Get-PnPUnifiedAuditLog
SYNOPSIS
Required Permissions
- Microsoft Office 365 Management API: ActivityFeed.Read, Microsoft Office 365 Management API: ActivityFeed.ReadDlp, Microsoft Office 365 Management API: ActivityReports.Read, Microsoft Office 365 Management API: ServiceHealth.Read and Microsoft Office 365 Management API:ThreatIntelligence.Read
Gets unified audit logs from the Office 365 Management API. Requires the Azure Entra application permission 'ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ActivityReports.Read', 'ServiceHealth.Read' and 'ThreatIntelligence.Read'.
Before you can access audit log data, you must enable unified audit logging for your Microsoft 365 tenant. For instructions, check out the page Turn auditing on or off.
When running this command for the first time for a certain content type, a subscription for this content type is created. It can take up to 12 hours for the first content blobs to become available for that subscription.
Retrieving audit logs is an intensive process, especially for large or active tenants. In this case it may take some time to retrieve all audit logs.
SYNTAX
Get-PnPUnifiedAuditLog [-ContentType <AuditContentType>] [-StartTime <DateTime>] [-EndTime <DateTime>]
DESCRIPTION
Allows to retrieve unified audit logs from the Office 365 Management API.
Prerequisites
Your Entra app registration must have one or more of the following delegated or application permissions from the Office 365 Management API. To add this permission using Azure CLI:
# ActivityFeed.Read - Read activity data for your organization
az ad app permission add --id <your-app-id> --api c5393580-f805-4401-95e8-94b7a6ef2fc2 --api-permissions 594c1fb6-4f81-4475-ae41-0c394909246c=Scope
az ad app permission admin-consent --id <your-app-id>
The API ID c5393580-f805-4401-95e8-94b7a6ef2fc2 represents the Office 365 Management API. Depending on your content type requirements, you may need additional permissions:
- ActivityFeed.ReadDlp - For DLP content
- ServiceHealth.Read - For service health information
- ActivityReports.Read - For activity reports
- ThreatIntelligence.Read - For threat intelligence data
For application (app-only) permissions, replace =Scope with =Role in the command above.
EXAMPLES
EXAMPLE 1
Get-PnPUnifiedAuditLog -ContentType SharePoint -StartTime (Get-Date -asUtc).AddDays(-2) -EndTime (Get-Date -asUtc).AddDays(-1)
Retrieves the audit logs of SharePoint happening between the current time yesterday and the current time the day before yesterday
PARAMETERS
-ContentType
Content type of logs to be retrieved, should be one of the following: AzureActiveDirectory, Exchange, SharePoint, General, DLP.
Type: AuditContentType
Parameter Sets: (All)
Accepted values: AzureActiveDirectory, Exchange, SharePoint, General, DLP
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-EndTime
UTC end time of logs to be retrieved. Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart. If passed as a string this should be defined as a valid ISO 8601 string (2024-01-16T18:28:48.6964197Z). If you don't include a timestamp in the value, the default timestamp is 12:00 AM (midnight) on the specified date.
Type: DateTime
Parameter Sets: (All)
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-StartTime
UTC start time of logs to be retrieved. Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. If passed as a string this should be defined as a valid ISO 8601 string (2024-01-16T18:28:48.6964197Z). If you don't include a timestamp in the value, the default timestamp is 12:00 AM (midnight) on the specified date.
Type: DateTime
Parameter Sets: (All)
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False