Forum Discussion

Abelokobylka's avatar
Abelokobylka
Copper Contributor
Apr 22, 2025

SharePoint Activity w/PowerShell vs Purview

Hello everyone, 

Any insight would be very helpful; I am doing a huge companywide SharePoint clean. Most of them are Microsoft 365 groups so later I will need to check mailbox activity, OneNote, Teams, Yammer and so forth. 

For now, I am looking over the SharePoint activity. 

Snippet of PowerShell:

 

    $results = Search-UnifiedAuditLog `

        -StartDate $startDate `

        -EndDate $endDate `

        -RecordType SharePoint `

        -ObjectId $siteUrl `

 

As shown above I am checking all SharePoint activity. I am not filtering by ANY operation so in theory it should show me all "Operations". However, I am beginning to think there may be limitations to "Operations". One site for example only showed "GroupUpdated" operations for a specific site when I ran the PowerShell script but when I run the same audit on Microsoft Purview this same site shows more entries with for example "Added user or group to SharePoint group".

 

In the snippet of PowerShell above I am excluding "-ResultSize 5000". I understand that the limitation is a result of 5000. When I discovered "-ObjectId $siteUrl" I began to receive an error regarding ResultSize so I no longer include it. Even the most popular sites only show a max of 100 entries. I am assuming how it works is I am pulling 5000 results and then it is filtered by the "ObjectId".

 

I have two suspicions:

  1. Because the result size is so small it is possible that I am missing info for each site because there have been well over 5000 actions across all sites in the last 180 days. I may consider changing the code to rerun itself individually for each day or few days samples. Then again for the few days before those days. Basically, to be able to pull all entries for the last 180 days but splitting it into multiple runs where I feed different dates in. Not necessarily an issue but does not feel like it would be the best idea. There has to be a better way. Another potential idea I had was filtering by operations, like "PageViewed" to track SharePoint activity. 
  2. There may be a limitation to the operations available to retrieving activity when running a script. However, I believe this is less likely since from everything I have seen there is more info/data overall available with PowerShell over Microsoft Purview.

Please let me know your thoughts! 

 

 

admin
developer
Microsoft365
SharePoint Online
Sites
Usage
No RepliesBe the first to reply

Resources