Skip to content

tenant auditlog report

Gets audit logs from the Office 365 Management API

Usage

m365 tenant auditlog report [options]

Options

-c, --contentType <contentType>
Audit content type of logs to be retrieved, should be one of the following: AzureActiveDirectory, Exchange, SharePoint, General, DLP.
-s, --startTime [startTime]
Start time of logs to be retrieved. Start time and end time must be less than or equal to 24 hours apart. Start time is mandatory if End time is specified.
-e, --endTime [endTime]
End time of logs to be retrieved. Start time and end time must be less than or equal to 24 hours apart. If End time is not specified, command will assume the End time to be 24 hours from the specified Start time.
-h, --help
output usage information
--query [query]
JMESPath query string. See http://jmespath.org/ for more information and examples
-o, --output [output]
Output type. json,text. Default text
--verbose
Runs command with verbose logging
--debug
Runs command with debug logging

Remarks

By default, if startTime and endTime are not mentioned, then the content available in the last 24 hours is returned. startTime and endTime must be less than or equal to 24 hours apart, with the startTime prior to endTime and startTime no more than 7 days in the past.

If endTime is not specified, command will assume the endTime to be 24 hours from the specified startTime. startTime is mandatory if endTime is specified.

DLP audit log data is only available to users that have been granted “Read DLP sensitive data” permission. Otherwise you will get Error: Request failed with status code 401

Examples

Gets audit logs from the Office 365 Management API for the Exchange content type.

m365 tenant auditlog report --contentType "Exchange"

Gets audit logs from the Office 365 Management API for the Exchange content type in the date range between 2020-12-13 and 2020-12-14

m365 tenant auditlog report --contentType "Exchange" --startTime "2020-12-13" --endTime "2020-12-14"

Gets audit logs from the Office 365 Management API for the Exchange content type between 15:00 hours and 16:00 hours on 2020-12-13

m365 tenant auditlog report --contentType "Exchange" --startTime "2020-12-13T15:00:00" --endTime "2020-12-13T16:00:00"

Gets audit logs from the Office 365 Management API for the Exchange content type between 23:00 hours on 2020-12-13 and 05:00 hours on 2020-12-14

m365 tenant auditlog report --contentType "Exchange" --startTime "2020-12-13T23:00:00" --endTime "2020-12-14T05:00:00"

More information