SMSAgentSoftware/New-MEMAdminAuditReport.ps1

## New-MEMAdminAuditReport.ps1
# Script to send a daily audit report for admin activities in MEM/Intune
# Requirements:
#   - Log Analytics Workspace
#   - Intune Audit Logs saved to workspace
#   - Service Principal with 'Log Analytics reader' role in workspace
#   - Azure Az PowerShell modules

# Azure resource info
$ApplicationId = "abc73938-0000-0000-0000-9b01316a9123" # Service Principal Application Id
$Secret = "489j49r-0000-0000-0000-e2dc6451123" # Service Principal Secret
$TenantID = "abc894e7-00000-0000-0000-320d0334b123" # Tenant ID
$LAWorkspaceID = "abcc1e47-0000-0000-0000-b7ce2b2bb123" # Log Analytics Workspace ID
$Timespan = (New-TimeSpan -Hours 24)

# Email params
$EmailParams = @{
    To         = 'trevor.jones@smsagent.blog'
    From       = 'MEMReporting@smsagent.blog'
    Smtpserver = 'smsagent.mail.protection.outlook.com'
    Port       = 25
    Subject    = "MEM Audit Report  |  $(Get-Date -Format dd-MMM-yyyy)"
}

# Html CSS style
$Style = @"
<style>
table {
    border-collapse: collapse;
    font-family: sans-serif
    font-size: 12px
}
td, th {
    border: 1px solid #ddd;
    padding: 6px;
}
th {
    padding-top: 8px;
    padding-bottom: 8px;
    text-align: left;
    background-color: #3700B3;
    color: #03DAC6
}
</style>
"@

# Connect to Azure with Service Principal
$Creds = [PSCredential]::new($ApplicationId,(ConvertTo-SecureString $Secret -AsPlaintext -Force))
Connect-AzAccount -ServicePrincipal -Credential $Creds -Tenant $TenantID

# Run the Log Analytics Query
$Query = "IntuneAuditLogs | sort by TimeGenerated desc"
$Results = Invoke-AzOperationalInsightsQuery -WorkspaceId $LAWorkspaceID -Query $Query -Timespan $Timespan
$ResultsArray = [System.Linq.Enumerable]::ToArray($Results.Results)

# Converts the results to a datatable
$DataTable = New-Object System.Data.DataTable
$Columns = @("Date","Initiated by (actor)","Application Name","Activity","Operation Status","Target Name","Target ObjectID")
foreach ($Column in $Columns)
{
    [void]$DataTable.Columns.Add($Column)
}
foreach ($result in $ResultsArray)
{
    $Properties = $Result.Properties | ConvertFrom-Json
    [void]$DataTable.Rows.Add(
        $Properties.ActivityDate,
        $result.Identity,
        $Properties.Actor.ApplicationName,
        $result.OperationName,
        $result.ResultType,
        $Properties.TargetDisplayNames[0],
        $Properties.TargetObjectIDs[0]
    )
}

# Send an email
If ($DataTable.Rows.Count -ge 1)
{
    $HTML = $Datatable |
                ConvertTo-Html -Property "Date","Initiated by (actor)","Application Name","Activity","Operation Status","Target Name","Target ObjectID" -Head $Style -Body "<h2>MEM Admin Activities in the last 24 hours</h2>" |
                Out-String
    Send-MailMessage @EmailParams -Body $html -BodyAsHtml
}
	# Script to send a daily audit report for admin activities in MEM/Intune
	# Requirements:
	# - Log Analytics Workspace
	# - Intune Audit Logs saved to workspace
	# - Service Principal with 'Log Analytics reader' role in workspace
	# - Azure Az PowerShell modules

	# Azure resource info
	$ApplicationId = "abc73938-0000-0000-0000-9b01316a9123" # Service Principal Application Id
	$Secret = "489j49r-0000-0000-0000-e2dc6451123" # Service Principal Secret
	$TenantID = "abc894e7-00000-0000-0000-320d0334b123" # Tenant ID
	$LAWorkspaceID = "abcc1e47-0000-0000-0000-b7ce2b2bb123" # Log Analytics Workspace ID
	$Timespan = (New-TimeSpan -Hours 24)

	# Email params
	$EmailParams = @{
	To = 'trevor.jones@smsagent.blog'
	From = 'MEMReporting@smsagent.blog'
	Smtpserver = 'smsagent.mail.protection.outlook.com'
	Port = 25
	Subject = "MEM Audit Report \| $(Get-Date -Format dd-MMM-yyyy)"
	}

	# Html CSS style
	$Style = @"
	<style>
	table {
	border-collapse: collapse;
	font-family: sans-serif
	font-size: 12px
	}
	td, th {
	border: 1px solid #ddd;
	padding: 6px;
	}
	th {
	padding-top: 8px;
	padding-bottom: 8px;
	text-align: left;
	background-color: #3700B3;
	color: #03DAC6
	}
	</style>
	"@

	# Connect to Azure with Service Principal
	$Creds = [PSCredential]::new($ApplicationId,(ConvertTo-SecureString $Secret -AsPlaintext -Force))
	Connect-AzAccount -ServicePrincipal -Credential $Creds -Tenant $TenantID

	# Run the Log Analytics Query
	$Query = "IntuneAuditLogs \| sort by TimeGenerated desc"
	$Results = Invoke-AzOperationalInsightsQuery -WorkspaceId $LAWorkspaceID -Query $Query -Timespan $Timespan
	$ResultsArray = [System.Linq.Enumerable]::ToArray($Results.Results)

	# Converts the results to a datatable
	$DataTable = New-Object System.Data.DataTable
	$Columns = @("Date","Initiated by (actor)","Application Name","Activity","Operation Status","Target Name","Target ObjectID")
	foreach ($Column in $Columns)
	{
	[void]$DataTable.Columns.Add($Column)
	}
	foreach ($result in $ResultsArray)
	{
	$Properties = $Result.Properties \| ConvertFrom-Json
	[void]$DataTable.Rows.Add(
	$Properties.ActivityDate,
	$result.Identity,
	$Properties.Actor.ApplicationName,
	$result.OperationName,
	$result.ResultType,
	$Properties.TargetDisplayNames[0],
	$Properties.TargetObjectIDs[0]
	)
	}

	# Send an email
	If ($DataTable.Rows.Count -ge 1)
	{
	$HTML = $Datatable \|
	ConvertTo-Html -Property "Date","Initiated by (actor)","Application Name","Activity","Operation Status","Target Name","Target ObjectID" -Head $Style -Body "<h2>MEM Admin Activities in the last 24 hours</h2>" \|
	Out-String
	Send-MailMessage @EmailParams -Body $html -BodyAsHtml
	}