I'm working on a PowerShell scripting task for auditing purposes in a large enterprise setup with Active Directory and Exchange Online. My goal is to extract information about outbound emails sent by users in a specific AD group. I need details on emails that meet the following criteria: they must have a classification label of "Official" or "Official: Sensitive," be sent to external recipients (like gmail.com, outlook.com, etc.), and fall within the date range of March 2 to March 6, 2026. The specific data points I need include the sender's email address, recipient's email address, external domain, date/time sent, classification label, message size (if available), and confirmation that the message is outbound. One challenge I'm facing is that the AD group has about 3,000 members, including nested groups, which makes direct querying in PowerShell potentially slow or unreliable. I want advice on the best approach and cmdlets to use, as well as performance optimization tips, especially when it comes to filtering by classification and external recipients. I'm mainly looking for design strategies and best practices before getting into the actual coding.
3 Answers
If you're specifically looking for info like the one you need, consider using a Purview content search. It can help capture many of the requirements you listed, although it may not work on-premises. Still worth checking out!
For auditing outbound emails, you might want to check the audit log in Microsoft Purview. You can search for events like Send, SendAs, or SendOnBehalf right from the admin center. This can be initiated with PowerShell commands, which might save you some time and effort.
What have you tried so far? It sounds like you’ve hit some bumps in your current approach. From what you've described, managing a large number of audit records can be tedious but ensuring you filter correctly from the start might alleviate some latency issues.
I've implemented paging and split the queries by day to avoid hitting the 50k cap. However, I still run into heavy throttling and often end up with incomplete datasets.
That's a good point! I’ve also encountered clients who’ve faced similar challenges. Using management APIs can help too, as Search-UnifiedAuditLog might halt your queries if they're too complex. I'd recommend trying out the APIs for better efficiency.