Auditing plays a vital role in monitoring the activities performed in a Microsoft 365 organization. Office 365 audit reports help you identify security events, monitor user activity, track file sharing, and support forensic investigations.
Most admins prefer PowerShell over the audit log search in the compliance portal because of its speed and flexibility. If you are one of them, this blog will help you monitor your Office 365 environment efficiently using PowerShell.
The Search-UnifiedAuditLog cmdlet (Exchange Online PowerShell) retrieves unified audit log records, but you will face a few challenges while using it.
- Without filters such as Operations, RecordType, UserIds or ObjectIds, the cmdlet returns a large volume of records, and a newcomer will find it hard to extract the required result.
- A single Search-UnifiedAuditLog call returns at most 5,000 records (set with the ResultSize parameter; the default is 100). If the time range holds more than 5,000 records, you must call Search-UnifiedAuditLog repeatedly with the same SessionId and SessionCommand ReturnLargeSet until a page comes back with fewer than 5,000 records.
- Even with SessionId, one search session returns at most 50,000 records. If the time range exceeds that limit, the remaining records are silently dropped and you end up with partial data; the only fix is to split the range into smaller windows and search each one separately.
- The details of each record (client IP, object, result status and so on) are stored in the AuditData property as a JSON string. You must parse it, for example with ConvertFrom-Json, before you can filter or export those fields.
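The following is an added example (not a script from the original post) that works around all four challenges at once: it pages 5,000 records at a time inside one SessionId, halves any time window that hits the 50,000-per-session cap and searches each half again, deduplicates on the shared boundary, and flattens the AuditData JSON into CSV columns. It assumes an existing Connect-ExchangeOnline session; the function names are hypothetical, and the UserLoggedIn/UserLoginFailed operations in the usage line are real unified audit log operation names.

```powershell
# Added example, not code from the original post. Assumes Connect-ExchangeOnline
# has already been run. Function names are hypothetical.

function Get-UnifiedAuditLogPaged {
    # Returns every record between StartDate and EndDate for the given filters.
    # Pages 5,000 records per call under one SessionId; if a window would exceed
    # the 50,000-per-session cap it is halved and each half is searched again,
    # so no records are silently dropped.
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations,   # e.g. 'UserLoggedIn','FileDeleted'
        [string]   $RecordType,   # e.g. 'ExchangeItem','SharePointFileOperation'
        [string[]] $UserIds
    )
    $pageSize   = 5000    # hard maximum per call (ResultSize)
    $sessionCap = 50000   # hard maximum per SessionId
    $filters = @{}
    if ($Operations) { $filters.Operations = $Operations }
    if ($RecordType) { $filters.RecordType = $RecordType }
    if ($UserIds)    { $filters.UserIds    = $UserIds }

    $sessionId = [guid]::NewGuid().ToString()   # fresh session per window
    $buffer = [System.Collections.Generic.List[object]]::new()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet `
                    -ResultSize $pageSize @filters | Where-Object { $_ })
        foreach ($r in $page) { $buffer.Add($r) }
    } while ($page.Count -eq $pageSize -and $buffer.Count -lt $sessionCap)

    if ($buffer.Count -lt $sessionCap) { return $buffer }

    # Cap reached: the window holds more than one session can return. Split it.
    $span = $EndDate - $StartDate
    if ($span.TotalMinutes -le 1) {
        Write-Warning "More than $sessionCap records between $StartDate and $EndDate; returning a partial set."
        return $buffer
    }
    $mid = $StartDate.AddTicks([long]($span.Ticks / 2))
    Write-Verbose "Splitting $StartDate - $EndDate at $mid"
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($r in @(Get-UnifiedAuditLogPaged -StartDate $StartDate -EndDate $mid @filters) +
                   @(Get-UnifiedAuditLogPaged -StartDate $mid -EndDate $EndDate @filters)) {
        # Both halves include the boundary instant; Identity is unique per record.
        if ($seen.Add([string]$r.Identity)) { $r }
    }
}

function Expand-AuditRecord {
    # Flattens the AuditData JSON into columns that Export-Csv can write.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationDate = $Record.CreationDate     # UTC
            RecordType   = $Record.RecordType
            Operation    = $Record.Operations
            User         = $Record.UserIds
            Workload     = $data.Workload
            ClientIP     = $data.ClientIP
            ResultStatus = $data.ResultStatus
            ObjectId     = $data.ObjectId
            AuditData    = $Record.AuditData        # raw JSON kept for later investigation
        }
    }
}

# Usage: every successful and failed sign-in from the last 7 days, exported to CSV.
$now = (Get-Date).ToUniversalTime()
Get-UnifiedAuditLogPaged -StartDate $now.AddDays(-7) -EndDate $now `
        -Operations 'UserLoggedIn','UserLoginFailed' |
    Expand-AuditRecord |
    Export-Csv -Path .\UserLogons.csv -NoTypeInformation -Encoding UTF8
```

Two design notes: the split is done only after a window is known to have hit the cap, so the common case costs exactly one session; and the records from a capped window are discarded rather than emitted, because the halves will return them again and emitting both would duplicate up to 50,000 rows. Pass filters whenever you can, as a narrower search rarely reaches the cap at all.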
Considering these challenges, we have created the 15 scripts Office 365 admins need most to monitor their organization. Let’s see them in detail.
Monitor User Activities:
- Office 365 users logon history report – Helps to monitor Office 365 users’ login activities and identify unusual login patterns.
- User activity report – Lists all the activities performed by a specific user or admin to track any suspicious activity.
- Audit External user activities report – Helps to inspect external users’ activities to prevent security threats & data leakage.
- Teams meeting attendance report – Exports all Teams meetings and their participant lists to a CSV file.
Audit Mailbox and Email Activities:
- Non-owner mailbox access report – Helps to track who accessed another user’s mailbox and when.
- Mail traffic report – Shows the number of emails sent and received by users for a day.
- Audit email deletion report – Exports who deleted which mail and when. It helps to track accidental and intentional email deletions.
- Audit SendAs emails – Helps to track emails sent by delegates using SendAs privilege.
- Audit who sent emails from a shared mailbox – Identifies who sent emails from shared mailboxes using SendAs and SendOnBehalf permission.
- Audit mailbox permission changes – Detects who modified mailbox permissions and when.
Track SharePoint File Sharing & Access:
- External user file access report – Shows a list of files accessed by external users and when they accessed them.
- Audit external sharing report – Helps to get a list of files and folders shared with external users to monitor sensitive information leakage.
- Anonymous link sharing & access report – Audits anonymous link creation, modification, removal, and access in SharePoint Online and OneDrive.
- Audit file deletion report – Exports who deleted which file and when from SharePoint Online and OneDrive.
- Audit SPO group membership changes – Monitors addition and removal of members in SharePoint Online groups.
How to Schedule Audit Reports to Keep Older Data:
With basic Office 365 licensing, you can retrieve audit logs only for the last 90 days. To get audit data older than 90 days, you need an advanced auditing license such as E5, A5, G5, etc. A few months back, admins could retrieve audit data for one year for all license types. We are not sure whether it’s a Microsoft feature or a bug. Still, it works in a few tenants (luckily, mine is one of them!). You can check your tenant too.
If it doesn’t work in your tenant, you can schedule the PowerShell scripts to run periodically and keep the older data yourself. All our scripts are scheduler-friendly, which helps to store audit data for more than 90 days.
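As an added example of such a scheduled collector (not one of the post's own scripts), the script below runs unattended under Task Scheduler: it signs in with certificate-based app-only authentication, resumes from a checkpoint with a 24-hour overlap because audit events can arrive hours late, writes one CSV per day, and skips records whose Identity is already archived so the overlap produces no duplicates. It assumes an Entra app registration granted the Exchange.ManageAsApp application permission and an Exchange admin role, with its certificate in the LocalMachine store; the AppId, thumbprint, tenant name, paths and task name are placeholders. Save it to a file (the example uses $PSCommandPath) and run it once with -Register from an elevated prompt.

```powershell
# Added example, not code from the original post. Unattended daily archive of the
# unified audit log. AppId, thumbprint, organization, paths and task name are placeholders.
param(
    [switch] $Register,
    [string] $ArchiveRoot  = 'C:\AuditArchive',
    [string] $AppId        = '00000000-0000-0000-0000-000000000000',
    [string] $Thumbprint   = '0000000000000000000000000000000000000000',
    [string] $Organization = 'contoso.onmicrosoft.com'
)

if ($Register) {
    # One-time setup: run this script daily as SYSTEM (certificate must be in the LocalMachine store).
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 2am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'M365-AuditArchive' -Action $action -Trigger $trigger -Principal $principal | Out-Null
    return
}

New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
$checkpoint = Join-Path $ArchiveRoot 'checkpoint.txt'

# Audit events can take hours to appear, so re-read a 24-hour overlap and dedupe below.
$end = (Get-Date).ToUniversalTime()
if (Test-Path $checkpoint) {
    $last  = [datetime]::Parse((Get-Content $checkpoint -Raw).Trim()).ToUniversalTime()
    $start = $last.AddHours(-24)
} else {
    $start = $end.AddDays(-7)   # first run: seed the archive with the last week
}

Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false
try {
    $sessionId = [guid]::NewGuid().ToString()
    $records = [System.Collections.Generic.List[object]]::new()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000 | Where-Object { $_ })
        foreach ($r in $page) { $records.Add($r) }
    } while ($page.Count -eq 5000)
    if ($records.Count -ge 50000) {
        Write-Warning "Session cap reached for $start - $end; run the task more often or split the window."
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}

# One CSV per day. Identity is unique per record, so records already on disk are skipped.
$records | Group-Object { $_.CreationDate.ToString('yyyy-MM-dd') } | ForEach-Object {
    $file = Join-Path $ArchiveRoot ("audit-{0}.csv" -f $_.Name)
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    if (Test-Path $file) {
        foreach ($id in (Import-Csv $file).Identity) { [void]$seen.Add($id) }
    }
    $new = $_.Group |
        Where-Object { $seen.Add([string]$_.Identity) } |   # true only for unseen Identities
        Select-Object CreationDate, RecordType, Operations, UserIds, Identity, AuditData
    if ($new) { $new | Export-Csv -Path $file -Append -NoTypeInformation -Encoding UTF8 }
}

# Only advance the checkpoint after the export succeeded, so a failed run is retried next time.
Set-Content -Path $checkpoint -Value $end.ToString('o')
```

The raw AuditData JSON is archived unchanged rather than flattened, because which fields matter in an investigation is not known in advance; flatten it at query time. The checkpoint is written last on purpose: if the export throws, the next run simply re-reads the same window.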
I hope this blog is useful to audit your Office 365 organization. If you have any requirements, you can share them in the comment section. Happy auditing!