Intune Audit Log Viewer – with filtering!

In an ideal world you would be alerted whenever someone messes your the environment and then if it’s unplanned, roll-back from your regular backup.

We all know, that this isn’t an ideal world and things happen, someone clicks delete on the wrong policy, changes assignment to the wrong group, anything can happen and often you only find out later on when someone reports an issue.

Fortunately Intune has Audit Logs built-in to the Tenant Admin blade, but the filtering is a bit limited and if it’s a busy environment, you’ll soon get sick of the Load More button (and the export misses loads of data)

To bridge the gaps, I have built a new PowerShell script to give you greater control.

As usual you can grab it from GitHub

Or from the PowerShell Gallery:

Install-Script -Name get-intune-auditevents

When running this script (after authenticating), it will grab EVERY audit event and present in a GridView with just the key details at this point

GridView output of Intune Audit logs

This gives you the advanced GridView filtering with multiple criteria, you can type an exact date, time, person, policy/app/whatever name or a combination of them all.

After that, make your selection (or selections, it supports multiple) and it will prompt for a file location and give you all of the details found in Graph, including what has been changed and in some cases, the content of deleted policies. Sadly you can’t grab the output and make a new policy directly, but it gives you something to work from.

Use this with a well configured backup script and most issues should be recoverable.

Leave a Comment