Audit logs

Glenn Maxwell 13,221 Reputation points
2021-04-10T18:16:40.777+00:00

Hi All

I have a few DLs created in Office 365, and I want to know who created those DLs. From the audit logs under compliance search (https://compliance.microsoft.com/auditlogsearch) I am unable to find out who created these DLs, or I am not searching in the correct way. From the Exchange admin center, when I run the admin audit log report, I can see only 500 entries. Experts, guide me on this.

Exchange Online
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.
Exchange | Exchange Server | Management
The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.

Answer accepted by question author
  1. Joyce Shen - MSFT 16,706 Reputation points
    2021-04-12T07:10:42.88+00:00

    Hi @Glenn Maxwell

    Yes, I tested in my environment; the commands above work for finding who performed the add/remove DL member operation.

    Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation  
    Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation  
    

    Please note that the ObjectIds parameter filters the results by the object that was modified (the mailbox, public folder, Send connector, transport rule, accepted domain, etc. that the cmdlet operated on). A valid value depends on how the object is represented in the audit log. For example:

    • Name
    • Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)
    • Public folder identity (for example, \Engineering\Customer Discussion)

    If the group is an O365 group and was created within the last 90 days, we could use the commands below to check who created the group:

    $groupname = "******@contoso.com"      
    $Group = Get-UnifiedGroup $groupname       
    $date = Get-Date -Date ($Group.WhenCreatedUTC).DateTime      
    Search-UnifiedAuditLog -StartDate $date.AddSeconds(-5) -EndDate $date.AddSeconds(5) -Operations 'Add Group' | Select-Object -Property UserIds  
    


    For the add/remove members operation in an O365 group, try using this:

    Search-AdminAuditLog -Cmdlets Set-UnifiedGroup -ObjectIds xx  
    


3 additional answers

  1. Glenn Maxwell 13,221 Reputation points
    2021-04-12T01:44:44.887+00:00

    Will the below syntaxes work for add/remove distribution group member?

    Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds dl1@Company portal .com | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation
    Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds dl2@Company portal .com | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation

    For unified groups, do I need to use the below syntax?
    Search-UnifiedAuditLog | Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation

    For add/remove members to a unified group, what will be the syntax?


  2. AlexC 246 Reputation points
    2021-04-11T21:21:34.737+00:00

    Hi Glenn Maxwell,
    In addition to Saad Khan's answer, maybe you want to try Search-UnifiedAuditLog too:
    https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps

    Alex


  3. Saad Khan 11 Reputation points
    2021-04-11T21:15:24.493+00:00

    You can only find who created DLs within 90 days, as this is the default period for which these logs are kept.
    Search-AdminAuditLog -Cmdlets New-DistributionGroup | Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation
    The above will return the report in the temp folder; you can find and check the details.
    PS - connect to EXO in PowerShell ISE before running the above command.
    https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

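The exports in the answers above pipe Search-AdminAuditLog straight into Export-Csv, which writes the CmdletParameters collection as a type name rather than its values. The following is an added example, not code from any poster in this thread, that flattens each entry into a readable row showing who ran the cmdlet and on which group. The function name ConvertTo-GroupCreationReport and the sample entries are hypothetical and constructed for illustration.

```powershell
# Added example (not from the thread): one flat CSV row per audit entry.
function ConvertTo-GroupCreationReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry
    )
    process {
        # CmdletParameters is a collection of Name/Value pairs. Export-Csv would
        # write only its type name, so join the pairs into one readable string.
        $pairs = @($Entry.CmdletParameters) |
            Where-Object { $null -ne $_ } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }

        [pscustomobject]@{
            RunDate    = $Entry.RunDate
            Caller     = $Entry.Caller          # account that ran the cmdlet
            Group      = $Entry.ObjectModified  # object the cmdlet acted on
            Succeeded  = $Entry.Succeeded
            Parameters = $pairs -join '; '
        }
    }
}

# Constructed sample entries (hypothetical names) so the function runs offline.
$sample = @(
    [pscustomobject]@{
        RunDate = [datetime]'2021-04-01T09:15:00'; Caller = 'admin1@contoso.com'
        ObjectModified = 'DL-Sales'; Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Name'; Value = 'DL-Sales' }
            [pscustomobject]@{ Name = 'PrimarySmtpAddress'; Value = 'dl-sales@contoso.com' }
        )
    }
    [pscustomobject]@{
        RunDate = [datetime]'2021-04-03T14:02:00'; Caller = 'helpdesk2@contoso.com'
        ObjectModified = 'DL-Finance'; Succeeded = $false
        CmdletParameters = @([pscustomobject]@{ Name = 'Name'; Value = 'DL-Finance' })
    }
)

# Failed attempts did not create a group, so keep only successful entries.
$sample | ConvertTo-GroupCreationReport | Where-Object Succeeded | Format-Table -AutoSize

# Live use after connecting to Exchange Online:
# Search-AdminAuditLog -Cmdlets New-DistributionGroup -ResultSize 5000 |
#     ConvertTo-GroupCreationReport |
#     Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation
```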
