Export Office 365 User Activity Report to CSV using PowerShell 

Monitoring office 365 users’ activity helps to identify unauthorized and malicious activities performed in Office 365 tenants. As an admin, often you may encounter a situation to track particular user activity or admin activity. In such a case, activity reports under Microsoft 365 admin center can’t give enough details.  

 

How to Create an Activity Report for a User? 

To track user activity, you can either use an audit log search or PowerShell.   

Search the audit log in the compliance center: Unified audit log helps to view users’ activity across Office 365. Also, you can download the audit log search results to a CSV file. However, you can’t view the required data like operation status (Whether the action is succeeded or failed), workload at a glance. Those attributes are formatted as the JSON object, which needs to be parsed for further information.  

Track user activity with PowerShell: With ever-changing Microsoft 365 admin portals and UI, most admins prefer to work with PowerShell. Search-UnifiedAuditLog cmdlet helps to search the unified audit log. This log contains events from multiple office 365 workloads such as Exchange Online, SharePoint Online, Azure Active Directory, OneDrive for Business, Microsoft Teams, and other Microsoft 365 services. 

 

Audit Office 365 User Activity Report with PowerShell: 

Getting Audit logs using the Search-UnifiedAuditLog is not an easy task. If you don’t retrieve the data properly, you will end up with data loss.  

Considering all the cases, we have created a PowerShell script that will export Office 365 user’s activity report to a CSV file. 

 

Download Script: UserActivityReport.ps1 

 

Script Highlights: 

  • The script uses modern authentication to connect to Exchange Online.  
  • The script can be executed with MFA enabled account too.  
  • Exports report results to CSV file 
  • Allows you to generate user activity report for a custom period 
  • Automatically installs the EXO V2 module (if not installed already) upon your confirmation. 
  • The script is scheduler friendly. I.e., Credential can be passed as a parameter instead of saving inside the script. 

 

Office 365 User Activity Report – Sample Output: 

The exported user activity report contains the following attributes: Activity Time, User Name, Operation, Result, Workload and Detailed Audit Data. 

Office 365 User activity report

Note: Since some workloads doesn’t have Result status column, it shown as empty.

 

Microsoft 365 User Activity Report – Script Execution Steps: 

Step 1: Download the script.   

Step 2: Start Windows PowerShell as an Administrator.   

Step 3: To run this script, you can choose any one of the methods below.    

Method 1Execute the script with a non-MFA account

Method 2: Execute the script using an MFA account 

To know more about how to connect exchange online PowerShell with MFA, refer to our blog Connect Exchange Online PowerShell with MFA. 

Method 3: Execute the script by explicitly mentioning credentials (Scheduler friendly).  

 

Unlock Full potential of “O365 User Activity PowerShell Script”: 

  • Export Office 365 user’s activity history for the past 90 days 
  • Audit Office 365 users’ activity within a particular interval 
  • Get a monthly user activity report 
  • Schedule user activity report 

Export Office 365 user’s activity history for the past 90 days: 

Since Search-UnifiedAuditLog has past 90 days data, we can get a maximum of the last 90 days user’s activity using our script. To export Office 365 user activity for the past 90 days, run the script as mentioned below. 

Note: If a user assigned with Office 365 E5 or Microsoft 365 E5 or Microsoft 365 Compliance or E5 Discovery and Audit add-on license, then you can generate audit log for more than 90 days. In that case, you can use –StartDate and –EndDate params to specify time range. 

 

Audit Office 365 user’s activity within a particular interval 

You can generate an activity report for a custom period by mentioning –StartDate and EndDate params. 

Using these params, you can generate an Office 365 user’s audit report for the last 7 days, 30 days, 90 days, or any other required period. 

 

Monitor admin activity with PowerShell: 

You can audit admin activity by passing admin identity in UserID param. 

The exported report contains Admin’s activity for the past 90 days.  

 

Track external user activity with PowerShell:

You can audit external user activities by passing external user identity in -UserID param.

The exported external user activity report contains Emma’s last 90 days activities.

 

Schedule user activity report: 

Since this Search-UnifiedAuditLog can take user’s audit data for the last 90 days, you may require old audit data for analysis. In that case, scheduling will help you to keep the audit log for more than 90 days. 

To run a PowerShell script task from the scheduler, you can use below the format. 

 

Get a monthly user activity report: 

To get a monthly report for user activity, you can execute the script as follow.  

The above method would be useful in scheduling. 

 

I hope this blog is useful to audit office 365 user activities in your organization. You can also refer our dedicated script on Office 365 user email activity and Office 365 user logon history report for further analysis.