PowerShell scripts to search for Exchange audit logs

Your download is in progress and it will be complete in just a few seconds! If you face any issues, download manually here

Manage and Secure Office 365 with
O365 Manager Plus

Please enter business email address
By clicking 'Schedule a personalized demo', you agree to processing of personal data according to the Privacy Policy. You can unsubscribe from our mails at anytime.

PowerShell scripts for Exchange Online Audit Logs

Finding out who logged in to a mailbox or purged an item from a mailbox can be tedious when using the search log console in the Office 365 Security and Compliance Center. Instead of fiddling with multiple filter options, IT admins can run PowerShell scripts to fetch the required audit logs easily. Below are some of the PowerShell scripts utilized when searching Exchange Online audit logs.

Mailbox activities report

Search-MailboxAuditLog -Identity john -LogonTypes Admin,Delegate -StartDate 1/1/2019 -EndDate 12/31/2019 -ResultSize 2000

This script fetches mailbox audit log entries for John's mailbox on the actions performed by Admins and Delegates between 1/1/19 and 12/31/19. A maximum of 2,000 log entries will be returned.

Search-MailboxAuditLog -Mailboxes jdoe,wsmith -LogonTypes Admin,Delegate -StartDate 1/1/2019 -EndDate 12/31/2019 -ResultSize 2000

This script retrieves mailbox audit log entries for John Doe and William Smith's mailboxes on the actions performed by Admins and Delegates between 1/1/19 and 12/31/19. A maximum of 2,000 log entries will be returned.

Hard deleted mailbox items

Search-MailboxAuditLog -Identity kwok -LogonTypes Owner -ShowDetails -StartDate 1/1/2016 -EndDate 3/1/2016 | Where-Object {$_.Operation -eq "HardDelete"}

This script retrieves mailbox audit log entries for Ken Kwok's mailbox on actions performed by the mailbox owner between 1/1/16 and 3/1/16. The results are piped to the Where-Object cmdlet and filtered to only return entries with the HardDelete action.

Exchange admin activities report

Search-UnifiedAuditLog -StartDate "6/1/2019 8:00 AM" -EndDate "6/1/2019 6:00 PM" -RecordType ExchangeAdmin

This script searches the unified audit log for all Exchange admin events from 8am to 6pm on 6/1/19.

Auditing with O365 Manager Plus

O365 Manager Plus' prepackaged audit reports eliminate the need to comb through the unified audit logs in the Security and Compliance Center. In many aspects, this tool is easier to use than the Office 365 Security and Compliance Center. Below are some features showcasing how O365 Manager Plus is the superior tool:

Access audit reports in one click: Instead of going through entire logs or fiddling with the filter options in the Office 365 Security and Compliance Center, create audit reports and view the data in a single click.

Employ advanced filtering: In Office 365, you can only filter logs based on certain attribute values. With O365 Manager Plus, you can filter logs based on any attribute, and also perform multi-valued searches as needed.

Customize views: While Office 365 doesn't support custom views, O365 Manager Plus enables you to create your own custom views to see filtered data, summarized data, or filtered summarized data.

Utilize graphical views: O365 Manager Plus' audit reports come with graphical representations of the audit data for a quick snapshot.

Export data to multiple formats: Using native Office 365 tools, you can only export data to CSV. But with O365 Manager Plus, you can export audit data to PDF, XLS, HTML, and CSV formats.

PowerShell scripts for Office 365

PowerShell scripts for Exchange Online Audit Logs

Auditing with O365 Manager Plus