Audit logs

Glenn Maxwell 11,476 Reputation points
2021-04-10T18:16:40.777+00:00

Hi All

I have a few DLs created in Office 365, and I want to know who created those DLs. From the audit logs under compliance search (https://compliance.microsoft.com/auditlogsearch) I am unable to find out who created these DLs, or I am not searching in the correct way. From the Exchange admin center, when I run the admin audit log report I can see only 500 entries. Experts, guide me on this.


Accepted answer
  1. Joyce Shen - MSFT 16,666 Reputation points
    2021-04-12T07:10:42.88+00:00

    Hi @Glenn Maxwell

    Yes, I tested in my environment; the commands above work for finding who performed the add/remove DL member operation.

    Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation  
    Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation  
    

    Please note that the ObjectIds parameter filters the results by the object that was modified (the mailbox, public folder, Send connector, transport rule, accepted domain, etc. that the cmdlet operated on). A valid value depends on how the object is represented in the audit log. For example:

    • Name
    • Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)
    • Public folder identity (for example, \Engineering\Customer Discussion)

    If the group is an O365 group and was created within the last 90 days, we could use the commands below to check who created the group:

    $groupname = "group@contoso.com"      
    $Group = Get-UnifiedGroup $groupname       
    $date = Get-Date -Date ($Group.WhenCreatedUTC).DateTime      
    Search-UnifiedAuditLog -StartDate $date.AddSeconds(-5) -EndDate $date.AddSeconds(5) -Operations 'Add Group' | Select-Object -Property UserIds  
    


    For the operation add/remove members in an O365 group, try using this:

    Search-AdminAuditLog -Cmdlets Set-UnifiedGroup -ObjectIds xx  
    


3 additional answers

  1. Saad Khan 11 Reputation points
    2021-04-11T21:15:24.493+00:00

    You can only find who created DLs within 90 days, as this is the default period for which these logs are kept.
    Search-AdminAuditLog -Cmdlets New-DistributionGroup | Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation
    The above will write the report to the temp folder, where you can find and check the details.
    PS - connect to EXO in PowerShell ISE before running the above command.
    https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps


  2. AlexC 246 Reputation points
    2021-04-11T21:21:34.737+00:00

    Hi GlennMaxwell,
    in addition to SaadKhan's answer, maybe you want to try Search-UnifiedAuditLog too:
    https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps

    Alex


  3. Glenn Maxwell 11,476 Reputation points
    2021-04-12T01:44:44.887+00:00

    Will the below syntaxes work for add/remove distribution group member?

    Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds dl1@Company portal .com | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation
    Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds dl2@Company portal .com | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation

    For unified groups, do I need to use the below syntax?
    Search-UnifiedAuditLog | Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation

    For add/remove members to a unified group, what will be the syntax?

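The `Search-AdminAuditLog` exports in the answers above produce one row per audit entry. As an added example (not code from any poster in this thread or from Microsoft), the function below reduces such records to who created each group and who added or removed which member. It reads the `CmdletName`, `ObjectModified`, `Caller`, `RunDate`, `Succeeded` and `CmdletParameters` properties that `Search-AdminAuditLog` returns; the names `Get-DLAuditSummary` and `New-SampleRecord`, the sample records and the output path `C:\temp\DLAudit.csv` are assumptions made for illustration.

```powershell
# Added example. Get-DLAuditSummary is a hypothetical helper name, not an Exchange cmdlet.
function Get-DLAuditSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    begin {
        $actions = @{
            'New-DistributionGroup'          = 'Created'
            'Add-DistributionGroupMember'    = 'MemberAdded'
            'Remove-DistributionGroupMember' = 'MemberRemoved'
        }
    }
    process {
        # Ignore cmdlets that are not tracked here and runs that failed (nothing changed).
        if (-not $actions.ContainsKey([string]$Record.CmdletName)) { return }
        if ("$($Record.Succeeded)" -ne 'True') { return }
        # CmdletParameters is a list of Name/Value pairs; -Member names the affected recipient.
        $member = ($Record.CmdletParameters |
            Where-Object { $_.Name -eq 'Member' } |
            Select-Object -First 1).Value
        [pscustomobject]@{
            Group  = $Record.ObjectModified
            Action = $actions[$Record.CmdletName]
            Actor  = $Record.Caller
            Member = $member
            When   = $Record.RunDate
        }
    }
}

# Constructed sample records (not real tenant data) so the function runs offline.
function New-SampleRecord($Cmdlet, $Group, $Caller, $Date, $Ok, $Member) {
    $params = @(if ($Member) { [pscustomobject]@{ Name = 'Member'; Value = $Member } })
    [pscustomobject]@{ CmdletName = $Cmdlet; ObjectModified = $Group; Caller = $Caller
        RunDate = [datetime]$Date; Succeeded = $Ok; CmdletParameters = $params }
}
$sample = @(
    New-SampleRecord 'New-DistributionGroup' 'Sales DL' 'admin1@contoso.com' '2021-04-01 09:00' $true
    New-SampleRecord 'Add-DistributionGroupMember' 'Sales DL' 'admin2@contoso.com' '2021-04-02 10:30' $true 'user1@contoso.com'
    New-SampleRecord 'Remove-DistributionGroupMember' 'Sales DL' 'admin2@contoso.com' '2021-04-03 11:00' $false 'user1@contoso.com'
)
$sample | Get-DLAuditSummary | Sort-Object When | Format-Table -AutoSize

# Live use, after connecting to Exchange Online PowerShell:
# Search-AdminAuditLog -Cmdlets New-DistributionGroup,Add-DistributionGroupMember,Remove-DistributionGroupMember |
#     Get-DLAuditSummary | Export-Csv -Path C:\temp\DLAudit.csv -NoTypeInformation
```

With the sample data, the failed `Remove-DistributionGroupMember` run is dropped, so the summary lists only the creation and the successful member addition.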
