
Extract Audit Logs for Office 365 Services using PowerShell


Using Search-UnifiedAuditLog has always been confusing, because you first need to load the Exchange libraries.
In this script we will retrieve the audit logs from Office 365 for the following services:

  1. Skype for Business
  2. Exchange
  3. Yammer
  4. OneDrive for Business
  5. SharePoint Online

Please be aware that the command “Search-UnifiedAuditLog” is not available until you load the Exchange session with New-PSSession -ConfigurationName Microsoft.Exchange; this means you have to use the tenant admin account to execute the code below.

The extraction is very useful for getting audit logs for your Office 365 services, and the results are written to CSV files.


# Tenant admin account used to open the Exchange Online session
$Username = "tenant.admin@henkel.com"
$TenantODFBUrl = "https://tenant-my.sharepoint.com"
$TenantAdminUrl = "https://tenant-admin.sharepoint.com"
[String]$Output = ".\report_$((Get-Date -uformat %Y%m%d).ToString()).csv"
# Users whose activity is searched, one user principal name per line
$usersList = Get-Content "C:\temp\TargetUsers.txt"
# Pass the logged-on user's credentials to the default web proxy
$cred = [System.Net.CredentialCache]::DefaultCredentials
[System.Net.WebRequest]::DefaultWebProxy.Credentials = $cred
# Prompt for the password instead of storing it in the script in plain text
$creds = Get-Credential -UserName $Username -Message "Password for the tenant admin account"
# Load the Exchange cmdlets; Search-UnifiedAuditLog only exists after this import
$session = New-PSSession -ConfigurationName Microsoft.Exchange -Authentication Basic -ConnectionUri https://ps.outlook.com/powershell -AllowRedirection:$true -Credential $creds
Import-PSSession $session -AllowClobber
# Search window: the last 60 days, up to yesterday
$startDate = $(Get-Date).AddDays(-60).Date
$endDate = $(Get-Date).AddDays(-1).Date
# All workloads (5000 is the maximum -ResultSize for a single call; the default is 100)
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -ResultSize 5000 | Sort-Object CreationDate -Descending | Export-Csv .\SearchResult.csv -NoTypeInformation
#Skype for Business (-RecordType accepts a single value, so each record type is queried in turn)
"SkypeForBusinessCmdlets","SkypeForBusinessPSTNUsage","SkypeForBusinessUsersBlocked" | ForEach-Object { Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType $_ } | Sort-Object CreationDate -Descending | Export-Csv .\SkypeSearchResult.csv -NoTypeInformation
#Exchange
"ExchangeAdmin","ExchangeItemGroup","ExchangeItem","ExchangeAggregatedOperation" | ForEach-Object { Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType $_ } | Sort-Object CreationDate -Descending | Export-Csv .\ExchangeSearchResult.csv -NoTypeInformation
#Yammer
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $usersList -RecordType "yammer" | Sort-Object CreationDate -Descending | Export-Csv .\YammerSearchResult.csv -NoTypeInformation
#OneDriveForBusiness (no record type filter; matched on the Workload value inside the AuditData JSON)
$OneDriveworkload = '*"Workload"' + ":" + '"OneDrive"*'
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $usersList | Where-Object {$_.AuditData -like $OneDriveworkload } | Sort-Object CreationDate -Descending | Export-Csv .\OneDriveSearchResult.csv -NoTypeInformation
#SharePoint Online
$workload = '*"Workload"' + ":" + '"SharePoint"*'
"SharePointFileOperation","SharePoint","SharePointSharingOperation" | ForEach-Object { Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $usersList -RecordType $_ } | Where-Object {$_.AuditData -like $workload} | Sort-Object CreationDate -Descending | Export-Csv .\SPSearchResult.csv -NoTypeInformation
# Close the remote session when finished
Remove-PSSession $session
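
The OneDrive and SharePoint filters above match the AuditData column as a wildcard string. As an added example (not part of the original script), the function below parses AuditData as JSON, filters on the exact Workload value and flattens the fields an investigator usually needs into CSV columns. The function name ConvertFrom-AuditRecord, the sample records and the output file name are assumptions made for illustration.

```powershell
# Added example. The records below are constructed sample data shaped like
# Search-UnifiedAuditLog output (CreationDate plus a JSON AuditData column).
$sampleRecords = @(
    [pscustomobject]@{ CreationDate = [datetime]'2024-01-10T09:15:00'; AuditData = '{"CreationTime":"2024-01-10T09:15:00","Operation":"FileDownloaded","Workload":"OneDrive","UserId":"alice@example.com","ClientIP":"203.0.113.10","ObjectId":"https://tenant-my.sharepoint.com/personal/alice/Documents/plan.docx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-01-10T09:20:00'; AuditData = '{"CreationTime":"2024-01-10T09:20:00","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"admin@example.com","ClientIP":"203.0.113.20","ObjectId":"bob"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2024-01-10T09:25:00'; AuditData = '{"CreationTime":"2024-01-10T09:25' }  # truncated on purpose
    [pscustomobject]@{ CreationDate = [datetime]'2024-01-10T09:30:00'; AuditData = '{"CreationTime":"2024-01-10T09:30:00","Operation":"SharingSet","Workload":"SharePoint","UserId":"alice@example.com","ClientIP":"203.0.113.10","ObjectId":"https://tenant.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx"}' }
)

function ConvertFrom-AuditRecord {
    # Hypothetical helper: turns one audit record into a flat object.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string[]] $Workload    # optional exact-match filter, e.g. 'OneDrive'
    )
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            # Do not drop bad rows silently; an incomplete export should be visible.
            Write-Warning "Skipping record with unparseable AuditData (CreationDate $($Record.CreationDate))"
            return
        }
        if ($Workload -and $data.Workload -notin $Workload) { return }
        [pscustomobject]@{
            CreationTime = $data.CreationTime
            Workload     = $data.Workload
            Operation    = $data.Operation
            UserId       = $data.UserId
            ClientIP     = $data.ClientIP
            ObjectId     = $data.ObjectId
        }
    }
}

# Keep only OneDrive and SharePoint activity, newest first, one column per field.
$parsed = $sampleRecords | ConvertFrom-AuditRecord -Workload 'OneDrive','SharePoint'
$parsed | Sort-Object CreationTime -Descending | Export-Csv .\ParsedAuditResult.csv -NoTypeInformation
# Per-user operation counts, a quick first look for unusual activity.
$parsed | Group-Object UserId, Operation | Select-Object Count, Name
```

To use it on live data, pipe the output of Search-UnifiedAuditLog into ConvertFrom-AuditRecord in place of $sampleRecords.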

Please leave me a comment if you face any issues with it.
Regards!
