OfficeDev / O365-InvestigationTooling

MIT License
574 stars 361 forks source link

InactiveUsersLast90Days.ps1 - limit of 5000 audit log items #80

Open joeljeffery opened 4 years ago

joeljeffery commented 4 years ago

This script only shows a list of users that have not logged in for 90 days or more if your tenancy happens to have fewer than 5000 matching audit log entries for the following actions over the last 90 days: UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed.

$loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000

In any reasonably active tenancy, you're going to get mainly false positives.

You need to batch these requests.