Search Unified Audit Log

Audit Stream Activities

When required to audit the creation of Teams meetings or live events videos, the activity of such events is logged to the Office 365 audit logs aka unified audit logs.

The following Powershell command, reliant upon the Exchange Online Powershell module, will search the audit logs over the last 90 days and output the relevant entries from the audit log:

ipmo exchangeonlinemanagement

connect-exchangeonline
$Logs = Search-UnifiedAuditLog -RecordType MicrosoftStream  -StartDate ((Get-date).AddDays(-90)) -EndDate (get-date) -Resultsize 5000




on No comments:
Labels: ,

Sway reporting in Powershell

Measure Sway usage in Office 365


This procedure will allow you to extract the number of users who have accessed Sway within Office 365 in the last thirty days. Perfect for keeping the Business Transformation manager  happy.


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri '
https://ps.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession -Session $Session -AllowClobber
$logs = Search-UnifiedAuditLog -RecordType Sway -StartDate ((get-date).AddDays(-30)) -EndDate (get-date) -ResultSize 5000 $logs.userids|sort -Unique|measure
on No comments:

Investigate License errors in Office 365

Investigate License errors in Office 365

An important part of any administrators job is the routine investigation of any errors encountered in the Office 365 environment. This short article will describe how to identify if there are any licensing errors in your Office 365 tenancy.
This assumes you already use dynamic groups for assigning Office 365 product licenses as per this Microsoft webpage: 


Report on all users who have a license error attached to their MSOL identity

1. Install the MSOnline powershell module

install-module MSOnline
2. Connect to MSOnline powershell

connect-msservice
3. Assign all users to a variable 
$allusers = get-msoluser -all

4. Filter all users with a licensing error into a separate variable
$errorusers = $allusers|where{$_.IndirectLicenseErrors -ne $null}

This will give you a list of all accounts that have a license error attached to them and each instance will require investigation.
on No comments:

Identify suspended Office 365 licensed users

Identify suspended 365 licensed users

This command will identify if there are any users with suspended Office 365 licenses in your tenancy.
There is a requirement of the MSOnline powershell commandlets to be able to access this information.

Get-MsolSubscription|where{$_.status -eq "Suspended"}|fl skupartnumber,ObjectId


on No comments:

Report on Sway usage in Office 365

Report on Sway usage in Office 365


When asked to create a report of Sway usage for a group of users within Office 365, there is no dedicated Sway admin portal so we need some Powershell commands and some audit report data to achieve this.

  1. Access https://protection.office.com
  2. Sign in using your work or school account.
  3. In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
    The Audit log search page is displayed.
  4. Configure your search criteria as 'Viewed Sway'
  5. Enter the start and finish dates of your search window
  6. Click Search to begin the audit log search process
  7. When the search is completed, the results will be displayed in the browser. We need to export these to CSV by clicking the Export Results drop down list.
  8. Open the CSV file in Excel and highlight the data in the users column and copy this to the clipboard.
  9. Open Powershell ISE and issue the following commands:

$users = get-clipboard
$users|where{$_ -like "user@domain.gov.uk"}|sort -unique

This will return a list of users from a particular domain who have accessed Sway 
on No comments:
Subscribe to: Posts (Atom)