Pulling Office365 Audit Logs when WebUI doesn’t work

Last Updated: September 8th, 2019/Published On: August 29th, 2019/By /Views: 3242/

Microsoft Office365 audit logs can provide a great deal of useful information when looking for answers about your organization’s use of Office365.

Learn more about Office365 audit logs

Microsoft cloud services include several auditing and reporting features you can use to track user and administrative activity within their tenant, Examples include changes made to Exchange Online and SharePoint Online tenant configuration settings, and changes made by users to documents and other items. You can use audit information and reports available in Microsoft cloud services to more effectively manage user experience, mitigate risks, and fulfill compliance obligations.

You must have an E5 license to use the WebUI. If you do not, first enable audit logging, wait a few days for collection and then try the following:

Connect to Office365 via PowerShell one of two ways: 

  1. Option 1
    1. Import-Module MSOnline
    2. $LiveCred = Get-Credential
    3. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
      Import-PSSession $Session
    4. Connect-MsolService –Credential $LiveCred
  2. Option 2 – if you don’t have the module installed in PS or get errors
    1. Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted ​
    2. $UserCredential = Get-Credential​​
    3. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection​​
    4. Import-PSSession $Session​​

Run the following command changing username and dates:

(Open-ended search): Search-MailboxAuditLog <username> -LogonTypes Admin,Delegate -ShowDetails
(Detailed search): Search-MailboxAuditLog -Identity <username> -LogonTypes Owner -ShowDetails -StartDate 1/1/2016 -EndDate 3/1/2016 | Where-Object {$_.Operation -eq “Update”}


Categories: Blog, Product SpecificTags:

Table of Contents