question

GlennMaxwell-2309 asked emilyhua-msft edited

Audit logs

Hi All

I have a few DLs created in Office 365, and I want to know who created those DLs. From the audit logs under compliance search (https://compliance.microsoft.com/auditlogsearch) I am unable to find out who created these DLs, or I am not searching in the correct way. From the Exchange admin center, when I run the admin audit log report, I can see only 500 entries. Experts, guide me on this.


joyceshen-MSFT answered

Hi @GlennMaxwell-2309

Yes, I tested in my environment; the commands above work for finding who performed the add/remove DL member operation:

 Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation
 Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds name | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation

Please note that the ObjectIds parameter filters the results by the object that was modified (the mailbox, public folder, Send connector, transport rule, accepted domain, etc. that the cmdlet operated on). A valid value depends on how the object is represented in the audit log. For example:

  • Name

  • Canonical distinguished name (for example, contoso.com/Users/Akia Al-Zuhairi)

  • Public folder identity (for example, \Engineering\Customer Discussion)

If the group is an O365 group and was created within the last 90 days, we could use the commands below to check who created the group:

 $groupname = "group@contoso.com"    
 $Group = Get-UnifiedGroup $groupname     
 $date = Get-Date -Date ($Group.WhenCreatedUTC).DateTime    
 Search-UnifiedAuditLog -StartDate $date.AddSeconds(-5) -EndDate $date.AddSeconds(5) -Operations 'Add Group' | Select-Object -Property UserIds


For the add/remove members operation in an O365 group, try using this:

 Search-AdminAuditLog -Cmdlets Set-UnifiedGroup -ObjectIds xx



SaadKhan-MSFT answered

You can only find who created DLs within 90 days, as this is the default period for which these logs are kept.

 Search-AdminAuditLog -Cmdlets New-DistributionGroup | Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation

The above will return the report in the temp folder; you can find and check the details.
PS - connect to EXO in PowerShell ISE before running the above command.
https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
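An added example, not part of any answer in this thread: it combines the `Search-AdminAuditLog` queries from the answers above into one report of who created DLs and who added or removed members, paging with `-StartIndex` so a single call's result limit does not cut the report short. It assumes an already connected Exchange Online PowerShell session; the 90-day window comes from the answer above, and the output file name `DLAudit.csv` is a made-up placeholder.

```powershell
# Added example: requires an existing Exchange Online PowerShell session.
$cmdlets  = 'New-DistributionGroup', 'Add-DistributionGroupMember', 'Remove-DistributionGroupMember'
$start    = (Get-Date).AddDays(-90)   # retention window mentioned in the thread
$end      = Get-Date
$pageSize = 1000
$index    = 0
$report   = New-Object System.Collections.Generic.List[object]

do {
    # Fetch one page; -StartIndex moves the window forward on each pass.
    $page = @(Search-AdminAuditLog -Cmdlets $cmdlets -StartDate $start -EndDate $end `
                -ResultSize $pageSize -StartIndex $index)

    foreach ($entry in $page) {
        # Flatten the Name/Value parameter pairs into one CSV-friendly column.
        $params = ($entry.CmdletParameters |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '

        $report.Add([pscustomobject]@{
            RunDate        = $entry.RunDate
            Caller         = $entry.Caller           # account that ran the cmdlet
            Cmdlet         = $entry.CmdletName
            ObjectModified = $entry.ObjectModified   # the distribution group acted on
            Succeeded      = $entry.Succeeded
            Parameters     = $params                 # e.g. Member=... for add/remove
        })
    }
    $index += $page.Count
} while ($page.Count -eq $pageSize)   # a short page means the log is exhausted

# Full report (placeholder file name).
$report | Sort-Object RunDate |
    Export-Csv -Path C:\temp\DLAudit.csv -NoTypeInformation

# On-screen summary: who created which DL.
$report | Where-Object Cmdlet -eq 'New-DistributionGroup' |
    Select-Object RunDate, Caller, ObjectModified
```

The `Caller` column is the account that ran the cmdlet, and `Succeeded` separates completed changes from failed attempts.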



AlexC-8264 answered

Hi GlennMaxwell,
in addition to SaadKhan's answer, maybe you want to try Search-UnifiedAuditLog too:
https://docs.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps

Alex


GlennMaxwell-2309 answered

Will the below syntaxes work for Add/Remove DistributionGroup member?

Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -ObjectIds dl1@contoso.com | Export-Csv -Path C:\temp\MemberAdded.csv -NoTypeInformation
Search-AdminAuditLog -Cmdlets Remove-DistributionGroupMember -ObjectIds dl2@contoso.com | Export-Csv -Path C:\temp\MemberRemoved.csv -NoTypeInformation

For unified groups, do I need to use the below syntax?
Search-UnifiedAuditLog | Export-Csv -Path C:\temp\DLCreators.csv -NoTypeInformation

For add/remove members to a unified group, what will be the syntax?
