Search-UnifiedAuditLog for site admin actions

  • Question

  • I cannot find a recordtype in the Search-UnifiedAuditLog cmdlet that will extract data from the "User Administration Activities" section of the audit log search in the portal. I would really like to have this as an option in a PowerShell script, along with a handful of other logs. 

    Am I missing something, or is this information not available to be extracted through PowerShell? 

    I'm using this page as reference: https://technet.microsoft.com/en-us/library/mt238501%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396

    Monday, September 18, 2017 11:45 PM

All replies

  • Well, I think I answered my question... Sort of. 

    Looks like these logs are pulled from Azure, not from O365/EXO, like the UnifiedAuditLogs are. 

    So, to get logs for administrative actions such as creating and removing users, you want to install AzureRM, login-AzureRMAccount, then run Get-AzureRMLog. 

    However, when I run Get-AzureRMLog, I get 0 results but no error. I've confirmed I'm connected to my AzureAD subscription, logged in using my admin account, and run using various parameters. However, I never get any results. 

    Conversely, when I log into portal.azure.com using those same credentials, then choose Azure Active Directory -> Audit Logs, I can see all the logs I need. 

    Any idea why this is happening to me? 

    Wednesday, September 20, 2017 10:18 PM