15 Useful PowerShell Scripts to Audit Office 365 Activities
Auditing plays a vital role in monitoring activities performed in the Microsoft 365 organization. Office 365 audit reports will be helpful to identify security events, monitor user activities, track file sharing, investigate forensic events, etc.
Most admins prefer PowerShell over Audit log search due to its speed and customization. If you are one of them, this blog will lend a hand to monitor your Office 365 environment efficiently using PowerShell.
The ‘Search-UnifiedAuditLog’ cmdlet is used to retrieve audit logs, but you may face a few challenges while using it.
- The cmdlet will list a plethora of results. If you are a newbie, it will be hard to get the required result.
- You can get a maximum of 5000 audit records for each Search-UnifiedAuditLog call. It can be achieved by using the ‘ResultSize’ parameter. If the specific time range has more than 5000 data, you need to call Search–UnifiedAuditLog again and again with ‘SessionId’ until you get all records.
- Even if you use ‘SessionId’, you can get 50,000 records for a given period. If it exceeds the limit, you can’t retrieve all records. It results in partial data retrieval.
- The retrieved data is in JSON format. You must convert them to proceed further.
By considering these challenges, we have created the 15 most required scripts for Office 365 admins to monitor their organization. Let’s see them in detail.
Monitor User Activities:
- Office 365 users logon history report – Helps to monitor Office 365 users’ login activities and identify unusual login patterns.
- User activity report – Lists all the activities performed by a specific user or admin to track any suspicious activity.
- Audit External user activities report – Helps to inspect external users’ activities to prevent security threats & data leakage.
- Teams meeting attendance report – Exports all the team meetings and the participant’s lists to a CSV file
Audit Mailbox and Email Activities:
- Non-owner mailbox access report – Helps to track who accessed another users’ mailbox and when.
- Mail traffic report – Shows the number of emails sent and received by users for a day.
- Audit email deletion report – Exports who deleted which mail and when. It helps to track accidental and intentional email deletions.
- Audit SendAs emails – Helps to track emails sent by delegates using SendAs privilege.
- Audit who sent emails from a shared mailbox – Identifies who sent emails from shared mailboxes using SendAs and SendOnBehalf permission.
- Audit mailbox permission changes – Detects who modified mailbox permission changes and when.
Track SharePoint File Sharing & Access:
- External user file access report – Shows a list of files accessed by external users and when they accessed them.
- Audit external sharing report – Helps to get a list of files and folders shared with external users to monitor sensitive information leakage.
- Anonymous link sharing & access report – Audits anonymous link creation, modification, removal, and access in SharePoint Online and OneDrive.
- Audit file deletion report – Exports who deleted what file and when from SharePoint Online and OneDrive
- Audit SPO group membership changes – Monitors addition and removal of members in SharePoint Online groups.
How to Schedule Audit Reports:
With basic Office 365 licensing, you can only retrieve audit logs for the last 90 days. To get audit data for more than 90 days, you will require an advanced auditing license such as E5, A5, G5, etc. Few months back, admins could retrieve audit data for one year for all the license types. We are not sure whether it’s a Microsoft feature or a bug. Still, it works in a few tenants (luckily, mine is one of them!). You can check for your tenant too.
If it’s not work in your tenant, you can schedule the PowerShell scripts to run periodically to keep older data. All our scripts are scheduler-friendly, which helps to store the audit data for more than 90 days.
Keep Office 365 Audit Log for a Longer Period with AdminDroid:
Office 365 audit logs generate a large amount of audit data, which can be difficult to analyze manually and time-consuming process. This is where an auditing tool comes in. AdminDroid offers an Office 365 auditing tool that simplifies the auditing process and provides you with valuable insights into your organization’s activities.
AdminDroid provides 800+ auditing reports on various Office 365 services which include,
- Azure AD auditing reports: With these reports, admins can monitor user logins, user activities, group activities, license changes, password changes, application activities, etc. and other 120+ reports are available for free.
- Exchange Online auditing reports: These reports help monitoring Office 365 mailbox activities, access permissions, management operations, and configuration changes.
- Email monitoring reports: Email reports help to track email activities, email traffic, inactive users, peak periods, slack periods, spam, malware, phishing emails, and more to mitigate email threats in the organization.
- SharePoint auditing reports: SPO auditing reports provide detailed info on user permissions to site contents, sharing and access, file activities, external sharing & access, and DLP actions to protect the organization’s data.
- OneDrive auditing reports: These reports help to audit when, how, and who performed the file/ folder activities, OneDrive link creations and removals, and external sharing to prevent users’ confidential information from getting leaked.
- MS Teams auditing reports: Teams reports offer insights into various aspects of Teams usage, including login activities, private channel and membership changes, configuration changes, and Teams file transfers to help organizations gain a better understanding of their Teams usage.
- Yammer auditing reports: Provide reports on inactive users, inactive groups, device usage, and daily Yammer activities.
- Power BI auditing reports: Help to keep an eye on activities on Power BI dashboards, reports, apps, datasets and dataflows to regulate Power BI usage.
- Stream auditing reports: Enables admins to track various video activities, such as creation, modification, deletion, restoration, and uploads.
Additionally, admins can configure Microsoft 365 alerts to keep track of critical activities happening across Microsoft 365 tenant in real-time via email alerts. With AdminDroid, admins can get email alerts on 1400+ activities. This enables them to quickly respond to potential security threats and take necessary actions to prevent any data breaches.
Gain valuable insights to ensure the security and compliance of your organization using AdminDroid Microsoft 365 reporter. Try it out now and discover the benefits of data visualization and analysis.
I hope this blog is useful to audit your Office 365 organization. If you have any requirements, you can share them in the comment section. Happy auditing!