How to bypass Office 365’s 90-day log limit
When responding to an O365 (Office 365) data breach, depending on how quickly the breach was discovered, you may need to go further back than the 90 days that are allowed by default. Usually, you need an E5 or similar license (as of 2021) to be able to access older logs from the Security and Compliance Center web interface. However, there is a way around this with PowerShell.
Technical Challenges
The main cmdlet we will be using is "Search-UnifiedAuditLog". It returns at most 5,000 records per query, which is a problem when you need to pull months' worth of logs. What we can do to solve this is to download the logs one hour at a time, so that each query stays under the limit.
The code below will connect to O365 and download the logs to a CSV file. Note that the variable $intDays is the number of days back you’d like to download. The code by default works backwards from your current date.
# Get your O365 creds and open a remote PowerShell session to Exchange Online
# (this is the legacy Basic-auth remoting endpoint; newer tenants use the
# ExchangeOnlineManagement module and Connect-ExchangeOnline instead)
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking
# Output file
$OutputFile = ".\UnifiedAuditLog_FULL1.csv"
# Get Todays Date
$EndDate = Get-Date
# If you want to set a date instead, uncomment and edit the next line
# $EndDate = Get-Date "2021-01-31"
# Set how many days back you want to go
$intDays = 90
$StartDate = $EndDate.AddDays(-$intDays)
# Download logs one hour at a time, appending each window to the CSV
$WindowStart = $StartDate
while ($WindowStart -lt $EndDate) {
    $WindowEnd = $WindowStart.AddHours(1)
    Search-UnifiedAuditLog -StartDate $WindowStart -EndDate $WindowEnd -ResultSize 5000 |
        Export-Csv -Path $OutputFile -NoTypeInformation -Append
    $WindowStart = $WindowEnd
}
Remove-PSSession $Session
Keep in mind this is only a sample piece of code and you may need to make changes based on your use case.
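As an added example (not the post's own code), here is a version of the hourly loop that pages each window with -SessionCommand ReturnLargeSet and splits any window whose ResultCount still exceeds what one session can return, so a busy hour is not silently truncated at the cap. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; $OutputFile and $intDays are placeholders to adjust.

```powershell
# Added example: paged, self-splitting download of the unified audit log.
# Assumes Connect-ExchangeOnline has already been run in this session.
$OutputFile = ".\UnifiedAuditLog_paged.csv"   # placeholder path
$PageSize   = 5000    # hard per-call cap of Search-UnifiedAuditLog
$SessionMax = 50000   # cap per SessionId when paging with ReturnLargeSet

function Export-AuditWindow {
    param([datetime]$Start, [datetime]$End)

    # One SessionId per window; repeated calls with the same id return the
    # next page of the same result set until the cmdlet returns nothing.
    $sessionId = "ual-{0:yyyyMMddHHmmss}-{1:yyyyMMddHHmmss}" -f $Start, $End
    $total = 0
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet `
                    -ResultSize $PageSize)
        if ($page.Count -eq 0) { break }

        # ResultCount on every record is the size of the whole result set for
        # this window. If it exceeds the session cap the window would be cut
        # off, so halve it and retry (down to a one-minute floor).
        $count = [int]$page[0].ResultCount
        if ($count -gt $SessionMax -and ($End - $Start).TotalMinutes -gt 1) {
            $mid = $Start.AddSeconds(($End - $Start).TotalSeconds / 2)
            Write-Warning ("{0:u} - {1:u}: {2} records, splitting window" -f $Start, $End, $count)
            Export-AuditWindow -Start $Start -End $mid
            Export-AuditWindow -Start $mid   -End $End
            return
        }
        if ($count -gt $SessionMax) {
            Write-Warning ("{0:u} - {1:u}: {2} records, window will be truncated" -f $Start, $End, $count)
        }

        $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
            Export-Csv -Path $OutputFile -NoTypeInformation -Append
        $total += $page.Count
    } while ($page.Count -eq $PageSize)

    Write-Host ("{0:u} - {1:u}: {2} records written" -f $Start, $End, $total)
}

# Walk backwards from now in one-hour windows, as in the loop above.
$intDays = 180                       # placeholder: how far back to go
$cursor  = Get-Date
$stop    = $cursor.AddDays(-$intDays)
while ($cursor -gt $stop) {
    $prev = $cursor.AddHours(-1)
    Export-AuditWindow -Start $prev -End $cursor
    $cursor = $prev
}
```

The AuditData column holds the JSON detail for each event, so the CSV can be parsed afterwards with ConvertFrom-Json for timeline building.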