Search-UnifiedAuditLog returns nothing for half my tenants when connecting via SAM
I am able to connect to all of my tenants' Exchange Online instances via PowerShell using the Secure Application Model. All commands that I've tested seem to work fine; the only exception to this, it seems, is the "Search-UnifiedAuditLog" command, which imports but returns nothing.
I set up a script to loop through all of my tenants' Exchanges (below), and out of around 90 tenants, only 40 were able to retrieve data when running the "Search-UnifiedAuditLog" command.
- This wasn't always the case, I used to be able to retrieve logs for these clients.
- The clients that are now unable to pull data are consistently broken.
- I have tested this on both PowerShell 5 and 7.
- If I connect via delegated access in the EXOv2 module, it works fine.
- I get the same result if I remove the "-AllowClobber -CommandName" switches.
I have no idea how to troubleshoot this issue further; any help would be appreciated.
The output of the script:
The script to cycle through all clients:
```powershell
$upn = "my@email.com"
$PartnerEXRT = "ExchangeRefreshTokenFromPartnerTenant"
# Refresh-token grant for an Exchange Online access token
$body = @{
    "scope"         = "https://outlook.office365.com/.default"
    "grant_type"    = "refresh_token"
    "refresh_token" = $PartnerEXRT
}
# Counters for the summary at the end
$success = 0
$failure = 0
# $customers is populated earlier (not shown in the post)
foreach ($customer in $customers.companyProfile) {
    # Drop any session left over from the previous tenant
    Get-PSSession | Remove-PSSession
    $data = $null
    # Request a token scoped to this customer's tenant
    $uri = "https://login.microsoftonline.com/$($customer.tenantId)/oauth2/token/"
    $token = (Invoke-RestMethod $uri -Method 'post' -Body $body).access_token
    $tokenValue = ConvertTo-SecureString "Bearer $token" -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=asdf&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection
    Import-PSSession $session -AllowClobber -CommandName Get-AcceptedDomain, Search-UnifiedAuditLog
    # Search the last day of audit records
    $days = 1
    $SessionId = Get-Date -Format 'mmss'
    $startDate = (Get-Date).AddDays(-$days)
    $endDate = (Get-Date)
    $data = Search-UnifiedAuditLog -SessionId $SessionId -StartDate $startDate -EndDate $endDate -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($data) {
        Write-Host "Success for $($customer.companyName), $($data.count) logs retrieved" -ForegroundColor Green
        $success += 1
    } else {
        Write-Host "failure for $($customer.companyName)" -ForegroundColor Red
        $failure += 1
    }
}
Write-Host "Total successes: $success" -ForegroundColor Green
Write-Host "Total failures: $failure" -ForegroundColor Red
```
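The loop in the script above reports "failure" both when the search call errors and when it completes with zero records. As an added example (not part of the original post), the helper below records those two outcomes separately per tenant; `Test-AuditSearch` and the sample tenants are hypothetical, and the script blocks are constructed stand-ins for the real `Search-UnifiedAuditLog` call.

```powershell
# Added example, not from the original post. Test-AuditSearch is a hypothetical
# helper; the tenants and script blocks below are constructed sample input.
function Test-AuditSearch {
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        # Script block that runs the audit search for this tenant
        [Parameter(Mandatory)] [scriptblock] $Search
    )
    $result = [ordered]@{ Tenant = $TenantName; Status = $null; Count = 0; Detail = '' }
    try {
        # @() gives a real count for zero or one record; nulls are filtered out
        $rows = @(& $Search | Where-Object { $null -ne $_ })
        $result.Count = $rows.Count
        $result.Status = if ($rows.Count -gt 0) { 'Data' } else { 'Empty' }
    }
    catch {
        # A failed call is recorded separately from a call that returned no rows
        $result.Status = 'Error'
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Constructed stand-ins: one tenant returns records, one returns nothing,
# one throws (as a cmdlet called with -ErrorAction Stop does on failure).
$samples = [ordered]@{
    'Contoso (constructed)'  = { 1..3 | ForEach-Object { [pscustomobject]@{ Id = $_ } } }
    'Fabrikam (constructed)' = { }
    'Tailspin (constructed)' = { throw 'Access denied (constructed error)' }
}

$report = foreach ($name in $samples.Keys) {
    Test-AuditSearch -TenantName $name -Search $samples[$name]
}

# Per-tenant outcome, then totals per status
$report | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

Inside the tenant loop, the script block would wrap the real call with `-ErrorAction Stop` added, so that a non-terminating error reaches the `catch` block instead of leaving an empty result.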
Well, Microsoft wouldn't solve it, but Kelvin from CyberDrain will.
This new module of his solved my issues.
https://www.cyberdrain.com/automating-with-powershell-faster-exchange-powershell-commands/
I have a mix; there doesn't seem to be a correlation between the clients with P1 and clients that do and don't work.
I am able to retrieve logins for clients using the Graph API, but obviously that only works for clients with premium.
Do your tenants have Azure AD Premium P1 or P2 licenses?
