Generating SharePoint Online Access Logs using PnP PowerShell

Monitoring SharePoint Online access logs is crucial for security, auditing, and compliance. Using PnP PowerShell, we can:
Extract user activity logs (who accessed what and when)
Monitor file and site access
Generate reports for security audits
Detect unauthorized access


Step 1: Connect to SharePoint Online

Before retrieving logs, connect to your SharePoint tenant using PnP PowerShell:

$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $adminUrl -Interactive
Write-Host "✅ Connected to SharePoint Online"

✔ Ensures secure authentication for accessing audit logs.


Step 2: Retrieve SharePoint Online Access Logs

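To fetch user access logs, query the unified audit log with Search-UnifiedAuditLog. This cmdlet belongs to the Exchange Online PowerShell module (ExchangeOnlineManagement), not PnP PowerShell, so it needs its own Connect-ExchangeOnline session:

# Search-UnifiedAuditLog requires an Exchange Online PowerShell session
Connect-ExchangeOnline

$StartDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
$EndDate = (Get-Date).ToString("yyyy-MM-dd")

$logs = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType SharePointFileOperation -ResultSize 1000

# ObjectId (the file or site URL) is stored inside the AuditData JSON, not as a top-level property
$logs | Select-Object CreationDate, UserIds, Operations, @{Name='ObjectId'; Expression={($_.AuditData | ConvertFrom-Json).ObjectId}} | Format-Table -AutoSize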

✔ Retrieves last 7 days of SharePoint file operations logs.


Step 3: Export Logs to CSV

To analyze logs later, export them to a CSV file:

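# ObjectId is read from the AuditData JSON of each record
$logs | Select-Object CreationDate, UserIds, Operations, @{Name='ObjectId'; Expression={($_.AuditData | ConvertFrom-Json).ObjectId}} | Export-Csv -Path "AccessLogs.csv" -NoTypeInformation
Write-Host "Access logs exported to AccessLogs.csv"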

✔ Generates a detailed access report.


Step 4: Filter Logs for Specific Users

To track activity of a specific user, filter by their email:

$userEmail = "user@yourtenant.com"

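# -match takes a regular expression, so escape the address to match it literally
$userLogs = $logs | Where-Object { $_.UserIds -match [regex]::Escape($userEmail) }
# ObjectId is read from the AuditData JSON of each record
$userLogs | Select-Object CreationDate, Operations, @{Name='ObjectId'; Expression={($_.AuditData | ConvertFrom-Json).ObjectId}} | Format-Table -AutoSize

Write-Host "Displaying logs for: $userEmail"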

✔ Helps audit individual user activity.


Step 5: Detect Unauthorized Access Attempts

To identify potential security threats, filter for suspicious operations:

$suspiciousLogs = $logs | Where-Object { $_.Operations -match "AccessDenied" }

if ($suspiciousLogs) {
    Write-Host "Unauthorized access detected:"
    # ObjectId is read from the AuditData JSON of each record
    $suspiciousLogs | Select-Object CreationDate, UserIds, @{Name='ObjectId'; Expression={($_.AuditData | ConvertFrom-Json).ObjectId}} | Format-Table -AutoSize
} else {
    Write-Host "No unauthorized access detected."
}

✔ Detects failed access attempts.
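
The check in Step 5, extended as an added example (not code from the original post): it expands the AuditData JSON that each audit record carries, skips records whose JSON cannot be parsed, and groups denied requests per user with the objects and client IPs involved. The sample records, URLs, addresses, function names and threshold are constructed for illustration; AccessDenied is the operation name the filter above uses.

```powershell
# Constructed records shaped like Search-UnifiedAuditLog output: detail is a JSON string in AuditData.
function New-SampleRecord($When, $User, $Op, $Url, $Ip) {
    [pscustomobject]@{
        CreationDate = [datetime]$When; UserIds = $User; Operations = $Op
        AuditData    = (@{ ObjectId = $Url; ClientIP = $Ip } | ConvertTo-Json -Compress)
    }
}
$site = 'https://yourtenant.sharepoint.com/sites/finance'   # constructed URL
$sampleLogs = @(
    New-SampleRecord '2024-05-01 09:00' 'alice@yourtenant.com' 'FileAccessed' "$site/budget.xlsx"  '203.0.113.10'
    New-SampleRecord '2024-05-01 09:05' 'bob@yourtenant.com'   'AccessDenied' "$site/payroll.xlsx" '198.51.100.7'
    New-SampleRecord '2024-05-01 09:06' 'bob@yourtenant.com'   'AccessDenied' "$site/bonus.xlsx"   '198.51.100.7'
    New-SampleRecord '2024-05-01 09:09' 'bob@yourtenant.com'   'AccessDenied' "$site/payroll.xlsx" '198.51.100.9'
    New-SampleRecord '2024-05-01 10:00' 'alice@yourtenant.com' 'AccessDenied' "$site/payroll.xlsx" '203.0.113.10'
    # Constructed damaged record: AuditData is not valid JSON
    [pscustomobject]@{ CreationDate = [datetime]'2024-05-01 10:30'; UserIds = 'carol@yourtenant.com'
                       Operations = 'AccessDenied'; AuditData = '{truncated' }
)

# Flatten one audit record: top-level fields plus ObjectId and ClientIP from AuditData.
function Expand-AuditRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        try   { $detail = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Skipping record with unparsable AuditData ($($Record.UserIds))"; return }
        [pscustomobject]@{
            CreationDate = $Record.CreationDate; UserId = $Record.UserIds
            Operation    = $Record.Operations
            ObjectId     = $detail.ObjectId;     ClientIP = $detail.ClientIP
        }
    }
}

# Per-user summary of denied requests; OverThreshold marks users at or above the threshold.
function Get-DeniedAccessSummary {
    param($Records, [int]$Threshold = 3)
    $Records | Expand-AuditRecord |
        Where-Object { $_.Operation -eq 'AccessDenied' } |
        Group-Object UserId |
        ForEach-Object {
            [pscustomobject]@{
                UserId        = $_.Name
                Denied        = $_.Count
                Objects       = @($_.Group.ObjectId | Sort-Object -Unique)
                ClientIPs     = @($_.Group.ClientIP | Sort-Object -Unique)
                OverThreshold = $_.Count -ge $Threshold
            }
        } | Sort-Object Denied -Descending
}

Get-DeniedAccessSummary -Records $sampleLogs -Threshold 3 | Format-Table -AutoSize
```

Against live data, pass the $logs variable from Step 2 as -Records in place of $sampleLogs.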


Step 6: Automate Log Collection and Reporting

To automate log generation, schedule a PowerShell script:

$taskName = "SharePoint Access Logs Automation"
$scriptPath = "C:\Scripts\AccessLogs.ps1"

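# The task runs unattended as SYSTEM, so the scheduled script cannot use -Interactive sign-in;
# it needs non-interactive authentication (for example an app registration with a certificate)
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File $scriptPath"
$trigger = New-ScheduledTaskTrigger -Daily -At 12AM
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -User "SYSTEM" -RunLevel Highest

Write-Host "Scheduled automated SharePoint access log collection."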

✔ Ensures continuous monitoring.


Step 7: Visualize Access Logs in Power BI

To analyze logs in Power BI, create a live data connection:
1️⃣ Open Power BI Desktop
2️⃣ Click Get Data → CSV
3️⃣ Select AccessLogs.csv
4️⃣ Build visual reports with user activity trends

✔ Helps in better log analysis and security audits.
