The following privileges / roles are required in the Azure AD tenant and Exchange Online instance:

  • Azure AD tenant: Global Reader (“Lecteur Général”) role.

  • Exchange Online environment: View-Only Audit Logs role (“Journaux d’audit en affichage seul”). This role is granted by default to the Compliance Management and Organization Management role groups, to which members can be assigned. Members can be added to these groups through the Exchange administration portal.

    If the required rights are not correctly granted to the user conducting the log collection, the Search-UnifiedAuditLog cmdlet is not exposed to the session and the following error is raised:

    Search-UnifiedAuditLog : The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    
  • Azure subscription (for retrieving Azure Activity logs for the given subscription): Log Analytics Reader role.

  • Azure DevOps organization (for retrieving Azure DevOps Activity logs for the given Azure DevOps organization): Auditing\View audit log permission.

Note that accessing Azure AD logs through the MS Graph API requires at least one user in the tenant with an Azure AD Premium P1 or Azure AD Premium P2 license. These licenses can be included in other license plans, such as Microsoft 365 E3 / E5 / F3. The user to which the license is assigned does not matter.
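A pre-flight script that verifies the rights listed above before starting a collection, added here as an example and not part of the project. It assumes the ExchangeOnlineManagement, Microsoft.Graph and Az.Resources modules are installed and that Connect-ExchangeOnline, Connect-MgGraph and Connect-AzAccount have already been run; the account name and subscription id are placeholders.

```powershell
# Added pre-flight check (example code, not the project's own).
# Replace the placeholder values below with the collection account and subscription.
$upn = 'analyst@contoso.example'                    # placeholder: collection account UPN
$subscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder subscription id

# 1. Exchange Online: Search-UnifiedAuditLog is only exposed to a session whose account
#    holds a role granting it (View-Only Audit Logs); its absence is exactly the
#    "not recognized" error quoted above.
if (-not (Get-Command -Name Search-UnifiedAuditLog -ErrorAction SilentlyContinue)) {
    Write-Warning "Search-UnifiedAuditLog unavailable: '$upn' lacks the View-Only Audit Logs role."
} else {
    Write-Host "[OK] Search-UnifiedAuditLog is available in this session."
}

# 2. Exchange Online: show who effectively holds the role (directly or via a role group),
#    so a missing assignment can be traced back to Compliance/Organization Management.
Get-ManagementRoleAssignment -Role 'View-Only Audit Logs' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -like "*$($upn.Split('@')[0])*" } |
    Select-Object Role, RoleAssigneeName, EffectiveUserName |
    Format-Table -AutoSize

# 3. Azure AD: membership of the Global Reader directory role (via Microsoft Graph).
#    The role object only exists once it has been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Reader'"
if ($null -eq $role) {
    Write-Warning "Global Reader role is not activated in this tenant."
} else {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $isReader = $members | Where-Object {
        $_.AdditionalProperties['userPrincipalName'] -eq $upn
    }
    if ($isReader) { Write-Host "[OK] '$upn' is a Global Reader." }
    else { Write-Warning "'$upn' is not a member of Global Reader." }
}

# 4. Azure subscription: Log Analytics Reader, needed for Azure Activity log retrieval.
$laReader = Get-AzRoleAssignment -SignInName $upn -RoleDefinitionName 'Log Analytics Reader' `
    -Scope "/subscriptions/$subscriptionId" -ErrorAction SilentlyContinue
if ($laReader) { Write-Host "[OK] '$upn' holds Log Analytics Reader on the subscription." }
else { Write-Warning "'$upn' has no Log Analytics Reader assignment on $subscriptionId." }
```

The Azure DevOps "Auditing\View audit log" permission has no PowerShell cmdlet in these modules and must still be checked in the DevOps organization settings.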
