Microsoft 365 – Exchange Online : resolving error – Search-UnifiedAuditLog : The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program – permission issue
Greetings for the day !!!
Today new issue and solution !!!
Details / Background
- We are writing PowerShell script to fetch the audit logs
- We are using “Search-UnifiedAuditLog” CMDLET for fetching the respective audit logs based on parameters
Search-UnifiedAuditLog -EndDate <ExDateTime> -StartDate <ExDateTime> [-Formatted] [-FreeText <String>] [-IPAddresses <String>] [-ObjectIds <String>] [-Operations <String>] [-RecordType <AuditRecordType>] [-ResultSize <Int32>] [-SessionCommand <UnifiedAuditSessionCommand>] [-SessionId <String>] [-SiteIds <String>] [-UserIds <String>] [<CommonParameters>]
- We have latest version of “ExchangeOnlineManagement” module is installed
- In PowerShell script we could successfully import “ExchangeOnlineManagement“
- We could successfully connect with Exchange Online using CMDLET – Connect-ExchangeOnline with the account which we are using
- But still we have an error
Issue / Error
Search-UnifiedAuditLog : The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:1
- CategoryInfo : ObjectNotFound: (Search-UnifiedAuditLog:String) , CommandNotFoundException
- FullyQualifiedErrorId : CommandNotFoundException
Solution / Cause of an error
- As mentioned above as well we have latest version of “ExchangeOnlineManagement” module is installed and we could successfully import “ExchangeOnlineManagement“
- Then this was the permission issue – account which we are using to execute the cmdlet – “Search-UnifiedAuditLog” don’t have permissions
- With the help of Global Admin account we can find the permissions required to execute this CMDLET using Get-ManagementRole as
PS C:\> Get-ManagementRole -Cmdlet Search-UnifiedAuditLog Name RoleType ---- -------- Audit Logs AuditLogs View-Only Audit Logs ViewOnlyAuditLogs PS C:\>
- This means to fetch the audit logs (executing – “Search-UnifiedAuditLog“) our user should be part of group which has role assigned either “Audit Logs” OR “View-Only Audit Logs”
- To grant the user required permissions, we need to add user into a role group which contains “Audit Logs” or “View-Only Audit Logs” such as “View-Only Organization Management”
- We could add user to respective role group either by using PowerShell or Exchange Online admin center
Add user to respective Exchange role group using PowerShell
Add-RoleGroupMember <Role Group Name> -Member <User> Add-RoleGroupMember "View-Only Organization Management" -Member "email@example.com"
Add user to respective Exchange role group from Exchange online admin center
- Navigate to Exchange admin center – either through M365 admin center – https://admin.microsoft.com/#/homepage or directly through Exchange admin center URL – https://admin.exchange.microsoft.com/
- From left blade, navigate to Roles >> Admin roles
- Find the Role Group in which we need to add user
- As shown in below fig, in middle tab “Assigned“, click on “+Add” link to add the user
- Search the user which we need to add
- Once user have respective permissions, he/she will be able to successfully execute the command
Thanks for reading!!! Please feel free to discuss in case any questions / suggestions / thoughts !!!
HAVE A GREAT TIME AHEAD !!! LIFE IS BEAUTIFUL 🙂