Microsoft 365 – Exchange Online : resolving error – Search-UnifiedAuditLog : The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program – permission issue

Hi All,
Greetings for the day !!!
Today new issue and solution !!!
Details / Background
- We are writing a PowerShell script to fetch the audit logs
- We are using the “Search-UnifiedAuditLog” cmdlet to fetch the respective audit logs based on parameters
    Search-UnifiedAuditLog
        -EndDate <ExDateTime>
        -StartDate <ExDateTime>
        [-Formatted]
        [-FreeText <String>]
        [-IPAddresses <String[]>]
        [-ObjectIds <String[]>]
        [-Operations <String[]>]
        [-RecordType <AuditRecordType>]
        [-ResultSize <Int32>]
        [-SessionCommand <UnifiedAuditSessionCommand>]
        [-SessionId <String>]
        [-SiteIds <String[]>]
        [-UserIds <String[]>]
        [<CommonParameters>]
- We have the latest version of the “ExchangeOnlineManagement” module installed
- In the PowerShell script we could successfully import “ExchangeOnlineManagement”
- We could successfully connect to Exchange Online using the cmdlet Connect-ExchangeOnline with the account we are using
- But we still get an error
Issue / Error

    Search-UnifiedAuditLog : The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
    that the path is correct and try again.
    At line:1 char:1
    + Search-UnifiedAuditLog
    + ~~~~~~
        + CategoryInfo          : ObjectNotFound: (Search-UnifiedAuditLog:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
Solution / Cause of an error
- As mentioned above, we have the latest version of the “ExchangeOnlineManagement” module installed and we could successfully import it
- So this was a permission issue: the account we are using to execute the cmdlet “Search-UnifiedAuditLog” doesn't have the required permissions. Exchange Online only makes available the cmdlets that the connected account's roles allow, which is why the cmdlet shows up as “not recognized”
- With the help of a Global Admin account we can find the roles required to execute this cmdlet using Get-ManagementRole:
    PS C:\> Get-ManagementRole -Cmdlet Search-UnifiedAuditLog

    Name                 RoleType
    ----                 --------
    Audit Logs           AuditLogs
    View-Only Audit Logs ViewOnlyAuditLogs

    PS C:\>

- This means that to fetch the audit logs (executing “Search-UnifiedAuditLog”) our user should be a member of a role group that has either the “Audit Logs” or the “View-Only Audit Logs” role assigned
- To grant the user the required permissions, we need to add the user to a role group which contains “Audit Logs” or “View-Only Audit Logs”, such as “View-Only Organization Management”
- We can add the user to the respective role group either by using PowerShell or the Exchange Online admin center
Add user to respective Exchange role group using PowerShell
    Add-RoleGroupMember <Role Group Name> -Member <User>
    Add-RoleGroupMember "View-Only Organization Management" -Member "prasham@knowledgejunction1.onmicrosoft.com"
Add user to respective Exchange role group from Exchange online admin center
- Navigate to the Exchange admin center, either through the M365 admin center (https://admin.microsoft.com/#/homepage) or directly through the Exchange admin center URL (https://admin.exchange.microsoft.com/)
- From the left blade, navigate to Roles >> Admin roles
- Find the role group to which we need to add the user
- In the middle tab “Assigned”, click on the “+Add” link to add the user
- Search for the user we need to add
- Once the user has the respective permissions, he/she will be able to successfully execute the command
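
The role lookup and the final check described above can be scripted. This is an added example, not code from the original post: it lists every role group that carries a role containing the cmdlet, together with how many roles each group grants in total, and provides a check for whether the cmdlet is loaded in the current session. The function names and the admin UPN are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed; $AdminUpn is a placeholder for an Exchange admin account.
$AdminUpn = 'admin@contoso.onmicrosoft.com'
$Cmdlet   = 'Search-UnifiedAuditLog'

function Get-RoleGroupsForCmdlet {
    param([Parameter(Mandatory)][string]$Name)
    # Management roles that contain the cmdlet ("Audit Logs", "View-Only Audit Logs")
    foreach ($role in @(Get-ManagementRole -Cmdlet $Name)) {
        # Regular (non-delegating) assignments of that role to role groups,
        # collected first so no second cmdlet runs inside an open pipeline
        $assignments = @(Get-ManagementRoleAssignment -Role $role.Name `
                -RoleAssigneeType RoleGroup -Delegating $false)
        foreach ($a in $assignments) {
            $group = Get-RoleGroup -Identity $a.RoleAssigneeName
            [pscustomobject]@{
                Role         = $role.Name
                RoleGroup    = $group.Name
                RolesInGroup = @($group.Roles).Count     # how much else the group grants
                Members      = @($group.Members).Count
            }
        }
    }
}

function Test-CmdletLoaded {
    param([Parameter(Mandatory)][string]$Name)
    # Exchange Online loads only the cmdlets the connected account's roles allow,
    # so $false here means the account still lacks a role containing the cmdlet.
    [bool](Get-Command -Name $Name -ErrorAction SilentlyContinue)
}

# Admin session: list candidate role groups, narrowest first
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
Get-RoleGroupsForCmdlet -Name $Cmdlet |
    Sort-Object RolesInGroup, RoleGroup |
    Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false

# After Add-RoleGroupMember: reconnect as the audited user, then check
# Connect-ExchangeOnline -UserPrincipalName <User>
# Test-CmdletLoaded -Name $Cmdlet
```

Choosing the group with the smallest RolesInGroup that still contains “View-Only Audit Logs” keeps the account's access limited to what the audit script needs.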
Thanks for reading!!! Please feel free to discuss in case any questions / suggestions / thoughts !!!
HAVE A GREAT TIME AHEAD !!! LIFE IS BEAUTIFUL 🙂