Export O365 Auditlog

o365_auditlog_export.ps1

$UserCredential = Get-Credential

$ProxyOptions = New-PSSessionOption -ProxyAccessType "IEConfig"

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

$scriptStart=(get-date)
$sessionName = "auditlog"

$results = @()
$i = 0 # Loop counter
Do { 
	$currentResults = Search-UnifiedAuditLog -StartDate 08/01/2018 -EndDate 08/30/2018 -UserIds "userA,userB,userC" -SessionId $sessionName -SessionCommand ReturnLargeSet -ResultSize 5000
	if ($currentResults.Count -gt 0) {
		Write-Host (" Finished {3} search #{1}, {2} records: {0} min" -f [math]::Round((New-TimeSpan -Start $scriptStart).TotalMinutes,4), $i, $currentResults.Count, $user.UserPrincipalName)
		$results += $currentResults
		if ($currentResults.Count -lt 5000) {
			$currentResults = @()
		} else {
			$i++
		}
	}
} Until ($currentResults.Count -eq 0)

Foreach ($log in $results) {
    $data = (ConvertFrom-Json $log.AuditData)
    $output = $log.CreationDate.ToString() + "," + $log.UserIds + "," + $log.RecordType + "," + $log.Operations + "," + $data.ClientIP + "," + $data.ObjectId
    
    Add-Content -path C:\Temp\auditlog.csv $output -Encoding String
}

Remove-PSSession $Session

• https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-unifiedauditlog?view=exchange-ps
• https://docs.microsoft.com/ja-jp/office365/securitycompliance/search-the-audit-log-in-security-and-compliance