Merge pull request #660 from reshmee011/main

cli for m365 version of the same sample for audit log using the office 365 activity feed
pnp · Feb 12, 2024 · 22a9ed8 · 22a9ed8
2 parents 9dd69e9 + 9499463
commit 22a9ed8
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 7 deletions.
diff --git a/scripts/m365-get-unifiedlog-spo-dlp-exchange-entra/README.md b/scripts/m365-get-unifiedlog-spo-dlp-exchange-entra/README.md
@@ -37,14 +37,14 @@ $logCollection = @()
 while($days -ge $endDay){
 if($days -eq 0)
 {
- $activities =  Get-PnPUnifiedAuditLog -ContentType SharePoint -ErrorAction Ignore
+ $activities +=  Get-PnPUnifiedAuditLog -ContentType SharePoint -ErrorAction Ignore
  $activities +=  Get-PnPUnifiedAuditLog -ContentType AzureActiveDirectory -ErrorAction Ignore
  $activities +=  Get-PnPUnifiedAuditLog -ContentType DLP -ErrorAction Ignore
  $activities +=  Get-PnPUnifiedAuditLog -ContentType Exchange -ErrorAction Ignore
  $activities +=  Get-PnPUnifiedAuditLog -ContentType General -ErrorAction Ignore
  
 }else {
-    $activities = Get-PnPUnifiedAuditLog -ContentType AzureActiveDirectory -ErrorAction Ignore  -StartTime (Get-date).adddays(-$days) -EndTime (Get-date).adddays(-($days-1))
+    $activities += Get-PnPUnifiedAuditLog -ContentType AzureActiveDirectory -ErrorAction Ignore  -StartTime (Get-date).adddays(-$days) -EndTime (Get-date).adddays(-($days-1))
     $activities += Get-PnPUnifiedAuditLog -ContentType SharePoint -ErrorAction Ignore  -StartTime (Get-date).adddays(-$days) -EndTime (Get-date).adddays(-($days-1))
     $activities += Get-PnPUnifiedAuditLog -ContentType DLP -ErrorAction Ignore  -StartTime (Get-date).adddays(-$days) -EndTime (Get-date).adddays(-($days-1))
     $activities += Get-PnPUnifiedAuditLog -ContentType Exchange -ErrorAction Ignore  -StartTime (Get-date).adddays(-$days) -EndTime (Get-date).adddays(-($days-1))
@@ -66,16 +66,73 @@ if($days -eq 0)
 $logCollection | sort-object "Operation" |Export-CSV $OutPutView -Force -NoTypeInformation
 ```
 
+[!INCLUDE [More about PnP PowerShell](../../docfx/includes/MORE-PNPPS.md)]
+
+# [CLI for Microsoft 365](#tab/cli-m365-ps)
+
+
+```PowerShell
+$SiteUrl = "https://contoso.sharepoint.com/sites/test"
+$userId = "[email protected]" 
+Write-Host "Ensure logged in"
+$m365Status = m365 status --output text
+if ($m365Status -eq "Logged Out") {
+  Write-Host "Logging in the User!"
+  m365 login --authType browser
+}
+$days = 3
+$endDay = 0
+$Operations = @()
+ 
+# Generate a unique log file name using today's date
+$dateTime = (Get-Date).toString("dd-MM-yyyy_HHmm")
+$invocation = (Get-Variable MyInvocation).Value
+$directorypath = Split-Path $invocation.MyCommand.Path
+$fileName = "logReport-" + $dateTime + ".csv"
+$OutPutView = $directorypath + "\Logs\"+ $fileName
+ 
+$logCollection = @()
+while($days -ge $endDay){
+if($days -eq 0)
+{
+    $activities +=  m365 purview auditlog list --contentType SharePoint --output 'json' | ConvertFrom-Json
+    $activities +=  m365 purview auditlog list --contentType AzureActiveDirectory --output 'json' | ConvertFrom-Json
+    $activities +=  m365 purview auditlog list --contentType DLP --output 'json' | ConvertFrom-Json
+    $activities +=  m365 purview auditlog list --contentType Exchange --output 'json' | ConvertFrom-Json
+    $activities +=  m365 purview auditlog list --contentType General --output 'json' | ConvertFrom-Json
+ 
+}else {
+   $activities += m365 purview auditlog list --contentType SharePoint --startTime ((Get-date).adddays(-$days) | Get-Date -uFormat '%Y-%m-%d') --endTime ((Get-date).adddays(-($days-1)) | Get-Date -uFormat '%Y-%m-%d') --output 'json' | ConvertFrom-Json
+   $activities += m365 purview auditlog list --contentType AzureActiveDirectory --startTime ((Get-date).adddays(-$days) | Get-Date -uFormat '%Y-%m-%d') --endTime ((Get-date).adddays(-($days-1)) | Get-Date -uFormat '%Y-%m-%d') --output 'json'| ConvertFrom-Json
+   $activities += m365 purview auditlog list --contentType DLP --startTime ((Get-date).adddays(-$days) | Get-Date -uFormat '%Y-%m-%d') --endTime ((Get-date).adddays(-($days-1)) | Get-Date -uFormat '%Y-%m-%d') --output 'json' | ConvertFrom-Json
+   $activities += m365 purview auditlog list --contentType Exchange --startTime ((Get-date).adddays(-$days) | Get-Date -uFormat '%Y-%m-%d') --endTime ((Get-date).adddays(-($days-1)) | Get-Date -uFormat '%Y-%m-%d') --output 'json' | ConvertFrom-Json
+   $activities += m365 purview auditlog list --contentType General --startTime ((Get-date).adddays(-$days) | Get-Date -uFormat '%Y-%m-%d') --endTime ((Get-date).adddays(-($days-1)) | Get-Date -uFormat '%Y-%m-%d') --output 'json' | ConvertFrom-Json
+ }
+ 
+if($activity.SiteUrl ){#-and $activity.SiteUrl
+   if($activity.SiteUrl.ToLower() -eq $SiteUrl)    #-$activity.UserId.ToLower() -eq $userId
+ {  
+    $logCollection += $activity
+ }
+}
+$days = $days - 1
+}
+$activities | sort-object "Operation" |Export-CSV $OutPutView -Force -NoTypeInformation
+ ```
+
+[!INCLUDE [More about CLI for Microsoft 365](../../docfx/includes/MORE-CLIM365.md)]
+
 > [!Note]
-> SharePoint admin rights are required to run the script
+> SharePoint admin rights are required to run the script ,
 
-[!INCLUDE [More about PnP PowerShell](../../docfx/includes/MORE-PNPPS.md)]
+> [!Note]
+> You may encounter error Error: The permission set (ActivityFeed.Read ServiceHealth.Read) sent in the request does not include the expected permission with contentType DLP and be mindful of the amount of data returned from a large tenant which may cause memory issues or lack of disk space to save the log file.
 
 ***
 
 ## Source Credit
 
-Sample first appeared on [Unveiling Audit Logs with PnP PowerShell](https://reshmeeauckloo.com/posts/powershell-get-log-sharepoint-dlp-exchange-entra-pnpunifiedlog/)
+Sample first appeared on [Unveiling Audit Logs with PnP and Cli for M365 PowerShell](https://reshmeeauckloo.com/posts/powershell-get-log-sharepoint-dlp-exchange-entra-pnpunifiedlog/)
 
 ## Contributors
 

diff --git a/scripts/m365-get-unifiedlog-spo-dlp-exchange-entra/assets/sample.json b/scripts/m365-get-unifiedlog-spo-dlp-exchange-entra/assets/sample.json
@@ -9,7 +9,7 @@
       "Audit Logs offer a wealth of information, and in this script focus on leveraging the Office 365 Management Activity API reference. It is a great alternative if you are only a SharePoint Administrator with no global admin or Purview Audit logs access."
     ],
     "creationDateTime": "2024-01-27",
-    "updateDateTime": "2024-01-27",
+    "updateDateTime": "2024-02-10",
     "products": [
       "SharePoint",
       "DLP",
@@ -20,6 +20,10 @@
       {
         "key": "PNP-POWERSHELL",
         "value": "2.2.0"
+      },
+      {
+        "key": "CLI-FOR-MICROSOFT365",
+        "value": "5.4.0"
       }
     ],
     "categories": [
@@ -30,7 +34,9 @@
       "modern",
       "Connect-PnPOnline",
       "Get-PnPTenantSite",
-      "Get-PnPUnifiedAuditLog"
+      "Get-PnPUnifiedAuditLog",
+      "m365 purview auditlog list",
+      "m365 login"
     ],
     "thumbnails": [
       {
@@ -53,6 +59,11 @@
         "name": "Want to learn more about PnP PowerShell and the cmdlets",
         "description": "Check out the PnP PowerShell site to get started and for the reference to the cmdlets.",
         "url": "https://aka.ms/pnp/powershell"
+      },
+      {
+        "name": "Want to learn more about CLI for Microsoft 365 and the commands",
+        "description": "Check out the CLI for Microsoft 365 site to get started and for the reference to the commands.",
+        "url": "https://aka.ms/cli-m365"
       }
     ]
   }