 shared mailbox
I have turned on auditing on an Office 365 shared mailbox, but when I search the audit logs I get zero results. I've expanded from the standard auditing and added the parameters "HardDelete, SoftDelete, MoveToDeletedItems", etc. I put those parameters under all 3 categories: AuditAdmin, AuditDelegate, and AuditOwner. We had someone say an email disappeared again today, but I get no results when I search the logs. I even verified that auditing was turned on by doing a 'Get-Mailbox', which shows it on. Is there anything I am doing wrong?
58K views, 0 likes, 11 comments

PowerShell script to export Audit log search Data based on userID filter
The Office 365 Audit Log platform helps you to monitor and control activities on your tenant. In some cases, it is necessary to export some user activity to detect problematic usage.

FROM WEB ADMIN SITE
It's possible to do that export from the dedicated admin site "Security & Compliance": https://protection.office.com/?rfr=AdminCenter#/unifiedauditlog
You can select certain filter options to focus on your question, based on:
- Activity type
- Start & End DateTime
- UserIDs (email or O365 login)
- File, folder, URL or site
This filter set will be used:
- to execute the search and export the result set (in CSV format)
- to create an alert
You can find a lot of details related to that Audit Log usage: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance#search-the-audit-log
But some important restrictions need to be accepted before working with that solution:
- The number of lines (or events) is limited to 50'000 max
- The number of characters exported to the AuditData details is restricted to the first 3'060 chars

FROM POWERSHELL
Based on many other articles and blog posts, I wrote a dedicated PowerShell script, like a toolkit, that you can use to connect directly to the Office 365 Audit Log system and send the filters you need to get the result set in memory.
Based on those results, the script directly extracts the AuditData field and converts it into a CSV file with many fields (extracted from the JSON format). The PowerShell command used is Search-UnifiedAuditLog: https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-unifiedauditlog?view=exchange-ps

Function Split-O365AuditLogs-FromO365 () {
    # Get the content to process
    Write-Host " -----------------------------------------" -ForegroundColor Green
    [string]$username = "YourAdminAccount@yourtenant.onmicrosoft.com"
    # Password file exported beforehand with ConvertFrom-SecureString (encrypted for this user/machine)
    [string]$PwdTXTPath = "C:\SECUREDPWD\ExportedPWD-$($username).txt"
    $secureStringPwd = ConvertTo-SecureString -String (Get-Content $PwdTXTPath)
    $UserCredential = New-Object System.Management.Automation.PSCredential $username, $secureStringPwd
    # Alternative: this will prompt the user for credentials
    # $UserCredential = Get-Credential

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-LiveID/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    [DateTime]$startDate = "01/01/2019 00:00"   # Format: mm/dd/yyyy hh:MM
    [DateTime]$endDate   = "01/11/2019 23:59"   # Format: mm/dd/yyyy hh:MM
    # Syntax: "<value1>","<value2>",..."<valueX>"
    $SpecifiedUserIDs = "Youremailtoscan@yourtenant.com", "Youremailtoscan2@yourtenant.com"

    $scriptStart = (Get-Date)
    # The session name lets Search-UnifiedAuditLog page through a large result set across calls
    $sessionName = (Get-Date -Format 'u') + 'o365auditlog'
    # Reset user audit accumulator
    $aggregateResults = @()
    $i = 0 # Loop counter
    Do {
        Write-Host " >> Audit Request Details: StartDate=", $startDate, "- EndDate=", $endDate, "SpecifiedUserIDs=", $SpecifiedUserIDs
        $currentResults = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -SessionId $sessionName -SessionCommand ReturnLargeSet -ResultSize 1000 -UserIds $SpecifiedUserIDs
        if ($currentResults.Count -gt 0) {
            Write-Host (" Finished search #{1}, {2} records: {0} min" -f [math]::Round((New-TimeSpan -Start $scriptStart).TotalMinutes, 4), $i, $currentResults.Count)
            # Accumulate the data
            $aggregateResults += $currentResults
            # No need to do another query if the number of records returned is < 1k - should save around 5-10 sec per user
            if ($currentResults.Count -lt 1000) {
                $currentResults = @()
            } else {
                $i++
            }
        }
    } Until ($currentResults.Count -eq 0)
    # --- End of Session Search Loop --- #

    [int]$ItemIndex = 1
    $data = @()
    foreach ($line in $aggregateResults) {
        Write-Host " ItemIndex:", $ItemIndex, "- Creation Date:", $line.CreationDate, "- UserIds:", $line.UserIds, "- Operations:", $line.Operations
        Write-Host " > AuditData:", $line.AuditData
        # Flatten the AuditData JSON payload into one row of named columns
        $datum = New-Object -TypeName PSObject
        $Converteddata = ConvertFrom-Json $line.AuditData
        $datum | Add-Member -MemberType NoteProperty -Name Id -Value $Converteddata.Id
        $datum | Add-Member -MemberType NoteProperty -Name CreationTimeUTC -Value $Converteddata.CreationTime
        $datum | Add-Member -MemberType NoteProperty -Name CreationTime -Value $line.CreationDate
        $datum | Add-Member -MemberType NoteProperty -Name Operation -Value $Converteddata.Operation
        $datum | Add-Member -MemberType NoteProperty -Name OrganizationId -Value $Converteddata.OrganizationId
        $datum | Add-Member -MemberType NoteProperty -Name RecordType -Value $Converteddata.RecordType
        $datum | Add-Member -MemberType NoteProperty -Name ResultStatus -Value $Converteddata.ResultStatus
        $datum | Add-Member -MemberType NoteProperty -Name UserKey -Value $Converteddata.UserKey
        $datum | Add-Member -MemberType NoteProperty -Name UserType -Value $Converteddata.UserType
        $datum | Add-Member -MemberType NoteProperty -Name Version -Value $Converteddata.Version
        $datum | Add-Member -MemberType NoteProperty -Name Workload -Value $Converteddata.Workload
        $datum | Add-Member -MemberType NoteProperty -Name UserId -Value $Converteddata.UserId
        $datum | Add-Member -MemberType NoteProperty -Name ClientIPAddress -Value $Converteddata.ClientIPAddress
        $datum | Add-Member -MemberType NoteProperty -Name ClientInfoString -Value $Converteddata.ClientInfoString
        $datum | Add-Member -MemberType NoteProperty -Name ClientProcessName -Value $Converteddata.ClientProcessName
        $datum | Add-Member -MemberType NoteProperty -Name ClientVersion -Value $Converteddata.ClientVersion
        $datum | Add-Member -MemberType NoteProperty -Name ExternalAccess -Value $Converteddata.ExternalAccess
        $datum | Add-Member -MemberType NoteProperty -Name InternalLogonType -Value $Converteddata.InternalLogonType
        $datum | Add-Member -MemberType NoteProperty -Name LogonType -Value $Converteddata.LogonType
        $datum | Add-Member -MemberType NoteProperty -Name LogonUserSid -Value $Converteddata.LogonUserSid
        $datum | Add-Member -MemberType NoteProperty -Name MailboxGuid -Value $Converteddata.MailboxGuid
        $datum | Add-Member -MemberType NoteProperty -Name MailboxOwnerSid -Value $Converteddata.MailboxOwnerSid
        $datum | Add-Member -MemberType NoteProperty -Name MailboxOwnerUPN -Value $Converteddata.MailboxOwnerUPN
        $datum | Add-Member -MemberType NoteProperty -Name OrganizationName -Value $Converteddata.OrganizationName
        $datum | Add-Member -MemberType NoteProperty -Name OriginatingServer -Value $Converteddata.OriginatingServer
        $datum | Add-Member -MemberType NoteProperty -Name SessionId -Value $Converteddata.SessionId
        $data += $datum
        $ItemIndex += 1
    }
    # HH (24-hour clock) so that a morning and an afternoon export on the same day do not overwrite each other
    $datestring = (Get-Date).ToString("yyyyMMdd-HHmm")
    $fileName = ("C:\AuditLogs\CSVExport\" + $datestring + ".csv")
    Write-Host (" >>> writing to file {0}" -f $fileName)
    $data | Export-Csv $fileName -NoTypeInformation
    Remove-PSSession $Session
}
Split-O365AuditLogs-FromO365

You can use that script as you want and adapt it to your own needs.
Attention: the AuditData limitation remains with the PowerShell option, but it is a known Microsoft Support bug, as detailed in the following posts; I hope it will be fixed soon:
https://techcommunity.microsoft.com/t5/Office-365/Incomplete-data-from-Search-UnifiedAuditLog-cmdlet-for-AzureAD/td-p/240805
https://office365itpros.com/2018/10/22/longer-retention-office365-auditdata/
Additional links:
https://angryanalyticsblog.azurewebsites.net/index.php/2018/02/16/power-bi-audit-log-analytics-solution/
https://docs.microsoft.com/en-us/office365/securitycompliance/detailed-properties-in-the-office-365-audit-log
https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log
https://www.youtube.com/watch?v=KUyE59E3EFY
https://blogs.msdn.microsoft.com/tehnoonr/2018/01/26/retrieving-office-365-audit-data-using-powershell/
https://office365itpros.com/2018/10/22/longer-retention-office365-auditdata/
https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-unifiedauditlog?view=exchange-ps
https://www.sherweb.com/blog/activity-reports-audit-logs-office-365/
http://alexbrassington.com/2016/03/03/splitting-office-365-audit-logs/
https://www.powershellgallery.com/packages/O365_Unified_Auditlog_parser/1.1/Content/O365_Unified_Auditlog_parser.ps1
Fabrice Romelard
French version: http://blogs.developpeur.org/fabrice69/archive/2019/01/28/office-365-script-powershell-pour-extraire-les-audit-log-bas-s-sur-des-filtres-fournis.aspx
31K views, 1 like, 3 comments

Global Reader role to be able to view audit logs - error don't have the right permissions
I asked my Global Administrator to add my administrator account as a Global Reader. I would like to read the audit logs. I have logged out of the web browser, and it has been over an hour since I was granted this access. I have had my account for over a year. I am going to Microsoft 365 Compliance, Audit, Search. Before I was given Global Reader, I could get to this area, but the search button was grayed out. Now I can enter a search query. https://compliance.microsoft.com/auditlogsearch?viewid=Test%20Tab I fill in the details and I get an error after I click on the search button.
Error: Looks like you don't have the right permissions to view this page or this feature isn't part of your organization's Microsoft 365 subscription. To get access, contact the person who assigns permissions or makes purchasing decisions. If you're a new user or were recently assigned permissions, try again in 15 minutes.
11K views, 0 likes, 1 comment

Audit log search no longer works for shared mailboxes
It was working fine, then stopped some time last month - now it gives no results. After going backwards and forwards with support, see the response we received from them below.
"As earlier advised the changes are made recently by the programming team after which non license mailbox user will be able to see O365 Admin logs from power shell and EAC and will not be able to see Unified audit logs from SCC and power shell."
This does not seem plausible to me, but I would like to get some feedback from the rest of you.
7.5K views, 0 likes, 10 comments

Use the Audit Log to Monitor Membership Changes in Selected Microsoft 365 Groups
A reader asks how to monitor membership changes for some specific high-profile groups. You can buy a commercial product to do the job or use PowerShell to exploit the information held in the Office 365 audit log. A combination of a custom attribute assigned to the sensitive groups and an audit log search does the job. https://office365itpros.com/2022/11/09/monitor-group-membership-changes/
6.8K views, 0 likes, 0 comments

Microsoft 365: Now Keeps Audit Log for 365 Days for All the Subscription Types
Most admins want to keep an audit log for more than 90 days without an E5/A5/G5 license or any additional add-ons. With Microsoft's recent update, you can retrieve the audit log for longer than 90 days and up to one year for all subscriptions. https://o365reports.com/2021/07/07/microsoft-365-retrieve-audit-log-for-1-year-for-all-subscriptions/ This feature will help to retain audit logs to support legal obligations and internal and compliance investigations.
5.5K views, 0 likes, 1 comment

Audit Logs and OneNote pages
Hi All: I'm trying to run some audit log data on OneNote usage to get a sense of what's being used in the org. However, it appears that audit logs only track down to the section, which is listed as a file. Does anyone have an understanding of this and how I might achieve what I am after? Best, Grant
5.5K views, 1 like, 1 comment

O365 last logon
I am trying to extract the O365 last logon. Is there any other way other than the MailboxStatistics cmdlet in PowerShell? This command doesn't help me. Things I have tried:
1. Search-UnifiedAuditLog -StartDate 05/14/2018 -EndDate 08/12/2018 -RecordType AzureActiveDirectoryStsLogon,SharePointFileOperation,Yammer,ExchangeItem,ExchangeItemGroup -UserIds $email -ResultSize 5000 | Sort-Object CreationDate -Descending | ft Operations, UserIds, CreationDate -AutoSize -Wrap
2. Search-UnifiedAuditLog -UserIds $SearchMailbox -StartDate $StartTime -EndDate $EndTime -Operations "UserLoggedIn","User signed in to mailbox"
3. Download the activity report from the portal.
Is there any better way to get the last actual logon that includes any Office 365 products? Is there any other way to trigger the activity report via PowerShell, or to get the activity data for a user by PowerShell? Any help will be appreciated. Thanks
5.3K views, 0 likes, 2 comments

UserLoggedIn events not found in Azure Audit log for about a week
When I search for UserLoggedIn events in my Office 365 tenant, I'm unable to find any audit records for the last 7 days, whereas all our users have been logging in and out. I've tested one of our test tenants as well and found them missing there too. Is anyone else facing this?
4.4K views, 0 likes, 2 comments