param(
    ## -debug  : record a transcript of this run (Start-Transcript is called further down)
    [switch]$debug,
    ## -csv    : also export the retrieved audit records to the CSV file named in $outputFile
    [switch]$csv,
    ## -prompt : ask the operator to confirm the connected account and pause before querying
    [switch]$prompt
)
<#CIAOPS
Script provided as is. Use at own risk. No guarantees or warranty provided.
Description - Report directory audit for tenant
Source - https://github.com/directorcia/Office365/blob/master/graph-diraudit-get.ps1
Documentation - https://github.com/directorcia/Office365/wiki/Report-directory-activity-in-a-tenant
Prerequisites = 1
1. Ensure the MS Graph module is installed
If you find value in this script please support the author of these scripts by:
- https://ko-fi.com/ciaops
or
- becoming a CIAOPS Patron: https://www.ciaops.com/patron
#>
## Variables
## Console colours for the different classes of message
$systemmessagecolor = "cyan"
$processmessagecolor = "green"
$errormessagecolor = "red"
$warningmessagecolor = "yellow"
## CSV export target, only written when -csv is supplied.
## Note the "..\" prefix: the file is created in the PARENT of the current directory.
$outputFile = "..\graph-diraudit.csv"

if ($debug) {
    ## -debug: keep a transcript of the run in the CURRENT directory.
    ## Start-Transcript is called without -Append, so the file is overwritten on each run.
    ## The transcript captures what the script prints, including the connected account
    ## and the audit table, so it should be stored and shared as sensitive data.
    Write-Host "Script activity logged at .\graph-diraudit-get.txt"
    Start-Transcript -Path ".\graph-diraudit-get.txt" | Out-Null
}
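Clear-Host
Write-Host -ForegroundColor $systemmessagecolor "Tenant directory audit report script - Started`n"

## Connect with read-only delegated scopes for audit logs and directory data.
Write-Host -ForegroundColor $processmessagecolor "Connect to MS Graph"
$scopes = "AuditLog.Read.All", "Directory.Read.All"
Connect-MgGraph -Scopes $scopes -NoWelcome | Out-Null
$graphcontext = Get-MgContext

## Get-MgContext returns nothing when no session exists (sign-in failed or was cancelled).
## Stop here instead of sending a request that cannot succeed.
if ($null -eq $graphcontext) {
    Write-Host -ForegroundColor $errormessagecolor "`n[002] No Graph connection established. Script terminated"
    if ($debug) { Stop-Transcript | Out-Null }
    exit 1
}

## NOTE(review): without -prompt the account is only displayed, never confirmed.
## When working across several tenants, check this line before trusting the report.
Write-Host -ForegroundColor $processmessagecolor "Connected account =", $graphcontext.Account

if ($prompt) {
    ## Keep asking until something is typed; an empty answer is not treated as "yes".
    do {
        $response = Read-Host -Prompt "`nIs this correct? [Y/N]"
    } until (-not [string]::IsNullOrEmpty($response))

    ## -ne is case-insensitive, so this accepts both "Y" and "y" and rejects anything else.
    if ($response -ne "Y") {
        Disconnect-MgGraph | Out-Null
        Write-Host -ForegroundColor $warningmessagecolor "`n[001] Disconnected from current Graph environment. Re-run script to login to desired environment"
        ## Close the transcript on this exit path too, otherwise it stays open in the session.
        if ($debug) { Stop-Transcript | Out-Null }
        exit 1
    }
    Write-Host
    Read-Host -Prompt "`n[PROMPT] -- Press Enter to continue"
}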
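# Get all records from directory audit
# https://learn.microsoft.com/en-us/graph/api/directoryaudit-list?view=graph-rest-1.0&tabs=http
## NOTE(review): the request goes to the /beta endpoint although the reference above is for v1.0.
## Confirm that beta is intended before relying on this output for reporting.
$Url = "https://graph.microsoft.com/beta/auditLogs/directoryaudits"
Write-Host -ForegroundColor $processmessagecolor "Make Graph request for audit records"
try {
    ## Graph returns the list one page at a time. Follow @odata.nextLink until it is absent,
    ## otherwise only the first page is reported and later activity is silently missing.
    ## -OutputType PSObject yields objects with real properties; the default output is a
    ## hashtable, which Select-Object and Export-Csv do not read as record fields.
    $nextUrl = $Url
    $results = @(
        while (-not [string]::IsNullOrEmpty($nextUrl)) {
            $page = Invoke-MgGraphRequest -Uri $nextUrl -Method GET -OutputType PSObject
            $page.value
            $nextUrl = $page.'@odata.nextLink'
        }
    )
}
catch {
    Write-Host -ForegroundColor $errormessagecolor "`n"$_.Exception.Message
    ## Close the transcript on the failure path as well.
    if ($debug) { Stop-Transcript | Out-Null }
    ## Exit non-zero so a scheduler or calling script can tell the audit pull failed.
    exit 1
}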
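# Output the directory audit records (six summary columns only)
$results |
    Select-Object Loggedbyservice, Activitydisplayname, Result, Operationtype, Category, Activitydatetime |
    Format-Table -AutoSize

if ($csv) {
    ## The export writes every property of each record, not just the columns shown above.
    ## The file is created in the parent directory (see $outputFile) and an existing file is
    ## overwritten. It is an audit trail of the tenant, so restrict who can read it.
    ## NOTE(review): field values are written as-is. Text that originates from directory objects
    ## (display names and similar) may start with "=", "+", "-" or "@"; review the file before
    ## opening it in a spreadsheet that evaluates formulas.
    Write-Host -ForegroundColor $processmessagecolor "`nOutput to CSV", $outputFile
    $results | Export-Csv $outputFile -NoTypeInformation
}

## The closing banner now names this script; it previously said "Graph devices script".
Write-Host -ForegroundColor $systemmessagecolor "`nTenant directory audit report script - Finished"

## NOTE(review): the Graph session is left connected on this path; run Disconnect-MgGraph
## afterwards if the workstation is shared.
if ($debug) {
    Stop-Transcript | Out-Null
}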