I'm seeking advice on a PowerShell scripting task for auditing purposes in a large enterprise with an Active Directory and Exchange Online hybrid setup. My goal is to extract data on outbound emails sent by members of a specific AD group. I have some criteria to meet: only emails labeled "Official" or "Official: Sensitive" and sent to external recipients like gmail.com or outlook.com during the date range of March 2 to March 6, 2026. The data I need includes sender and recipient email addresses, external domains, date and time sent, classification labels, message sizes (if available), and confirmation that the emails are outbound.
I anticipate some challenges, particularly since the AD group has around 3000 members, and it contains nested groups, which means I need to account for indirect memberships. After gathering the members, querying email activity could become inefficient. I'm curious about the best approach for this audit, whether I should avoid looping through AD users, and how to effectively utilize cmdlets like MessageTrace and Unified Audit Log while considering performance optimization for large datasets. Any insights, especially from those with experience in large-scale auditing and reporting, would be greatly appreciated!
1 Answer
You could utilize the Purview audit log to search for Send, SendAs, or SendOnBehalf events. Setting it up in the admin center can help streamline searches via PowerShell when needed, which might save time and reduce manual filtering!

I recommend going with the Management API instead. I found it more reliable for handling queries—Search-UnifiedAuditLog might halt processing if queries are considered too heavy.
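As an added example (not code from the question or either reply above), the script below shows the two pieces the question is really asking about: resolving nested AD group membership without looping over users, and pulling outbound message-trace rows for those senders in batches. The group name, the date range and the external domain list are assumptions taken from the question; the output columns are the real properties `Get-MessageTrace` returns (`SenderAddress`, `RecipientAddress`, `Received`, `Size`, `Status`, `MessageId`). Message trace does not expose sensitivity or classification labels, so that filter is deliberately not implemented here and would have to be joined from the Purview audit records the answer mentions.

```powershell
# Added example: audit outbound mail from members of a nested AD group.
# Assumed values: $GroupName, $ExternalDomains and the dates come from the question.
Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement

$GroupName       = 'Audit-Scope-Group'            # assumption: the AD group named in the question
$ExternalDomains = @('gmail.com', 'outlook.com')  # external recipient domains of interest
$StartDate       = Get-Date '2026-03-02'
$EndDate         = Get-Date '2026-03-07'          # covers all of 2 March through 6 March
$BatchSize       = 100                            # senders per Get-MessageTrace call

# 1. Transitive membership in a single LDAP query using LDAP_MATCHING_RULE_IN_CHAIN
#    (OID 1.2.840.113556.1.4.1941). This walks nested groups server-side, so there is
#    no Get-ADGroupMember -Recursive followed by one Get-ADUser call per member.
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$filter  = "(&(objectCategory=person)(mail=*)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
$senders = Get-ADUser -LDAPFilter $filter -Properties mail |
    Select-Object -ExpandProperty mail |
    ForEach-Object { $_.ToLower() } |
    Sort-Object -Unique

# Internal domains are derived from the senders themselves so the "outbound"
# decision below is explicit rather than assumed.
$internalDomains = $senders | ForEach-Object { ($_ -split '@')[1] } | Sort-Object -Unique

Connect-ExchangeOnline -ShowBanner:$false

# 2. Query message trace one sender batch at a time, paging until a page is empty.
#    -SenderAddress accepts multiple values, which keeps the number of calls low.
$results = for ($i = 0; $i -lt $senders.Count; $i += $BatchSize) {
    $last  = [math]::Min($i + $BatchSize, $senders.Count) - 1
    $batch = $senders[$i..$last]
    $page  = 1
    do {
        $rows = @(Get-MessageTrace -SenderAddress $batch -StartDate $StartDate -EndDate $EndDate `
                                   -PageSize 5000 -Page $page)
        foreach ($row in $rows) {
            $senderDomain    = ($row.SenderAddress    -split '@')[1].ToLower()
            $recipientDomain = ($row.RecipientAddress -split '@')[1].ToLower()
            if ($ExternalDomains -notcontains $recipientDomain) { continue }

            [pscustomobject]@{
                Sender         = $row.SenderAddress
                Recipient      = $row.RecipientAddress
                ExternalDomain = $recipientDomain
                Received       = $row.Received
                SizeBytes      = $row.Size
                Status         = $row.Status
                MessageId      = $row.MessageId
                # Outbound = internal sender domain and a recipient domain that is not internal.
                IsOutbound     = ($internalDomains -contains $senderDomain) -and
                                 ($internalDomains -notcontains $recipientDomain)
            }
        }
        $page++
    } while ($rows.Count -gt 0)
}

# Classification label filtering ("Official", "Official: Sensitive") is not available from
# message trace output and is intentionally left out; join on MessageId against the
# Purview audit records if that is where the label data lives in your tenant.
$results | Export-Csv -Path .\outbound-external-audit.csv -NoTypeInformation
```

Two caveats on the trace side: `Get-MessageTrace` only reaches back about ten days, so a 2 to 6 March window has to be pulled while it is still inside that retention (otherwise `Start-HistoricalSearch` is the route), and the `-Page` loop is what keeps a 3000-sender query from being cut off at the default result size.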