Prerequisites for using Exchange Online PowerShell
In order to conduct audit logging for Mesh operations, the following prerequisites are required:
Gather audit logs for Mesh
Connect to Exchange Online PowerShell
In PowerShell, load the Exchange Online PowerShell module:
Import-Module ExchangeOnlineManagement
Connect and authenticate:
Connect-ExchangeOnline -UserPrincipalName [USER]@[AADDOMAIN].com
For more information, see how to connect to Exchange Online PowerShell.
Verify that audit logging is on
Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. For instructions, see how to turn auditing on or off.
Search for Unified AuditLog events
Once you've verified that audit logging is turned on and that you have the proper permissions to run cmdlets, you can search for log records using the Search-UnifiedAuditLog cmdlet with various filters.
The audit record contents contain the following fields:
- RecordType - workload type, e.g. SharePoint or MeshWorlds
- CreationDate
- UserIds - users performing an operation.
- Operations - typically Operation Name or Operation Names.
- AuditData - JSON-encoded detailed event data. Contents differ depending on workload type.
- ResultIndex - index of a row in a result returned by PowerShell script (1-N...).
- ResultCount - total count of rows returned by PowerShell script.
- Identity - Azure ID/Microsoft Entra GUID of the user.
Search-UnifiedAuditLog example 1
A basic query for audit logs with -StartDate and -EndDate.
Search-UnifiedAuditLog -StartDate 2024-04-01 -EndDate 2024-05-01 | Export-Csv -Path .\export-all.csv -NoTypeInformation
The exported records can be hard to read in their raw form, but they become understandable once formatted.
Example response:
"AzureActiveDirectory","4/9/2024 6:49:03 PM","[XXXXXXX]@[XXXXX].com","Update group.","{""CreationTime"":""2024-04-09T18:49:03"",""Id"":""871d4a2e-8e38-488e-a83e-b7a7c6c65228"",""Operation"":""Update group."",""OrganizationId"":""05e05ab5-f8a3-409d-bfa5-01edb8cecf82"",""RecordType"":8,""ResultStatus"":""Success"",""UserKey"":""10032002CCA9134A@meshrp.onmicrosoft.com"",""UserType"":0,""Version"":1,""Workload"":""AzureActiveDirectory"",""ClientIP"":""20.171.55.147"",""ObjectId"":""Group_1ae6e759-85e0-4f8f-b6b5-691b72ca1ba7"",""UserId"":""[XXXXXXX]@[XXXXX].com"",""AzureActiveDirectoryEventType"":1,""ExtendedProperties"":[{""Name"":""additionalDetails"",""Value"":""{\""GroupType\"":\""Unified\"",\""User-Agent\"":\""kiota-dotnet\/1.3.4\""}""},{""Name"":""extendedAuditEventCategory"",""Value"":""Group""}],""ModifiedProperties"":[{""Name"":""Description"",""NewValue"":""[\r\n \""New collection of stuff for M365 Audit feature testing\""\r\n]"",""OldValue"":""[\r\n \""New collection of stuff\""\r\n]""},{""Name"":""MailNickname"",""NewValue"":""[\r\n \""MyCollectionofStuff2272\""\r\n]"",""OldValue"":""[\r\n \""MyCollectionofStuff2\""\r\n]""},{""Name"":""Included Updated Properties"",""NewValue"":""Description, MailNickname"",""OldValue"":""""},{""Name"":""TargetId.GroupType"",""NewValue"":""Unified"",""OldValue"":""""}],""Actor"":[{""ID"":""[XXXXXXX]@[XXXXX].com"",""Type"":5},{""ID"":""10032002CCA9134A"",""Type"":3},{""ID"":""Microsoft Mesh 
Services"",""Type"":1},{""ID"":""3016d0ce-47cc-4005-b11d-5fcabb1b643d"",""Type"":2},{""ID"":""User_c7e95ea2-64f6-4743-b8e6-52ce520cba81"",""Type"":2},{""ID"":""c7e95ea2-64f6-4743-b8e6-52ce520cba81"",""Type"":2},{""ID"":""User"",""Type"":2}],""ActorContextId"":""05e05ab5-f8a3-409d-bfa5-01edb8cecf82"",""ActorIpAddress"":""20.171.55.147"",""InterSystemsId"":""2cd62b4e-4744-4c55-8a88-e64771393266"",""IntraSystemId"":""0b9fe72c-eca5-4ad5-a9c5-5986e8bc963d"",""SupportTicketId"":"""",""Target"":[{""ID"":""Group_1ae6e759-85e0-4f8f-b6b5-691b72ca1ba7"",""Type"":2},{""ID"":""1ae6e759-85e0-4f8f-b6b5-691b72ca1ba7"",""Type"":2},{""ID"":""Group"",""Type"":2},{""ID"":""My Collection of Stuff 2"",""Type"":1}],""TargetContextId"":""05e05ab5-f8a3-409d-bfa5-01edb8cecf82""}","4","2148","871d4a2e-8e38-488e-a83e-b7a7c6c65228","True","Unchanged"
Search-UnifiedAuditLog example 2
A basic query for all audit logs with -Operations that include the World string.
Search-UnifiedAuditLog -StartDate 2024-04-01 -EndDate 2024-05-01 -Operations World* | Export-Csv -Path .\export-all-world.csv -NoTypeInformation
Search-UnifiedAuditLog example 3
A basic query for all audit logs with -UserIds that include the [email@company.com] string.
Search-UnifiedAuditLog -StartDate 2024-04-01 -EndDate 2024-04-10 -UserIds [email@company.com] | Export-Csv -Path .\export-all-Max.csv -NoTypeInformation
The audit log record contents are returned in JSON format. Analyzing AuditData may require familiarity with parsing text as JSON or XML.
The set of records can be imported to Excel for analysis. For more info, see how to import data from sources into Excel.
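As an alternative to reading AuditData by eye, the following added example (not part of the original page) parses each record's AuditData JSON into one flat row per modified property, including the NewValue/OldValue strings that are themselves JSON arrays as in the example response above. The function name Expand-AuditRecord and the sample records are assumptions constructed for illustration; the field names are the ones visible in the example response.

```powershell
# Added example, not from the original page. $records is CONSTRUCTED sample data shaped
# like Search-UnifiedAuditLog output; in a live session you would instead run, e.g.:
#   $records = Search-UnifiedAuditLog -StartDate 2024-04-01 -EndDate 2024-05-01
$records = @(
    [pscustomobject]@{ UserIds = 'user@example.com'; Operations = 'Update group.'; AuditData = @'
{"CreationTime":"2024-04-09T18:49:03","Operation":"Update group.","ResultStatus":"Success",
 "Workload":"AzureActiveDirectory","ClientIP":"192.0.2.10","UserId":"user@example.com",
 "ObjectId":"Group_00000000-0000-0000-0000-000000000000","ModifiedProperties":[
  {"Name":"Description","NewValue":"[\r\n \"New text\"\r\n]","OldValue":"[\r\n \"Old text\"\r\n]"},
  {"Name":"TargetId.GroupType","NewValue":"Unified","OldValue":""}]}
'@ },
    # Constructed record with no ModifiedProperties at all.
    [pscustomobject]@{ UserIds = 'user@example.com'; Operations = 'ConstructedOperation'
        AuditData = '{"CreationTime":"2024-04-09T19:02:11","Operation":"ConstructedOperation","ResultStatus":"Success","Workload":"ConstructedWorkload","UserId":"user@example.com"}' },
    # Constructed record whose AuditData is truncated, to exercise the error path.
    [pscustomobject]@{ UserIds = 'user@example.com'; Operations = 'Truncated'; AuditData = '{"CreationTime":' }
)

function Expand-AuditRecord {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string; skip (with a warning) anything that does not parse.
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Unparseable AuditData ($($Record.Operations), $($Record.UserIds))"; return }

        # Property values are often JSON arrays serialized into a string; decode those.
        $unwrap = {
            param($v)
            if ($v -is [string] -and $v.TrimStart().StartsWith('[')) {
                try { return (@($v | ConvertFrom-Json -ErrorAction Stop) -join '; ') } catch { }
            }
            $v
        }
        # One row per modified property; records without any still produce one row.
        $changes = @($data.ModifiedProperties)
        if ($changes.Count -eq 0) { $changes = @($null) }
        foreach ($c in $changes) {
            [pscustomobject]@{
                Time      = $data.CreationTime; User     = $data.UserId
                Operation = $data.Operation;    Workload = $data.Workload
                Result    = $data.ResultStatus; ClientIP = $data.ClientIP
                ObjectId  = $data.ObjectId;     Property = $c.Name
                OldValue  = & $unwrap $c.OldValue
                NewValue  = & $unwrap $c.NewValue
            }
        }
    }
}
$records | Expand-AuditRecord | Format-Table -AutoSize
```

Piping the function's output to Export-Csv instead of Format-Table gives a flat file with one column per field, which is easier to filter in Excel than the raw AuditData column.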