O365Troubleshooters

2.0.0.6

ActionPlans/Start-AzureADAuditSignInLogSearch.ps1

                                Function Search-AzureAdSignInAudit {

    param( 

        [int][Parameter(Mandatory=$true)] $DaysToSearch,

        [string[]][Parameter(Mandatory=$false)] $CmdletsToSearch,

        [string][Parameter(Mandatory=$false)] $Upn)

        $DaysToSearch=10

        $Upn ="admin@vilega.onmicrosoft.com"

        Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq $Upn"

        if (!([string]::IsNullOrEmpty($userIds)))

        {

            $UnifiedAuditLogs =Search-UnifiedAuditLog -StartDate (Get-Date).addDays(-$DaysToSearch) -EndDate (Get-Date) -Operations $OperationsToSearch -UserIds $userIds -SessionCommand ReturnLargeSet 

        }

        else

        {

            $UnifiedAuditLogs =Search-UnifiedAuditLog -StartDate (Get-Date).addDays(-$DaysToSearch) -EndDate (Get-Date) -Operations $OperationsToSearch  -SessionCommand ReturnLargeSet 

        }

        return AzureAdSignInAudit

}

$Workloads = "AzureADPreview"

Connect-O365PS $Workloads

$CurrentProperty = "Connecting to: $Workloads"

$CurrentDescription = "Success"

write-log -Function "Connecting to O365 workloads" -Step $CurrentProperty -Description $CurrentDescription 

$ts= get-date -Format yyyyMMdd_HHmmss

$ExportPath = "$global:WSPath\ExchangeOnlineAudit_$ts"

mkdir $ExportPath -Force

do

{

    Write-Host "Please imput the number of days you want to search (maximum 90): " -ForegroundColor Cyan -NoNewline

    [int]$DaysToSearch= Read-Host

} while ($DaysToSearch -gt 90)

Write-Host "Please imput cmdlets to search separated by comma (or just hit [Enter] to look for all cmdles): " -ForegroundColor Cyan -NoNewline

$CmdletsToSearch = Read-Host

Write-Host "Please imput the UPN for the user you want to search actions (or just hit [Enter] to look for all users): " -ForegroundColor Cyan -NoNewline

$Caller = Read-Host

$AuditLogs = Search-EXOAdminAudit -DaysToSearch $DaysToSearch -CmdletsToSearch  $CmdletsToSearch -Caller $Caller

$AuditLogs | Export-Csv "$ExportPath\ExchangeOnlineAudit_$ts.csv"

Write-Host "Exchange Online audit logs have been exported to: $ExportPath\ExchangeOnlineAudit_$ts.csv"

Read-Key

# Return to the main menu

Clear-Host

Start-O365TroubleshootersMenu

$MFAExchangeModule = ((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1)

. "$MFAExchangeModule" |Out-Null

Connect-EXOPSSession -userprincipalname "admin@vilega.onmicrosoft.com"

Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse).FullName |`

where { $_ -notmatch "_none_" } | select -First 1)

$EXOSession = New-ExoPSSession -UserPrincipalName $UPN

Import-PSSession $EXOSession -AllowClobber |out-null