Audit Logs

Roger Roger 5,046 Reputation points
2022-08-15T19:43:11.533+00:00

Hi All

one of my unified group ug@Company portal .com is deleted, i want to know from the audit logs who has deleted the group..

i have tried the below syntax but i could not get the information.

Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operations "Delete Group" | export-csv c:\temp\logs.csv -NotTypeinformation  
  
or  
  
Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-90) -Operations "GroupRemoved" | export-csv c:\temp\logs.csv -NotTypeinformation  

how can i export the logs of last 30 days only.

SharePoint
SharePoint
A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.
10,048 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,315 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,435 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 98,206 Reputation points MVP
    2022-08-15T20:11:04.533+00:00

    The operation to search for should be "Delete group.", note the dot is mandatory as detailed in the official documentation: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#azure-ad-group-administration-activities
    As for limiting the range to 30 days, simply adjust your start date value:

    Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-30) -Operations "Delete Group." | export-csv c:\temp\logs.csv -NotTypeinformation  
    

    Alternatively, you can narrow the search down by the Group's objectID (-ObjectIds parameter). Or if you don't have the objectId, a free-text search based on the group's name:

    Search-UnifiedAuditLog -EndDate (Get-Date) -StartDate (Get-Date).AddDays(-30) -FreeText groupname  
    
    0 comments No comments

0 additional answers

Sort by: Most helpful