Share via

Admin Audit logs.

Microsoft Q & A 386 Reputation points
2022-08-23T13:28:35.96+00:00

We want to know who has created a contact in office 365. Can we get the result with the help of PowerShell command as we have lots of admin audit log entries in our tenant.

Exchange Online
Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Said A 961 Reputation points
    2022-08-23T23:15:10.467+00:00

    You will need to search the Audit Log for any the following operation: New-MailContact

    Connect to Compliance and Security powershell module: https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps

    Verify if the audit log is enabled for your tenant: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

    Make sure you have the required permissions: You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.

    Use the following command: https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps
    Example: Search-UnifiedAuditLog -Operations New-MailContact

    NOTE: audit log are subject to retention policies defined by default by Microsoft, 1 year for E5 users and 90 days for non-E5 users.
    Details: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  2. Vasil Michev 126.8K Reputation points MVP Volunteer Moderator
    2022-08-23T14:45:34.637+00:00

    Are we talking about a contact within a mailbox, or a contact created in the GAL? For the former, you need to check the mailbox audit log as detailed here: https://learn.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide
    Keep in mind that owner actions are NOT audited by default, so if this is a user mailbox and the owner created the contact, you'll find no record on it.

    If it is a GAL contact, run a search against the Admin audit log/Unified audit log: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

    Was this answer helpful?

    1 person found this answer helpful.
  3. Sameh Sobhy Abdelrady 6 Reputation points
    2022-08-30T10:37:50.683+00:00

    I CAN NOT ASK QUESTION

    Was this answer helpful?

    0 comments
  4. Sameh Sobhy Abdelrady 6 Reputation points
    2022-08-30T10:36:04.743+00:00

    Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.