1. Introduction
Monitoring SharePoint Audit Logs is essential for tracking user activities, ensuring security, and maintaining compliance. PnP PowerShell provides an efficient way to:
Retrieve user activities (file modifications, access, deletions)
Monitor administrative changes
Identify suspicious behavior
Automate audit log reporting
This guide will walk you through the step-by-step process of using PnP PowerShell to monitor and manage SharePoint Audit Logs.
2. Prerequisites
Before retrieving audit logs, ensure:
✔ PnP PowerShell is installed
Install-Module -Name PnP.PowerShell -Scope CurrentUser -Force
✔ You have SharePoint Administrator or Global Administrator permissions
✔ Unified Audit Logging is enabled in Microsoft Purview Compliance Center
3. Understanding SharePoint Audit Logs
Audit Logs help track who did what, when, and where in SharePoint Online. Some key activities captured include:
| Action | Description |
|---|---|
| File Access | When a user views or downloads a file |
| File Modification | Changes made to files (edit, rename, move) |
| File Deletion | When a file is deleted |
| Permissions Changes | When site or document library permissions are modified |
| User Login Events | When a user logs in to SharePoint Online |
| Sharing Activities | When a file is shared internally or externally |
| Site Administration | Changes in site settings, creation, or deletion |
4. Connecting to SharePoint Online Using PnP PowerShell
To interact with SharePoint Online, first connect to your tenant:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
✔ This prompts an authentication window to log in securely.
5. Enabling Audit Logging in SharePoint Online
Before retrieving audit logs, ensure audit logging is enabled in Microsoft 365 Compliance Center:
1️⃣ Sign in to Microsoft Purview Compliance Center.
2️⃣ Navigate to Audit > Audit Settings.
3️⃣ Enable Audit Log Search.
4️⃣ Choose the retention period (90 days for standard, up to 1 year for premium).
Now, audit logs are being captured and can be retrieved using PowerShell.
6. Retrieving SharePoint Audit Logs
Use the following PnP PowerShell commands to fetch SharePoint audit logs:
A. Retrieve All SharePoint Audit Logs
$AuditLogs = Get-PnPAuditLog -SiteUrl "https://yourtenant.sharepoint.com/sites/YourSite"
$AuditLogs | Format-Table UserId, Event, ObjectId, EventDateUTC -AutoSize
✔ Displays audit logs including user actions, file access, and permission changes.
B. Retrieve Audit Logs for a Specific User
$UserEmail = "user@example.com"
$AuditLogs = Get-PnPAuditLog -SiteUrl "https://yourtenant.sharepoint.com/sites/YourSite" | Where-Object { $_.UserId -eq $UserEmail }
$AuditLogs | Format-Table Event, ObjectId, EventDateUTC -AutoSize
✔ Filters audit logs for a specific user.
C. Retrieve File Deletion Logs
$AuditLogs = Get-PnPAuditLog -SiteUrl "https://yourtenant.sharepoint.com/sites/YourSite" | Where-Object { $_.Event -eq "FileDeleted" }
$AuditLogs | Format-Table UserId, ObjectId, EventDateUTC -AutoSize
✔ Shows all file deletions with user details and timestamps.
7. Filtering and Exporting Audit Logs
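To analyze logs efficiently, export them to CSV or Excel. The commands below write to C:\Reports, which must already exist. The exported files list user identities and object paths, so restrict access to that folder to the people who review the reports.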
A. Export Audit Logs to CSV
$AuditLogs = Get-PnPAuditLog -SiteUrl "https://yourtenant.sharepoint.com/sites/YourSite"
$AuditLogs | Export-Csv -Path "C:\Reports\SharePointAuditLogs.csv" -NoTypeInformation
Write-Host "Audit logs exported successfully!"
✔ Saves audit logs for further analysis.
B. Retrieve and Export Permissions Change Logs
$AuditLogs = Get-PnPAuditLog -SiteUrl "https://yourtenant.sharepoint.com/sites/YourSite" | Where-Object { $_.Event -eq "RoleModified" }
$AuditLogs | Export-Csv -Path "C:\Reports\PermissionsChanges.csv" -NoTypeInformation
Write-Host "Permissions changes report generated."
✔ Exports logs of permissions modifications.
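One way to act on the "identify suspicious behavior" goal with the exported data, as an added example that is not part of the original guide: it flags a burst of FileDeleted events by one user and lists every RoleModified event. The function name Find-AuditAnomaly, the thresholds and the sample rows are assumptions, and the input is assumed to carry the UserId, Event, ObjectId and EventDateUTC columns used in the commands above.

```powershell
# Added example: function name, thresholds and sample rows are constructed for illustration.
function Find-AuditAnomaly {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # rows with UserId, Event, ObjectId, EventDateUTC
        [int] $DeleteThreshold = 3,                  # this many deletions by one user...
        [int] $WindowMinutes   = 10                  # ...inside this many minutes
    )
    $styles = [System.Globalization.DateTimeStyles] 'AssumeUniversal, AdjustToUniversal'
    # CSV fields are strings: parse timestamps once so comparisons are chronological, not lexical.
    $rows = foreach ($r in $Records) {
        [pscustomobject]@{
            UserId = $r.UserId; Event = $r.Event; ObjectId = $r.ObjectId
            When   = [datetime]::Parse($r.EventDateUTC, [cultureinfo]::InvariantCulture, $styles)
        }
    }
    # Rule 1: a burst of deletions by one user inside a sliding time window.
    foreach ($g in ($rows | Where-Object Event -eq 'FileDeleted' | Group-Object UserId)) {
        $events = @($g.Group | Sort-Object When)
        $start = 0
        for ($end = 0; $end -lt $events.Count; $end++) {
            while (($events[$end].When - $events[$start].When).TotalMinutes -gt $WindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $DeleteThreshold) {
                [pscustomobject]@{ Rule = 'BulkDelete'; UserId = $g.Name; Count = $end - $start + 1
                    FirstSeen = $events[$start].When; LastSeen = $events[$end].When
                }
                break  # one finding per user is enough to trigger a review
            }
        }
    }
    # Rule 2: every permission change is surfaced for review.
    foreach ($r in ($rows | Where-Object Event -eq 'RoleModified')) {
        [pscustomobject]@{ Rule = 'PermissionChange'; UserId = $r.UserId; Count = 1
            FirstSeen = $r.When; LastSeen = $r.When
        }
    }
}

# Constructed sample rows in the shape of the CSV export above.
$sample = @'
UserId,Event,ObjectId,EventDateUTC
alice@example.com,FileDeleted,/sites/YourSite/Docs/a.docx,2024-05-01 09:00:00
alice@example.com,FileDeleted,/sites/YourSite/Docs/b.docx,2024-05-01 09:02:00
alice@example.com,FileDeleted,/sites/YourSite/Docs/c.docx,2024-05-01 09:04:00
bob@example.com,FileDeleted,/sites/YourSite/Docs/d.docx,2024-05-01 10:00:00
bob@example.com,FileDeleted,/sites/YourSite/Docs/e.docx,2024-05-01 14:00:00
carol@example.com,RoleModified,/sites/YourSite,2024-05-01 11:30:00
'@ | ConvertFrom-Csv
Find-AuditAnomaly -Records $sample | Format-Table -AutoSize
```

To run it against a real export, replace `$sample` with `Import-Csv -Path "C:\Reports\SharePointAuditLogs.csv"`.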
8. Automating SharePoint Audit Log Monitoring
To automate audit log collection, create a scheduled PowerShell script.
A. Save the Script
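# Connect to SharePoint with app-only (certificate) authentication.
# -Interactive opens a sign-in window, which an unattended scheduled task cannot complete.
# Placeholders: use your own app registration's client ID, tenant and certificate thumbprint;
# the certificate must be in the certificate store of the account that runs the task.
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId "<app-client-id>" -Tenant "yourtenant.onmicrosoft.com" -Thumbprint "<certificate-thumbprint>"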
# Get audit logs
$AuditLogs = Get-PnPAuditLog -SiteUrl "https://yourtenant.sharepoint.com/sites/YourSite"
# Export logs
$AuditLogs | Export-Csv -Path "C:\Reports\DailyAuditLogs.csv" -NoTypeInformation
Write-Host "Daily SharePoint audit logs collected successfully!"
B. Schedule the Script
1️⃣ Open Task Scheduler
2️⃣ Click Create Basic Task
3️⃣ Set Trigger to Daily at 12:00 AM
4️⃣ Set Action to Start a Program
5️⃣ Enter powershell.exe in Program/Script
6️⃣ In Add Arguments, enter:
-File "C:\Scripts\AuditLogMonitor.ps1"
7️⃣ Click Finish to enable automation
✔ Now, the script automatically collects audit logs daily!