Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

10 thoughts on “SharePoint Online: How to View Audit Log Reports in Security & Compliance Center?

  • Hi Salaudeen,
    thanks for sharing the script to download SharePoint logs. The issue I have when using it is that the .csv file only have 100 lines and most of the logs are not exported. Do you know how can I resolve this?
    the second issue is when I try to use the filter part I have the following error:

    s#Filter : The term ‘s#Filter’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    At line:13 char:1
    + s#Filter Audit log to Find specific operations
    + ~~~~~~~~
    + CategoryInfo : ObjectNotFound: (s#Filter:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Export-Csv : A parameter cannot be found that matches parameter name ‘Force#Filter’.
    At line:18 char:167
    + … ientIP | Export-csv $CSVFile -NoTypeInformation -Force#Filter Audit l …
    + ~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Export-Csv], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.ExportCsvCommand

    I will appreciate if you can help me with resolution of both issues.


    • “S#” is a typo, that’s fixed now! If you are not getting data – Please check the filters like Start Date – End Date.

  • Can we use Azure app to retrieve audit logs? My requirement is to use certificate thumbprint to connect to exchange online and get the logs for specific site. Once I connect with EXO and run the command Search-UnifiedAuditLog, I get the error that cmdlet is not recognised. I have provided the ‘View-Only Audit Logs’ permissions through the custom role group to the app using the below solution on the stack overflow

    • We have resolved this by using the service principal id i.e. (Enterprise app id) instead of regular app id (under App Registration)

  • Hi there,
    Does anyone know the answers to these questions?:

    (i) In the output reports is UserKey – eg :”i:0h.f|membership|” – does anyone know how to find the corresponding UserID on the Microsoft system, eg thru admin screens? Does anyone know what this UserKey is?

    (ii) for deleted items – eg SharePoint list columns, for example – how can you find out the display name for the item? The audit report shows the ObjectId (xxxxxxxx-exxx-xxx7-bxxx-ab3fxxxfaxxx). Thanks!

  • Hello – What are the minimum roles required to run Search-UnifiedAuditLog? Possibly Compliance Administrator or Security Administrator, or is Global Administrator required? Thank you

    • Apart from minimum roles like “View-Only Audit Logs”, “Global Reader”, etc. You can use the Graph API to get the Logs.

  • How can I fetch large result set audit log, it throws error : Starting a command on the remote server failed with the following error message : The
    I/O operation has been aborted because of either a thread exit or an application
    request. For more information, see the about_Remote_Troubleshooting Help topic.
    And reestablish the connect but in mean while it doesn’t return record for given time interval, I am trying to fetch record of 30 minutes interval for given start and end date, also retry mechanism is applied still getting random result count

  • I have to extract all events of a specific file.. Please help.

    • Use “ObjectIds” parameter with your file name. E.g:
      $AuditLog = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(+1) -Operations FileModified, FileAccessed, FileUploaded -ObjectIds -ResultSize 1000


Leave a Reply

Your email address will not be published. Required fields are marked *