PowerShell scripts for Security and Compliance Logs
The unified audit log in the Microsoft Purview portal displays all events from Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Power BI, and other Microsoft 365 services. This provides a centralized view of user and administrator activities such as sign-ins, file access, policy changes, and other critical actions for comprehensive auditing and compliance monitoring.

To search for granular details in the contents of the unified audit log using PowerShell, you can run the Search-UnifiedAuditLog cmdlet. The following are the parameters available to be used with the Search-UnifiedAuditLog cmdlet.
Search-UnifiedAuditLog
-StartDate <ExDateTime>
-EndDate <ExDateTime>
[-Formatted]
[-FreeText <String>]
[-HighCompleteness]
[-IPAddresses <String[]>]
[-LongerRetentionEnabled <String>]
[-ObjectIds <String[]>]
[-Operations <String[]>]
[-RecordType <AuditRecordType>]
[-ResultSize <Int32>]
[-SessionCommand <UnifiedAuditSessionCommand>]
[-SessionId <String>]
[-SiteIds <String[]>]
[-UserIds <String[]>]
[<CommonParameters>]
Let's look at some examples of using the Search-UnifiedAuditLog cmdlet with its parameters to filter and get the data that you need.
- The StartDate and EndDate parameters can help you decide the time frame that you wish to generate the audit log details for. They accept the date in the mm/dd/yyyy format. The following script uses these parameters to generate audit data between the dates 01/01/2025 to 01/31/2025.
Search-UnifiedAuditLog -StartDate 01/01/2025 -EndDate 01/31/2025
Note: The StartDate and EndDate parameters are mandatory when running the Search-UnifiedAuditLog cmdlet.
- You can use the ResultSize parameter to decide how many results you want returned. It accepts any integer value. For example, you can use this command to get 1,000 events from the unified audit log for the given date range.
Search-UnifiedAuditLog -StartDate 01/01/2025 -EndDate 01/31/2025 -ResultSize 1000
Note: If you run the Search-UnifiedAuditLog cmdlet without specifying ResultSize, 100 log entries are returned by default.
- You can use the Operations parameter to filter for specific events in your Microsoft 365 environment. It accepts any string value and throws an error if the operation does not exist. In this example, the following script finds all the admin audit log entries that record users running either the New-RoleGroup or the New-ManagementRoleAssignment cmdlet.
Search-UnifiedAuditLog -StartDate 01/01/2025 -EndDate 01/31/2025 -Operations New-RoleGroup, New-ManagementRoleAssignment
- The FreeText parameter searches the unified audit log for the text that you provide in the script. It accepts any string value. In this example, we look for entries that involve the site "test site".
Search-UnifiedAuditLog -StartDate 01/01/2025 -EndDate 01/31/2025 -FreeText "test site"
Let's combine the parameters that we just saw into a script that finds all mailbox operations that configured the ProhibitSendReceiveQuota in the time frame 01/01/2025 to 01/31/2025.
Search-UnifiedAuditLog -StartDate 01/01/2025 -EndDate 01/31/2025 -Operations Set-Mailbox -FreeText "ProhibitSendReceiveQuota"
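A single call is capped by ResultSize, so an investigation that needs every matching record has to page through the results with the SessionId and SessionCommand parameters from the syntax block above and then unpack the JSON in each record's AuditData property. The following script is an added example, not code from the original page; it assumes an existing Exchange Online PowerShell session, and the function names Get-AllUnifiedAuditRecords and Expand-AuditRecord and the output file name are our own.

```powershell
# Added example: requires an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
function Get-AllUnifiedAuditRecords {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations,
        [string]   $FreeText
    )
    # One SessionId ties the paged calls together; ReturnLargeSet hands back up to
    # 5,000 records per call (the cmdlet's documented maximum for ResultSize).
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $params = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($Operations) { $params.Operations = $Operations }
        if ($FreeText)   { $params.FreeText   = $FreeText }
        $page = Search-UnifiedAuditLog @params
        if ($page) { $all += $page }
    } while ($page -and $page.Count -gt 0)   # an empty page means the set is exhausted
    # Pages arrive unsorted and can overlap; de-duplicate on the record Identity.
    $all | Sort-Object -Property Identity -Unique
}
# AuditData is a JSON string; flatten the fields an investigator looks at first.
function Expand-AuditRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        # Exchange admin records carry the cmdlet parameters as Name/Value pairs;
        # other record types have no Parameters property and yield an empty string.
        $paramText = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [pscustomobject]@{
            CreationDate = $Record.CreationDate
            UserId       = $d.UserId
            Operation    = $d.Operation
            ClientIP     = $d.ClientIP
            ObjectId     = $d.ObjectId
            Parameters   = $paramText
        }
    }
}
# The page's Set-Mailbox / ProhibitSendReceiveQuota search, with every matching record exported.
Get-AllUnifiedAuditRecords -StartDate '01/01/2025' -EndDate '01/31/2025' -Operations 'Set-Mailbox' -FreeText 'ProhibitSendReceiveQuota' |
    Expand-AuditRecord | Export-Csv -Path .\quota-changes.csv -NoTypeInformation
```

The exported Parameters column shows the exact quota values each administrator set, which is what a reviewer needs to decide whether a change was authorized.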
How M365 Manager Plus is a better alternative to PowerShell auditing
PowerShell, while powerful, often demands extensive scripting expertise and lacks an intuitive user interface to make use of the data being generated. This is where M365 Manager Plus comes in.
ManageEngine M365 Manager Plus, a comprehensive tool for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments, can be used to audit and monitor your Microsoft 365 data and present it in a user-friendly way. These are the advantages that M365 Manager Plus offers that set it apart from PowerShell and other competitors.
- Geolocation enabled audit reports: With these reports, you can look for changes performed by users along with their location. You can filter these reports by location and make management easy for regional admins.
- Custom views and advanced filtering options: You can create audit reports with the type of view you prefer (like summarized views) and also choose the necessary columns for each report.
- Business hours auditing: You can audit actions throughout the day and also get a separate set of reports on the actions performed within and outside the usual business hours. This will help you track the unusual activities performed outside business hours, if any, easily.
- Virtual tenants: Create virtual tenants with users based on any specific criteria and delegate access to only the selected users, enabling faster and more secure audits.
- Granular auditing: With the advanced filter options, you can filter the audits generated for a specific virtual tenant and pick out user-based and group-based reports in particular to your specification.
- Indefinite audit log storage: M365 Manager Plus allows you to store the audit logs for an indefinite period, whereas the native tool has specific restrictions for the storage period as per your subscription type.
- Individual audit profiles for each activity: You can audit actions for most of the Microsoft 365 services and yet have distinct and comprehensive reports that track each activity accurately.
- Create your own custom alerts: Using this feature, you can create your own alert profiles that help you get instant email notifications about crucial changes made to your Microsoft 365 accounts and of security events such as risky sign-ins that occur above a customizable threshold.