PowerShell scripts for Exchange Online Audit Logs
Finding out who logged in to a mailbox or purged an item from a mailbox can be tedious when using the search log console in the Microsoft 365 Security and Compliance Center. Instead of fiddling with multiple filter options, IT admins can run PowerShell scripts to fetch the required audit logs easily. Below are some of the PowerShell scripts utilized when searching Exchange Online audit logs.
Mailbox activities report
Search-MailboxAuditLog -Identity john -LogonTypes Admin,Delegate -StartDate 1/1/2019 -EndDate 12/31/2019 -ResultSize 2000
This script fetches mailbox audit log entries for John's mailbox on the actions performed by Admins and Delegates between 1/1/19 and 12/31/19. A maximum of 2,000 log entries will be returned.
Search-MailboxAuditLog -Mailboxes jdoe,wsmith -LogonTypes Admin,Delegate -StartDate 1/1/2019 -EndDate 12/31/2019 -ResultSize 2000
This script retrieves mailbox audit log entries for John Doe and William Smith's mailboxes on the actions performed by Admins and Delegates between 1/1/19 and 12/31/19. A maximum of 2,000 log entries will be returned.
Hard deleted mailbox items
Search-MailboxAuditLog -Identity kwok -LogonTypes Owner -ShowDetails -StartDate 1/1/2016 -EndDate 3/1/2016 | Where-Object {$_.Operation -eq "HardDelete"}
This script retrieves mailbox audit log entries for Ken Kwok's mailbox on actions performed by the mailbox owner between 1/1/16 and 3/1/16. The results are piped to the Where-Object cmdlet and filtered to only return entries with the HardDelete action.
Exchange admin activities report
Search-UnifiedAuditLog -StartDate "6/1/2019 8:00 AM" -EndDate "6/1/2019 6:00 PM" -RecordType ExchangeAdmin
This script searches the unified audit log for all Exchange admin events from 8am to 6pm on 6/1/19.
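Search-UnifiedAuditLog returns at most 100 records unless -ResultSize is set, and the detail of each record sits in a JSON string in its AuditData property. The following added example (not part of the original page) pages through the whole result set with -SessionId and -SessionCommand ReturnLargeSet and flattens AuditData into readable columns. The function names and the sample record are constructed for illustration, and the live query assumes a session already opened with Connect-ExchangeOnline.

```powershell
# Added example. The live query assumes a session opened with Connect-ExchangeOnline.
function Get-ExchangeAdminAudit {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate
    )
    # One SessionId ties every page of the same search together.
    $sessionId = [guid]::NewGuid().ToString()
    while ($true) {
        # ReturnLargeSet pages through the result set, up to 5,000 records per call.
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -RecordType ExchangeAdmin -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($page.Count -eq 0) { break }   # an empty page means the set is exhausted
        $page                              # emit this page to the pipeline
    }
}

function ConvertFrom-AuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; parse it to reach the per-event fields.
        $d = $Record.AuditData | ConvertFrom-Json
        # Rebuild the cmdlet arguments; foreach skips records without Parameters.
        $params = foreach ($p in $d.Parameters) { "-$($p.Name) $($p.Value)" }
        [pscustomobject]@{
            Time       = $d.CreationTime
            User       = $d.UserId
            Operation  = $d.Operation
            Target     = $d.ObjectId
            Parameters = $params -join ' '
        }
    }
}

# Constructed sample record, so the parsing step can be tried without a tenant.
$sample = [pscustomobject]@{
    AuditData = '{"CreationTime":"2019-06-01T09:15:00","Operation":"Add-MailboxPermission",' +
                '"UserId":"admin@example.com","ObjectId":"jdoe",' +
                '"Parameters":[{"Name":"User","Value":"wsmith"},{"Name":"AccessRights","Value":"FullAccess"}]}'
}
$sample | ConvertFrom-AuditRecord | Format-List

# Against a tenant, summarize who ran which admin cmdlets in the window:
# Get-ExchangeAdminAudit -StartDate "6/1/2019 8:00 AM" -EndDate "6/1/2019 6:00 PM" |
#     ConvertFrom-AuditRecord | Group-Object User, Operation | Sort-Object Count -Descending
```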
Auditing with M365 Manager Plus
M365 Manager Plus' prepackaged audit reports eliminate the need to comb through the unified audit logs in the Security and Compliance Center. In many respects, this tool is easier to use than the Microsoft 365 Security and Compliance Center. Below are some features showcasing how M365 Manager Plus is the superior tool:
Access audit reports in one click: Instead of going through entire logs or fiddling with the filter options in the Microsoft 365 Security and Compliance Center, create audit reports and view the data in a single click.
Employ advanced filtering: In Microsoft 365, you can only filter logs based on certain attribute values. With M365 Manager Plus, you can filter logs based on any attribute, and also perform multi-valued searches as needed.
Customize views: While Microsoft 365 doesn't support custom views, M365 Manager Plus enables you to create your own custom views to see filtered data, summarized data, or filtered summarized data.
Utilize graphical views: M365 Manager Plus' audit reports come with graphical representations of the audit data for a quick snapshot.
Export data to multiple formats: Using native Microsoft 365 tools, you can only export data to CSV. But with M365 Manager Plus, you can export audit data to PDF, XLSX, HTML, and CSV formats.