Admin Audit logs.

Microsoft Q & A 381 Reputation points
2022-08-23T13:28:35.96+00:00

We want to know who has created a contact in office 365. Can we get the result with the help of PowerShell command as we have lots of admin audit log entries in our tenant.

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,241 questions
{count} vote

4 answers

Sort by: Most helpful
  1. Vasil Michev 96,836 Reputation points MVP
    2022-08-23T14:45:34.637+00:00

    Are we talking about a contact within a mailbox, or a contact created in the GAL? For the former, you need to check the mailbox audit log as detailed here: https://learn.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide
    Keep in mind that owner actions are NOT audited by default, so if this is a user mailbox and the owner created the contact, you'll find no record on it.

    If it is a GAL contact, run a search against the Admin audit log/Unified audit log: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

    1 person found this answer helpful.

  2. Said A 791 Reputation points
    2022-08-23T23:15:10.467+00:00

    You will need to search the Audit Log for any the following operation: New-MailContact

    Connect to Compliance and Security powershell module: https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps

    Verify if the audit log is enabled for your tenant: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

    Make sure you have the required permissions: You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.

    Use the following command: https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps
    Example: Search-UnifiedAuditLog -Operations New-MailContact

    NOTE: audit log are subject to retention policies defined by default by Microsoft, 1 year for E5 users and 90 days for non-E5 users.
    Details: https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

    1 person found this answer helpful.
    0 comments No comments

  3. Sameh Sobhy Abdelrady 6 Reputation points
    2022-08-30T10:36:04.743+00:00

    Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

    0 comments No comments

  4. Sameh Sobhy Abdelrady 6 Reputation points
    2022-08-30T10:37:50.683+00:00

    I CAN NOT ASK QUESTION

    0 comments No comments