15 Useful PowerShell Scripts to Audit Office 365 Activities 

Auditing plays a vital role in monitoring activities performed in the Microsoft 365 organization. Office 365 audit reports will be helpful to identify security events, monitor user activities, track file sharing, investigate forensic events, etc.

Most admins prefer PowerShell over Audit log search due to its speed and customization. If you are one of them, this blog will lend a hand to monitor your Office 365 environment efficiently using PowerShell.  

The ‘Search-UnifiedAuditLog’ cmdlet is used to retrieve audit logs, but you may face a few challenges while using it.

  • The cmdlet will list a plethora of results. If you are a newbie, it will be hard to get the required result.  
  • You can get a maximum of 5000 audit records for each Search-UnifiedAuditLog call, which is achieved by using the ‘ResultSize’ parameter. If the specific time range has more than 5000 records, you need to call Search-UnifiedAuditLog again and again with ‘SessionId’ until you get all records.
  • Even if you use ‘SessionId’, you can get 50,000 records for a given period. If it exceeds the limit, you can’t retrieve all records. It results in partial data retrieval.  
  • The retrieved data is in JSON format. You must convert it before you can process it further.
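
The paging behaviour in the list above, as an added example that is not one of this blog's scripts: it repeats one ‘SessionId’ search until a page comes back empty, halves the time window when the 50,000-record ceiling is reached, and converts the JSON ‘AuditData’ column into objects. It assumes an Exchange Online PowerShell session is already connected; the function name Get-AuditRecords, its parameters and the output file name are hypothetical.

```powershell
# Added example. Get-AuditRecords is a hypothetical helper name.
# Assumes Connect-ExchangeOnline has already been run in this session.
function Get-AuditRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations,
        [int] $SessionLimit = 50000   # per-period ceiling described above
    )
    $search = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        SessionId      = [guid]::NewGuid().ToString()   # one id per window
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000                            # maximum per call
    }
    if ($Operations) { $search.Operations = $Operations }

    # Repeat the call with the same SessionId until a page comes back empty.
    $records = [System.Collections.Generic.List[object]]::new()
    do {
        $page = @(Search-UnifiedAuditLog @search)
        foreach ($r in $page) { $records.Add($r) }
    } while ($page.Count -gt 0 -and $records.Count -lt $SessionLimit)

    $span = $EndDate - $StartDate
    if ($records.Count -ge $SessionLimit -and $span.TotalMinutes -gt 1) {
        # Ceiling reached, so this window is incomplete: discard it and
        # search each half separately instead of returning partial data.
        Write-Verbose "Limit hit for $StartDate - $EndDate; splitting window"
        $mid = $StartDate.AddTicks([long]($span.Ticks / 2))
        Get-AuditRecords -StartDate $StartDate -EndDate $mid -Operations $Operations
        Get-AuditRecords -StartDate $mid -EndDate $EndDate -Operations $Operations
        return
    }
    foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json   # AuditData is a JSON string
        [pscustomobject]@{
            Id = $d.Id; TimeUtc = $d.CreationTime; User = $d.UserId
            Operation = $d.Operation; Workload = $d.Workload
            ClientIP = $d.ClientIP; Object = $d.ObjectId
        }
    }
}

# A record stamped exactly at a split point can appear in both halves,
# so de-duplicate on the record Id before exporting.
Get-AuditRecords -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Sort-Object Id -Unique | Export-Csv .\AuditLog.csv -NoTypeInformation
```

Fields such as ClientIP and ObjectId are not present on every record type, so those columns are empty for some rows.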

By considering these challenges, we have created the 15 most required scripts for Office 365 admins to monitor their organization. Let’s see them in detail. 

 

Monitor User Activities: 

 

Audit Mailbox and Email Activities: 

 

Track SharePoint File Sharing & Access: 

 

How to Schedule Audit Reports to Keep Older Data:  

With basic Office 365 licensing, you can only retrieve audit logs for the last 90 days. To get audit data for more than 90 days, you will require an advanced auditing license such as E5, A5, G5, etc. A few months back, admins could retrieve audit data for one year for all the license types. We are not sure whether it’s a Microsoft feature or a bug. Still, it works in a few tenants (luckily, mine is one of them!). You can check for your tenant too.

If it doesn’t work in your tenant, you can schedule the PowerShell scripts to run periodically to keep older data. All our scripts are scheduler-friendly, which helps to store the audit data for more than 90 days.

  

I hope this blog is useful to audit your Office 365 organization. If you have any requirements, you can share them in the comment section. Happy auditing!