This post is a contribution from Manish Joshi, an engineer with the SharePoint Developer Support team
The following blog post demonstrates the steps to retrieve granular user action or usage reports using the Search-UnifiedAuditLog commandlet.
1. Browse to https://protection.office.com.
In the left pane, click Search & investigation, and then click Audit log search
Note: You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization. It will take couple of hours before you are able to see log results in UI or via code.
2. Browse to https://outlook.office365.com/ecp/
a. Under permissions – go to admin role
b. Create a new role, called AuditReportRole
c. Assign following Roles:
i. Audit Logs
ii. View-Only Audit Logs
d. Add Members
Add users (for e.g: email@example.com)
e. Write-Scope --> Default
In the screenshot below. I am creating a new admin role called “AuditReportRole”, assigning minimum required permissions “Audit Logs” and “View-Only Audit Logs” and granting a user “Garth Fort” permission to be able to access the Usage reports.
3. Use following powershell script, please make changes as per your environment and this will generate .csv file for each user with the actions they have undertaken for last 7 days.
4. Sample CSV output
5. Please also go thru following articles to better understand the Audit log concept and detailed properties that can be retrieved: