o365

Get O365 AuditLog and sign-ins:

# install modules 
Install-Module -Name ExchangeOnlineManagement
Install-Module -Name MSOnline
Install-Module -Name AzureAD


# Import required modules
Import-Module MSOnline
Import-Module AzureAD
Import-Module ExchangeOnlineManagement

# Connect to services
Connect-MsolService
Connect-AzureAD
Connect-ExchangeOnline

# Define the date from which you want to start the search
$startDate = Get-Date -Date "yyyy-MM-dd" # Replace yyyy-MM-dd with your start date

# Search the audit log
$auditLogEntries = Search-UnifiedAuditLog -StartDate $startDate -EndDate (Get-Date)

# Sign-Ins 
Get-AzureADAuditSignInLogs | Export-Csv AzureSignIns.csv

# Export the results
$auditLogEntries | Export-csv AuditLog.csv

export Exchange mailbox:

Exchange Online/ O365:

https://www.codetwo.com/admins-blog/export-microsoft-365-mailboxes-to-pst-powershell/

Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName USERNAME
Connect-IPPSSession -UserPrincipalName USERNAME
New-ComplianceSearch "your_descriptive_name" -ExchangeLocation all | Start-ComplianceSearch
New-ComplianceSearchAction "your_descriptive_name" -Export -Format Fxstream
Get-ComplianceSearchAction "your_descriptive_name_export" -IncludeCredential | FL

Powershell Audit Log extraction - o365:

#Modify the values for the following variables to configure the audit log search.
$logFile = "C:\temp\AuditLogSearchLog.txt"
$outputFile = "C:\temp\AuditLogRecords.csv"
[DateTime]$start = [DateTime]::UtcNow.AddDays(-52)
[DateTime]$end = [DateTime]::UtcNow
$record = $null
$resultSize = 5000
$intervalMinutes = 60

#Start script
[DateTime]$currentStart = $start
[DateTime]$currentEnd = $end

Function Write-LogFile ([String]$Message)
{
    $final = [DateTime]::Now.ToUniversalTime().ToString("s") + ":" + $Message
    $final | Out-File $logFile -Append
}

Write-LogFile "BEGIN: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize."
Write-Host "Retrieving audit records for the date range between $($start) and $($end), RecordType=$record, ResultsSize=$resultSize"

$totalCount = 0
while ($true)
{
    $currentEnd = $currentStart.AddMinutes($intervalMinutes)
    if ($currentEnd -gt $end)
    {
        $currentEnd = $end
    }

    if ($currentStart -eq $currentEnd)
    {
        break
    }

    $sessionID = [Guid]::NewGuid().ToString() + "_" +  "ExtractLogs" + (Get-Date).ToString("yyyyMMddHHmmssfff")
    Write-LogFile "INFO: Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
    Write-Host "Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
    $currentCount = 0

    $sw = [Diagnostics.StopWatch]::StartNew()
    do
    {
        $results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $record -SessionId $sessionID -SessionCommand ReturnLargeSet -ResultSize $resultSize

        if (($results | Measure-Object).Count -ne 0)
        {
            $results | export-csv -Path $outputFile -Append -NoTypeInformation

            $currentTotal = $results[0].ResultCount
            $totalCount += $results.Count
            $currentCount += $results.Count
            Write-LogFile "INFO: Retrieved $($currentCount) audit records out of the total $($currentTotal)"

            if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
            {
                $message = "INFO: Successfully retrieved $($currentTotal) audit records for the current time range. Moving on!"
                Write-LogFile $message
                Write-Host "Successfully retrieved $($currentTotal) audit records for the current time range. Moving on to the next interval." -foregroundColor Yellow
                ""
                break
            }
        }
    }
    while (($results | Measure-Object).Count -ne 0)

    $currentStart = $currentEnd
}

Write-LogFile "END: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize, total count: $totalCount."
Write-Host "Script complete! Finished retrieving audit records for the date range between $($start) and $($end). Total count: $totalCount" -foregroundColor Green

on prem:

New-MailboxExportRequest -Mailbox “Test Mailbox” -FilePath “\SERVER01\PST\Testmailbox.pst”

o365 Log location: 

Search-MailboxAuditLog
Search-MailboxAuditLog -Identity <user> -LogonTypes Admin,Delegate -StartDate 1/1/2018 -EndDate 12/31/2018

Search-UnifiedAuditLog  -StartDate <date> -EndDate <date> -FreeText (Get-Mailbox <mailbox identity>).ExchangeGuid

  1. Log in to your Microsoft 365 account

  2. In the left-hand pane of the Security & Compliance Center, click on “Audit Log Search”

  3. Choose the activities and dates you want to view, as well as any specific users, files, folders, or sites you want to filter

  4. Click “Search”

  5. Click on a specific event to open the “Details” page

  6. Filter or export the results

Activities: Under Exchange mailbox activities, select one or both of the following activities:

  • New-InboxRule Create new inbox rule from Outlook Web App. This activity returns audit records when inbox rules are created using Outlook web app or Exchange Online PowerShell.

  • Updated inbox rules from Outlook client. This activity returns audit records when inbox rules are created, modified, or removed using the Outlook desktop clien

PreviousScheduled TasksNextMailbox Rules

Last updated