Updated 7 months ago

15 Useful PowerShell Scripts to Audit Office 365 Activities

by Kathy Cooper

5 min read

1 Comment

Auditing plays a vital role in monitoring activities performed in the Microsoft 365 organization. Office 365 audit reports will be helpful to identify security events, monitor user activities, track file sharing, investigate forensic events, etc.

Most admins prefer PowerShell over Audit log search due to its speed and customization. If you are one of them, this blog will lend a hand to monitor your Office 365 environment efficiently using PowerShell.

TheSearch-UnifiedAuditLog’ cmdlet is used to retrieve audit logs, but you may face a few challenges while using it.

  • The cmdlet will list a plethora of results. If you are a newbie, it will be hard to get the required result.
  • You can get a maximum of 5000 audit records for each Search-UnifiedAuditLog call. It can be achieved by using the ‘ResultSize’ parameter. If the specific time range has more than 5000 data, you need to call SearchUnifiedAuditLog again and again with ‘SessionId’ until you get all records.
  • Even if you use ‘SessionId’, you can get 50,000 records for a given period. If it exceeds the limit, you can’t retrieve all records. It results in partial data retrieval.
  • The retrieved data is in JSON format. You must convert them to proceed further.

By considering these challenges, we have created the 15 most required scripts for Office 365 admins to monitor their organization. Let’s see them in detail.

Monitor User Activities:

Audit Mailbox and Email Activities:

Track SharePoint File Sharing & Access:

NOTE: You can also utilize these 15 must-have MS Graph PowerShell scripts to gather details on users and groups, as well as essential security settings like MFA status, CA policies, SSPR, and more.

How to Schedule Audit Reports:

With basic Office 365 licensing, you can only retrieve audit logs for the last 90 days. To get audit data for more than 90 days, you will require an advanced auditing license such as E5, A5, G5, etc. Few months back, admins could retrieve audit data for one year for all the license types. We are not sure whether it’s a Microsoft feature or a bug. Still, it works in a few tenants (luckily, mine is one of them!). You can check for your tenant too.

If it’s not work in your tenant, you can schedule the PowerShell scripts to run periodically to keep older data. All our scripts are scheduler-friendly, which helps to store the audit data for more than 90 days.

Keep Office 365 Audit Log for a Longer Period with AdminDroid:

Office 365 audit logs generate a large amount of audit data, which can be difficult to analyze manually and time-consuming process. This is where an auditing tool comes in. AdminDroid offers an Office 365 auditing tool that simplifies the auditing process and provides you with valuable insights into your organization’s activities.

AdminDroid provides 800+ auditing reports on various Office 365 services which include,

  • Azure AD auditing reports: With these reports, admins can monitor user logins, user activities, group activities, license changes, password changes, application activities, etc. and other 120+ reports are available for free.
  • Exchange Online auditing reports: These reports help monitoring Office 365 mailbox activities, access permissions, management operations, and configuration changes.
  • Email monitoring reports: Email reports help to track email activities, email traffic, inactive users, peak periods, slack periods, spam, malware, phishing emails, and more to mitigate email threats in the organization.
  • SharePoint auditing reports: SPO auditing reports provide detailed info on user permissions to site contents, sharing and access, file activities, external sharing & access, and DLP actions to protect the organization’s data.
  • OneDrive auditing reports: These reports help to audit when, how, and who performed the file/ folder activities, OneDrive link creations and removals, and external sharing to prevent users’ confidential information from getting leaked.
  • MS Teams auditing reports: Teams reports offer insights into various aspects of Teams usage, including login activities, private channel and membership changes, configuration changes, and Teams file transfers to help organizations gain a better understanding of their Teams usage.
  • Yammer auditing reports: Provide reports on inactive users, inactive groups, device usage, and daily Yammer activities.
  • Power BI auditing reports: Help to keep an eye on activities on Power BI dashboards, reports, apps, datasets and dataflows to regulate Power BI usage.
  • Stream auditing reports: Enables admins to track various video activities, such as creation, modification, deletion, restoration, and uploads.

Office 365 auditing dashboard

Office 365 users signin report by AdminDroid

Additionally, admins can configure Microsoft 365 alerts to keep track of critical activities happening across Microsoft 365 tenant in real-time via email alerts. With AdminDroid, admins can get email alerts on 1400+ activities. This enables them to quickly respond to potential security threats and take necessary actions to prevent any data breaches.

Gain valuable insights to ensure the security and compliance of your organization using AdminDroid Microsoft 365 reporter. Try it out now and discover the benefits of data visualization and analysis.

I hope this blog is useful to audit your Office 365 organization. If you have any requirements, you can share them in the comment section. Happy auditing!

Share article