This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We want to know who has created a contact in office 365. Can we get the result with the help of PowerShell command as we have lots of admin audit log entries in our tenant.
Hi @Microsoft Q & A
As @Vasil Michev and @Said A said, you could use the cmdlet
Search-UnifiedAuditLog -StartDate -EndDate -Operations New-MailContact
Refer to these documents:
https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#step-1-run-an-audit-log-search
https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps
You could mark the useful reply as answer.
Are we talking about a contact within a mailbox, or a contact created in the GAL? For the former, you need to check the mailbox audit log as detailed here: https://learn.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide
Keep in mind that owner actions are NOT audited by default, so if this is a user mailbox and the owner created the contact, you'll find no record on it.
If it is a GAL contact, run a search against the Admin audit log/Unified audit log: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
Hello
In our case it is mail contact with external email address. We want to know who has created this mail contact in office 365. It is not synced with AD and created in cloud.
Do we have any powershell command to search the admin audit logs for that specific mail contact to know who has created it at the very first place.
Search the Unified audit log for the New-MailContact operation, you will find detailed instructions in the article I linked to above.
You will need to search the Audit Log for any the following operation: New-MailContact
Connect to Compliance and Security powershell module: https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps
Verify if the audit log is enabled for your tenant: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
Make sure you have the required permissions: You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.
Use the following command: https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps
Example: Search-UnifiedAuditLog -Operations New-MailContact
NOTE: audit log are subject to retention policies defined by default by Microsoft, 1 year for E5 users and 90 days for non-E5 users.
Details: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Hello, is there any progress on your issue?