Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions, including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he's passionate about sharing knowledge and insights to help others through real-world articles!

12 thoughts on “SharePoint Online: How to View Audit Log Reports in Security & Compliance Center?”

  • Can the audit report on Compliance admin center be automated? As in, it will automatically run on a monthly basis with the results emailed out?

  • Is there a way to pull a report or log that shows each user (or a selected set of users) and the site collections or documents they have the rights to access (whether or not they actually accessed the site collection or documents)?

  • Hi Salaudeen,
    Thanks for sharing the script to download SharePoint logs. The issue I have when using it is that the .csv file only has 100 lines and most of the logs are not exported. Do you know how I can resolve this?
    The second issue is that when I try to use the filter part I get the following error:

    s#Filter : The term ‘s#Filter’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At line:13 char:1
    + s#Filter Audit log to Find specific operations
    + ~~~~~~~~
    + CategoryInfo : ObjectNotFound: (s#Filter:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Export-Csv : A parameter cannot be found that matches parameter name ‘Force#Filter’.
    At line:18 char:167
    + … ientIP | Export-csv $CSVFile -NoTypeInformation -Force#Filter Audit l …
    + ~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Export-Csv], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.ExportCsvCommand

    I would appreciate it if you could help me with the resolution of both issues.

    Regards
    Mike

    • “S#” is a typo, and that’s fixed now! If you are not getting data, please check the filters like Start Date – End Date.

  • Can we use an Azure app to retrieve audit logs? My requirement is to use a certificate thumbprint to connect to Exchange Online and get the logs for a specific site. Once I connect with EXO and run the command Search-UnifiedAuditLog, I get the error that the cmdlet is not recognised. I have provided the ‘View-Only Audit Logs’ permissions through a custom role group to the app using the solution below from Stack Overflow:

    https://stackoverflow.com/questions/74038725/how-can-i-assign-an-exchange-online-role-group-to-a-registered-app

    • We have resolved this by using the service principal ID (i.e. the Enterprise app ID) instead of the regular app ID (under App Registration).

  • Hi there,
    Does anyone know the answers to these questions?

    (i) In the output reports there is a UserKey, e.g. “i:0h.f|membership|1003xxxxxxxxxxxx@live.com”. Does anyone know how to find the corresponding UserID on the Microsoft system, e.g. through the admin screens? Does anyone know what this UserKey is?

    (ii) For deleted items (SharePoint list columns, for example), how can you find out the display name for the item? The audit report shows the ObjectId (xxxxxxxx-exxx-xxx7-bxxx-ab3fxxxfaxxx). Thanks!

  • Hello – What are the minimum roles required to run Search-UnifiedAuditLog? Possibly Compliance Administrator or Security Administrator, or is Global Administrator required? Thank you

    • Apart from minimum roles like “View-Only Audit Logs”, “Global Reader”, etc., you can use the Graph API to get the logs.

  • How can I fetch a large audit log result set? It throws this error: Starting a command on the remote server failed with the following error message : The
    I/O operation has been aborted because of either a thread exit or an application
    request. For more information, see the about_Remote_Troubleshooting Help topic.
    The connection is then reestablished, but in the meantime it doesn’t return records for the given time interval. I am trying to fetch records at 30-minute intervals for a given start and end date. A retry mechanism is also applied, but I am still getting a random result count.

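Added example (not from the original post or its author), relevant to the comments above about exports stopping at 100 rows and large result sets: Search-UnifiedAuditLog returns 100 records by default, and `-SessionId` with `-SessionCommand ReturnLargeSet` pages through a larger set at up to 5,000 records per call. The date range, window size, operations list and `$CSVFile` path are assumptions, and an existing `Connect-ExchangeOnline` session is assumed.

```powershell
# Assumed inputs (illustrative values, adjust to your tenant)
$StartDate     = (Get-Date).AddDays(-7)
$EndDate       = Get-Date
$WindowMinutes = 30
$Operations    = "FileAccessed", "FileModified", "FileUploaded"
$CSVFile       = "C:\Temp\AuditLog.csv"   # hypothetical output path

$All = [System.Collections.Generic.List[object]]::new()
$WindowStart = $StartDate

while ($WindowStart -lt $EndDate) {
    $WindowEnd = $WindowStart.AddMinutes($WindowMinutes)
    if ($WindowEnd -gt $EndDate) { $WindowEnd = $EndDate }

    # One session per window; repeating the same call with the same
    # SessionId returns the next page until the set is exhausted.
    $SessionId = [Guid]::NewGuid().ToString()
    $Seen      = 0
    $Expected  = 0
    do {
        $Page = @(Search-UnifiedAuditLog -StartDate $WindowStart -EndDate $WindowEnd `
            -RecordType SharePointFileOperation -Operations $Operations `
            -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($Page.Count -gt 0) {
            $All.AddRange($Page)
            $Seen    += $Page.Count
            $Expected = $Page[0].ResultCount   # total the service reports for this session
        }
    } while ($Page.Count -gt 0 -and $Seen -lt $Expected)

    # Flag windows that came back short so they can be re-run instead of silently lost
    if ($Seen -lt $Expected) {
        Write-Warning "Window $WindowStart - $WindowEnd returned $Seen of $Expected records"
    }
    $WindowStart = $WindowEnd
}

# ReturnLargeSet output is unsorted; de-duplicate on Identity, then order by time
$All | Sort-Object Identity -Unique | Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv $CSVFile -NoTypeInformation -Force
```

Comparing the collected count with `ResultCount` per window is what makes incomplete pulls visible, which matters when the log is being used as evidence.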
  • I have to extract all events of a specific file. Please help.

    • Use the “ObjectIds” parameter with your file name. E.g.:
      $AuditLog = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(+1) -Operations FileModified, FileAccessed, FileUploaded -ObjectIds "<your file name>" -ResultSize 1000

