Entra / Microsoft 365 · Compliance & audit

Find Send and Search audit records

Search the unified audit log for Send, SharePoint search, and Exchange search operations, as used in Office 365 for IT Pros Chapter 21 examples.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-ExchangeOnline

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [int] $LookbackDays = 90,
    [datetime] $StartDate = (Get-Date).AddDays(-$LookbackDays),
    [datetime] $EndDate = (Get-Date)
)

# Part 1: Send operations (messages sent from mailboxes).
# -ResultSize 5000 is the most a single call returns, so a busy tenant may hold more records than appear here.
$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -Operations Send
$SendReport = [System.Collections.Generic.List[Object]]::new() # Output list for Send records
If ($Records.Count -gt 0) {
    ForEach ($Rec in $Records) {
        # AuditData is a JSON string holding the workload-specific detail
        $AuditData = ConvertFrom-Json $Rec.AuditData
        $ReportLine = [PSCustomObject] @{
            TimeStamp = Get-Date $AuditData.CreationTime -Format g
            User      = $AuditData.MailboxOwnerUPN
            Operation = $AuditData.Operation
            Subject   = $AuditData.Item.Subject
            MessageId = $AuditData.Item.InternetMessageId }
        $SendReport.Add($ReportLine) }
} # End if

# Part 2: SharePoint and Exchange search operations.
$Operations = "SearchQueryInitiatedSharePoint", "SearchQueryInitiatedExchange"
$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -Operations $Operations
# Separate list, so the Send records gathered above are not overwritten
$SearchReport = [System.Collections.Generic.List[Object]]::new()
If ($Records.Count -gt 0) {
    ForEach ($Rec in $Records) {
        $AuditData = ConvertFrom-Json $Rec.AuditData
        Switch ($AuditData.Operation) {
            "SearchQueryInitiatedSharePoint" { # SharePoint search event
                $ReportLine = [PSCustomObject] @{
                    TimeStamp = Get-Date $AuditData.CreationTime -Format g
                    User      = $AuditData.UserId
                    Client    = $AuditData.QuerySource
                    Search    = $AuditData.QueryText
                    Scenario  = $AuditData.ScenarioName }
                $SearchReport.Add($ReportLine) }
            "SearchQueryInitiatedExchange" { # Exchange search event
                $ReportLine = [PSCustomObject] @{
                    TimeStamp = Get-Date $AuditData.CreationTime -Format g
                    User      = $AuditData.UserId
                    Client    = $AuditData.QuerySource
                    Search    = $AuditData.QueryText
                    Scenario  = $AuditData.ScenarioName }
                $SearchReport.Add($ReportLine) }
        } # End Switch
    } # End ForEach
} # End if

# Show both reports
$SendReport | Format-Table TimeStamp, User, Subject, MessageId
$SearchReport | Format-Table TimeStamp, Client, Search, User

Parameters

Parameter       Default                    Notes
-LookbackDays   90                         Number of days back to search unified audit log records.
-StartDate      (Get-Date).AddDays(-90)    Start of the audit log search window.
-EndDate        (Get-Date)                 End of the audit log search window.
Attribution