Audit logs in SharePoint Online provide insights into user activities, file modifications, site access, and permission changes. Using PnP PowerShell, administrators can efficiently extract and analyze audit logs for security monitoring, compliance, and troubleshooting.
Why export SharePoint audit logs?
- Monitor who accessed or modified files
- Track permission and sharing changes
- Identify security risks and anomalies
- Ensure compliance with IT policies
Prerequisites
Before running PowerShell commands:
Install PnP PowerShell (if not installed)
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Connect to SharePoint Admin Center
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Ensure proper permissions
- You must be a Global Administrator or SharePoint Admin
- Enable audit logging in Microsoft Purview Compliance Center
Step 1: Retrieve Audit Logs from SharePoint
To fetch audit logs, use:
$startDate = (Get-Date).AddDays(-30) # Last 30 days
$endDate = Get-Date
Get-PnPAuditLog -StartTime $startDate -EndTime $endDate -RecordType SharePoint | Format-Table
Fetches SharePoint audit logs for the last 30 days.
Step 2: Exporting Audit Logs to a CSV File
To generate a CSV report for analysis:
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date
$logPath = "C:\SharePointAuditLogs.csv"
Get-PnPAuditLog -StartTime $startDate -EndTime $endDate -RecordType SharePoint |
    Select-Object CreationDate, Operation, UserIds, ObjectId |
    Export-Csv -Path $logPath -NoTypeInformation
Saves audit logs including:
- Date of action
- Operation performed
- User who performed the action
- Affected object (file, site, list, etc.)
Step 3: Filtering Specific Audit Events
1️⃣ Fetching File Access Logs
To filter only file access activities:
Get-PnPAuditLog -StartTime $startDate -EndTime $endDate -RecordType SharePoint | Where-Object { $_.Operation -eq "FileAccessed" } | Format-Table
Retrieves logs for files that were accessed.
2️⃣ Tracking Permission Changes
To monitor permission modifications:
Get-PnPAuditLog -StartTime $startDate -EndTime $endDate -RecordType SharePoint | Where-Object { $_.Operation -match "Permission" } | Format-Table
Identifies who granted or removed permissions.
3️⃣ Detecting File Deletions
To find deleted files or folders:
Get-PnPAuditLog -StartTime $startDate -EndTime $endDate -RecordType SharePoint | Where-Object { $_.Operation -eq "FileDeleted" } | Format-Table
Helps track accidental or malicious deletions.
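To tell a burst of deletions apart from routine clean-up, the exported rows can be grouped per user and scanned with a sliding time window. This is an added example, not part of the original article: the function name Find-BulkDeletion, the threshold, the window length and the sample rows are assumptions, and it relies only on the four columns exported in Step 2.

```powershell
# Constructed sample rows using the columns exported in Step 2 (not real tenant data).
$sampleCsv = @'
CreationDate,Operation,UserIds,ObjectId
2024-05-01T09:00:05,FileDeleted,alice@contoso.example,/sites/hr/Docs/a.docx
2024-05-01T09:00:40,FileDeleted,alice@contoso.example,/sites/hr/Docs/b.docx
2024-05-01T09:01:15,FileDeleted,alice@contoso.example,/sites/hr/Docs/c.docx
2024-05-01T09:02:00,FileDeleted,alice@contoso.example,/sites/hr/Docs/d.docx
2024-05-01T09:03:30,FileDeleted,alice@contoso.example,/sites/hr/Docs/e.docx
2024-05-01T11:20:00,FileDeleted,bob@contoso.example,/sites/it/Docs/old.txt
2024-05-01T11:25:00,FileAccessed,bob@contoso.example,/sites/it/Docs/plan.xlsx
2024-05-02T14:00:00,FileDeleted,alice@contoso.example,/sites/hr/Docs/f.docx
'@

function Find-BulkDeletion {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Record,
        [string[]] $Operation = 'FileDeleted',
        [int] $Threshold = 5,       # events inside one window that count as "bulk" (assumed value)
        [int] $WindowMinutes = 10   # sliding window length (assumed value)
    )
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        # Keep only the operations of interest; the [datetime] cast parses with the invariant culture.
        if ($Record.Operation -in $Operation) {
            $hits.Add([pscustomobject]@{ User = $Record.UserIds; Time = [datetime]$Record.CreationDate })
        }
    }
    end {
        foreach ($g in ($hits | Group-Object User)) {
            $t = @($g.Group | Sort-Object Time)
            $lo = 0; $best = 0; $from = $null; $to = $null
            for ($hi = 0; $hi -lt $t.Count; $hi++) {
                # Move the left edge forward until the window spans at most $WindowMinutes.
                while (($t[$hi].Time - $t[$lo].Time).TotalMinutes -gt $WindowMinutes) { $lo++ }
                if (($hi - $lo + 1) -gt $best) {
                    $best = $hi - $lo + 1; $from = $t[$lo].Time; $to = $t[$hi].Time
                }
            }
            if ($best -ge $Threshold) {
                [pscustomobject]@{ User = $g.Name; Events = $best; WindowStart = $from; WindowEnd = $to }
            }
        }
    }
}

# With the sample above, only alice is reported (5 deletions between 09:00:05 and 09:03:30).
$sampleCsv | ConvertFrom-Csv | Find-BulkDeletion | Format-Table -AutoSize
# Against the real export: Import-Csv "C:\SharePointAuditLogs.csv" | Find-BulkDeletion
```

If the exported CreationDate strings were written in a non-invariant regional format, parse them explicitly before piping the rows in.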
Step 4: Automating Audit Log Exports
You can schedule a PowerShell script to automatically generate reports:
$startDate = (Get-Date).AddDays(-7) # Last 7 days
$endDate = Get-Date
$logPath = "C:\AuditLogs\SharePointAuditLog_$(Get-Date -Format "yyyyMMdd").csv"
Get-PnPAuditLog -StartTime $startDate -EndTime $endDate -RecordType SharePoint |
    Select-Object CreationDate, Operation, UserIds, ObjectId |
    Export-Csv -Path $logPath -NoTypeInformation
# Send log file via email. The body contains HTML tags, so -BodyAsHtml is needed for them to render;
# -UseSsl keeps the report from crossing the network in clear text.
$body = "Hello, <br><br> Please find the SharePoint audit log report for the last 7 days attached. <br><br> Regards, <br> IT Security Team"
Send-MailMessage -To "security@yourcompany.com" -From "noreply@yourcompany.com" -Subject "SharePoint Audit Report" -Body $body -BodyAsHtml -Attachments $logPath -SmtpServer "smtp.yourcompany.com" -UseSsl
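Scheduled weekly, this script emails the audit report to security admins. An unattended run cannot use the -Interactive sign-in from the prerequisites, so the scheduled script needs its own non-interactive Connect-PnPOnline call.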
Step 5: Analyzing Logs in Power BI
To create a SharePoint Audit Dashboard in Power BI:
1️⃣ Open Power BI Desktop
2️⃣ Click Get Data > CSV and import SharePointAuditLogs.csv
3️⃣ Create visualizations for user activity, file modifications, and access trends
4️⃣ Set up scheduled refresh for automated updates
This helps IT teams monitor security incidents and compliance violations!
Step 6: Troubleshooting Issues
1️⃣ No Data in Logs?
Ensure audit logging is enabled in Microsoft Purview Compliance Center
Use Set-PnPTraceLog -On to check for errors
2️⃣ Connection Issues?
Run Update-Module PnP.PowerShell to get the latest version
Verify admin access to SharePoint