Search-UnifiedAuditLog

New Crucial Audit Events Added to Office 365

by Tony Redmond

Helping Investigators Understand What Happened In March, Microsoft eventually released the MailItemsAccessed “crucial audit event” for accounts holding Office 365 E5 licenses (other suitable licenses include Microsoft 365 E5 or the Microsoft 365 E5 compliance). Crucial events are deemed to be of higher value to investigators or others who need to understand exactly what happened… Read More

Identifying Obsolete Guest User Accounts in an Office 365 Tenant

with 2 Comments by Tony Redmond

Many Office 365 applications now create Azure Active Directory guest accounts. What's the best way to discover if the accounts are active and in use? This PowerShell script uses the Office 365 audit log and message trace data to figure out what guest accounts are active and outputs a CSV file for your review and analysis. Like any other PowerShell script, it can be adapted to suit your purposes.