From d376e44a845f5cd115bf542d4a2df4eab5ad4a27 Mon Sep 17 00:00:00 2001 From: reshmee011 Date: Fri, 23 Feb 2024 07:02:40 +0000 Subject: [PATCH 1/3] Updating the docs to specify that start and end time needs to be UTC --- documentation/Get-PnPUnifiedAuditLog.md | 28 ++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/documentation/Get-PnPUnifiedAuditLog.md b/documentation/Get-PnPUnifiedAuditLog.md index 9c22235a8..cbc24f476 100644 --- a/documentation/Get-PnPUnifiedAuditLog.md +++ b/documentation/Get-PnPUnifiedAuditLog.md @@ -17,6 +17,28 @@ online version: https://pnp.github.io/powershell/cmdlets/Get-PnPUnifiedAuditLog. Gets unified audit logs from the Office 365 Management API. Requires the Azure Entra application permission 'ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ActivityReports.Read', 'ServiceHealth.Read' and 'ThreatIntelligence.Read'. + +## Remarks + +:::info + +Before you can access audit log data, you must enable unified audit logging for your Microsoft 365 tenant. For instructions, check out the page [Turn auditing on or off](https://learn.microsoft.com/microsoft-365/compliance/audit-log-enable-disable). + +::: + +:::info + +When running this command for the first time for a certain content type, a subscription for this content type is created. It can take up to 12 hours for the first content blobs to become available for that subscription. + +::: + +:::tip + +Retrieving audit logs is an intensive process, especially for large or active tenants. In this case it may take some time to retrieve all audit logs. + +::: + + ## SYNTAX ```powershell @@ -32,7 +54,7 @@ Allows to retrieve unified audit logs from the Office 365 Management API. ### EXAMPLE 1 ```powershell -Get-PnPUnifiedAuditLog -ContentType SharePoint -StartTime (Get-Date).AddDays(-2) -EndTime (Get-Date).AddDays(-1) +Get-PnPUnifiedAuditLog -ContentType SharePoint -StartTime (Get-Date -asUtc).AddDays(-2) -EndTime (Get-Date -asUtc).AddDays(-1) ``` Retrieves the audit logs of SharePoint happening between the current time yesterday and the current time the day before yesterday @@ -56,7 +78,7 @@ Accept wildcard characters: False ``` ### -EndTime -End time of logs to be retrieved. Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart. If passed as a string this should be defined as a valid ISO 8601 string (2024-01-16T18:28:48.6964197Z). +UTC end time of logs to be retrieved. Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart. If passed as a string this should be defined as a valid ISO 8601 string (2024-01-16T18:28:48.6964197Z). If you don't include a timestamp in the value, the default timestamp is 12:00 AM (midnight) on the specified date. ```yaml Type: DateTime @@ -70,7 +92,7 @@ Accept wildcard characters: False ``` ### -StartTime -Start time of logs to be retrieved. Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. If passed as a string this should be defined as a valid ISO 8601 string (2024-01-16T18:28:48.6964197Z). +UTC start time of logs to be retrieved. Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. If passed as a string this should be defined as a valid ISO 8601 string (2024-01-16T18:28:48.6964197Z). If you don't include a timestamp in the value, the default timestamp is 12:00 AM (midnight) on the specified date. ```yaml Type: DateTime From 51e0233131c4561f455ba9c2c7c169a1a06b83f8 Mon Sep 17 00:00:00 2001 From: reshmee011 Date: Fri, 23 Feb 2024 07:06:37 +0000 Subject: [PATCH 2/3] Update audit log docs --- documentation/Get-PnPUnifiedAuditLog.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/documentation/Get-PnPUnifiedAuditLog.md b/documentation/Get-PnPUnifiedAuditLog.md index cbc24f476..f801707bc 100644 --- a/documentation/Get-PnPUnifiedAuditLog.md +++ b/documentation/Get-PnPUnifiedAuditLog.md @@ -17,28 +17,14 @@ online version: https://pnp.github.io/powershell/cmdlets/Get-PnPUnifiedAuditLog. Gets unified audit logs from the Office 365 Management API. Requires the Azure Entra application permission 'ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ActivityReports.Read', 'ServiceHealth.Read' and 'ThreatIntelligence.Read'. - ## Remarks -:::info - Before you can access audit log data, you must enable unified audit logging for your Microsoft 365 tenant. For instructions, check out the page [Turn auditing on or off](https://learn.microsoft.com/microsoft-365/compliance/audit-log-enable-disable). -::: - -:::info - When running this command for the first time for a certain content type, a subscription for this content type is created. It can take up to 12 hours for the first content blobs to become available for that subscription. -::: - -:::tip - Retrieving audit logs is an intensive process, especially for large or active tenants. In this case it may take some time to retrieve all audit logs. -::: - - ## SYNTAX ```powershell From 6598d24f8f2891dc7030482f95414e778d9bae0c Mon Sep 17 00:00:00 2001 From: reshmee011 Date: Fri, 23 Feb 2024 07:15:22 +0000 Subject: [PATCH 3/3] update docs --- documentation/Get-PnPUnifiedAuditLog.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/documentation/Get-PnPUnifiedAuditLog.md b/documentation/Get-PnPUnifiedAuditLog.md index f801707bc..b62d23611 100644 --- a/documentation/Get-PnPUnifiedAuditLog.md +++ b/documentation/Get-PnPUnifiedAuditLog.md @@ -17,8 +17,6 @@ online version: https://pnp.github.io/powershell/cmdlets/Get-PnPUnifiedAuditLog. Gets unified audit logs from the Office 365 Management API. Requires the Azure Entra application permission 'ActivityFeed.Read', 'ActivityFeed.ReadDlp', 'ActivityReports.Read', 'ServiceHealth.Read' and 'ThreatIntelligence.Read'. -## Remarks - Before you can access audit log data, you must enable unified audit logging for your Microsoft 365 tenant. For instructions, check out the page [Turn auditing on or off](https://learn.microsoft.com/microsoft-365/compliance/audit-log-enable-disable). When running this command for the first time for a certain content type, a subscription for this content type is created. It can take up to 12 hours for the first content blobs to become available for that subscription.