Collecting logs from various Microsoft Endpoints, like Entra, 365 Services, and Azure, can be a hassle sometimes. The Microsoft-Extractor-Suite module from Joey Rentenaar and Korstiaan Stam can help you with that! In this blog post, I will show you how to use it.
- What is the Microsoft-Extractor-Suite exactly?
- How to install
- Using the module
- Connect to your environment
- Microsoft 365 Examples
- Searching the Unified Audit Log for where a user is mentioned
- Retrieving the information from the Unified Audit Log for a specific user
- Searching for Inbox rules
- Azure and Entra ID Examples
- Wrapping up
What is the Microsoft-Extractor-Suite exactly?
“Microsoft Extractor Suite is a fully-featured, actively-maintained, Powershell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.”
Source: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/index.html (They made a great documentation website!) Also, check out the GitHub page for news, issues, etc., here: https://github.com/invictus-ir/Microsoft-Extractor-Suite
Supported sources
| Source | Description |
|---|---|
| Unified Audit Log | The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal. |
| Admin Audit Log | Administrator audit logging records when a user or administrator makes a change in your organization (in the Exchange admin center or by using cmdlets). |
| Mailbox Audit Log | Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. This tracks all user actions on any items in a mailbox. |
| Message Trace Log | The message tracking log contains messages as they pass through the organization. |
| OAuth Permissions | OAuth is a way of authorizing third-party applications to login into user accounts. |
| Inbox Rules | Inbox rules process messages in the inbox based on conditions and take actions such as moving a message to a specified folder or deleting a message. |
| Transport Rules | Transport rules take action on messages while they’re in transit. |
| Entra ID Sign-in log | Gets the Entra ID Sign-In log. |
| Entra ID Audit Log | Gets the Entra ID Audit log. |
| Azure Activity Log | Gets the Azure Activity log. |
| Azure Directory Activity Log | Gets the Azure Directory Activity log. |
Retrieve other relevant information
| Source | Description |
|---|---|
| MFA | Retrieves the MFA status for all users. |
| User Information | Retrieves the creation time and date of the last password change for all users. |
| Risky Users | Retrieves the risky users. |
| Risky Detections | Retrieves the risky detections from the Entra ID Identity Protection. |
| Conditional Access Policies | Retrieves all the conditional access policies. |
| Admin Users/Roles | Retrieves Administrator directory roles, including the identification of users associated with each specific role. |
| E-mails | Get a specific email. |
| Attachments | Get a specific attachment. |
| Devices | Retrieves information about all devices registered in Entra ID. |
| Delegated Permissions | Retrieves delegated permissions for all mailboxes in Microsoft 365. |
| Audit Log Settings | Retrieves audit status and settings for all mailboxes in Microsoft 365. |
| Group Information | Variety of functions designed to gather information about groups. |
| License Information | Variety of functions designed to gather information about licenses. |
| Role Activity | Retrieves all directory role memberships with last login information for users. |
| PIM Assignments | Generates a report of all Privileged Identity Management (PIM) role assignments in Entra ID. |
| Security Alerts | Retrieves security alerts, providing information about security incidents and threat |
How to install
The module is available in the PSGallery for you to download and install using:
```powershell
Install-Module Microsoft-Extractor-Suite -Scope CurrentUser
Import-Module -Name Microsoft-Extractor-Suite
```
After installation, these Cmdlets are available for you to use:

Using the module
Connect to your environment
Azure
You can use Connect-AzureAZ to connect to your Azure tenant and a specific subscription, for example:
```text
Please select the account you want to login with.

Retrieving subscriptions for the selection...
WARNING: To override which subscription Connect-AzAccount selects by default, use `Update-AzConfig -DefaultSubscriptionForLogin 00000000-0000-0000-0000-000000000000`. Go to https://go.microsoft.com/fwlink/?linkid=2200610 for more information.

[Tenant and subscription selection]

No  Subscription name                     Subscription ID                          Tenant name
--  ------------------------------------  ---------------------------------------  --------------------------
[1] * MPN                                 123-456-789-987-654321abcdef-ghiskm      PowerShellisfun
[2]   MVP                                 mksihg-fedcba123456-789-987-654-321      PowerShellisfun

The default is marked with an *; the default tenant is 'PowerShellisfun' and subscription is 'Visual Studio Enterprise Subscription – MPN - Harm Veenstra (123-456-789-987-654321abcdef-ghiskm)'.

Select a tenant and subscription (type a number or Enter to accept default):

[Announcements]
With the new Azure PowerShell login experience, you can select the subscription you want to use more easily. Learn more about it and its configuration at https://go.microsoft.com/fwlink/?linkid=2271909.
If you encounter any problem, please open an issue at: https://aka.ms/azpsissue
```
Alternatively, you can use Connect-AzAccount, too, depending on your needs.
Microsoft 365
You can use Connect-M365 to connect to your 365 services, for example:
```text
C:\Users\HarmVeenstra> Connect-M365
----------------------------------------------------------------------------------------
This V3 EXO PowerShell module contains new REST API backed Exchange Online cmdlets which doesn't require WinRM for Client-Server communication. You can now run these cmdlets after turning off WinRM Basic Auth in your client machine thus making it more secure.

Unlike the EXO* prefixed cmdlets, the cmdlets in this module support full functional parity with the RPS (V1) cmdlets.

V3 cmdlets in the downloaded module are resilient to transient failures, handling retries and throttling errors inherently.

REST backed EOP and SCC cmdlets are also available in the V3 module. Similar to EXO, the cmdlets can be run without WinRM basic auth enabled.

For more information check https://aka.ms/exov3-module

Starting with EXO V3.7, use the LoadCmdletHelp parameter alongside Connect-ExchangeOnline to access the Get-Help cmdlet, as it will not loaded by default.
```
Alternatively, you can use Connect-MgGraph or Connect-ExchangeOnline, too, depending on your needs.
Microsoft 365 Examples
Searching the Unified Audit Log for where a user is mentioned
This log contains the entries for all Office 365 events. Processing it takes some time, and it can be slower depending on how long (180 or 365 days) the audit logs are retained. For example, to search for everything for my user starting this month (August 1st until today, August 8th), you can use:
```powershell
Get-UALStatistics -UserIds harm.veenstra@powershellisfun.com -StartDate 1/8/2025 -EndDate 8/8/2025
```
This will take some time, about 5 minutes in this example:

The logs are saved in the Output folder below your working directory by default. It contains a logfile.txt with the same information as in the screenshot above, and the actual result of the query I did for my user account in the timeframe I specified, in CSV format:

This shows in which logs the user is mentioned and how many times. More information about parameters, etc., can be found here: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/M365/UnifiedAuditLog.html#show-available-log-sources-and-amount-of-logging
Retrieving the information from the Unified Audit Log for a specific user
Now that you know in which logs the user is mentioned, you can retrieve the information from those logs. For example, the command below retrieves all the Exchange information about my user for the last day (yesterday until now, August 8th):
```powershell
Get-UAL -UserIds harm.veenstra@powershellisfun.com -StartDate 7/8/2025 -EndDate 8/8/2025 -Group Exchange
```
This will take a few minutes, and the output will be saved in the Output folder in a new subfolder, UnifiedAuditlog, with a timestamp of the query:

This produced two CSV files, which look like this (I resized some columns for privacy reasons):


More information about Get-UAL can be found here: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/M365/UnifiedAuditLog.html#id1
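Once Get-UAL has written its CSV files, the next step is usually to turn them into a per-user, per-IP overview and pull out the operations that matter in a mailbox-compromise investigation. The script below is an added example, not code from the post or from the Microsoft-Extractor-Suite module; it assumes the export keeps the raw record as JSON in an `AuditData` column (the Search-UnifiedAuditLog layout) and that the files live under `.\Output\UnifiedAuditLog`.

```powershell
# Added example, not part of the Microsoft-Extractor-Suite module: triage the
# CSV files that Get-UAL wrote under .\Output\UnifiedAuditLog.
# Assumption: each row carries the raw record as JSON in an 'AuditData' column
# (the Search-UnifiedAuditLog layout); change the column name if your export differs.
param([string]$OutputRoot = '.\Output\UnifiedAuditLog')

$records = Get-ChildItem -Path $OutputRoot -Filter '*.csv' -Recurse |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    Where-Object { $_.AuditData } |
    ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Exchange records name the source address differently per record type
foreach ($r in $records) {
    $ip = if ($r.ClientIP) { $r.ClientIP } elseif ($r.ClientIPAddress) { $r.ClientIPAddress } else { 'n/a' }
    $r | Add-Member -NotePropertyName SourceIP -NotePropertyValue $ip -Force
}

# Operations that change where mail goes or who can read it (constructed watch list)
$watch = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
           'Add-MailboxPermission', 'Add-MailboxFolderPermission')

# Who did what, from where, how often: the baseline for the period
$records |
    Group-Object -Property UserId, Operation, SourceIP |
    Sort-Object -Property Count -Descending |
    Select-Object Count, @{ n = 'User / Operation / IP'; e = { $_.Name } } |
    Format-Table -AutoSize

# Watch-listed operations in time order, with their outcome
$records |
    Where-Object { $watch -contains $_.Operation } |
    Select-Object CreationTime, UserId, Operation, SourceIP, ResultStatus |
    Sort-Object -Property CreationTime |
    Format-Table -AutoSize
```

Save it as a .ps1 in the folder where you ran Get-UAL and run it after the export completes; the first table shows the normal pattern for the user, the second shows the configuration changes worth reading one by one.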
Searching for Inbox rules
When there are issues, it is always a good check to search for Inbox rules in Exchange mailboxes. In this example, I check all (don’t have many users in my tenants 😛) mailboxes for Inbox rules:
```powershell
Get-MailboxRules
```
This results in an overview like this:

And the file from the Output\Rules folder looks like this:

It’s a simple rule to mark things as read in my DMARC mailbox 🙂
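Reading every rule by hand does not scale, so here is an added example (not the module's Get-MailboxRules and not code from the post) that uses the standard Exchange Online cmdlets, after Connect-M365 or Connect-ExchangeOnline, to flag only the rules that forward, redirect, delete or hide mail; a rule that just marks messages as read, like the DMARC one above, is not reported. The folder names in the pattern are constructed and can be adjusted.

```powershell
# Added example, not from the module or the post: flag inbox rules that send
# mail elsewhere, delete it, or tuck it away in a folder the owner rarely opens.
# Requires an Exchange Online session (Connect-M365 / Connect-ExchangeOnline).
$hideFolders = 'RSS|Junk|Archive|Deleted Items|Conversation History|Notes'   # constructed list

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties UserPrincipalName) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match $hideFolders) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        # Attackers often give rules empty, single-character or punctuation-only names
        if (-not $rule.Name -or $rule.Name.Trim().Length -le 2 -or $rule.Name -match '^\W+$') {
            $reasons += 'suspicious rule name'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object -Property Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path '.\suspicious-inbox-rules.csv' -NoTypeInformation
```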
Azure and Entra ID Examples
Entra ID Sign-in Logs
To see who logged in to your tenant and when, you can use the following to show everything from yesterday (August 7th) until now, for example:
```powershell
Get-GraphEntraSignInLogs -startDate 07-08-2025
```
This will look like:

The output folder will have three subfolders depending on the types of logins found:

The folder will contain multiple JSON files, which look like this: (Redacted for privacy reasons again):
```json
{
  "id": "2mksihg-fedcba123456-789-987-654-321",
  "createdDateTime": "2025-08-08T14:47:57Z",
  "userDisplayName": "Harm Veenstra",
  "userPrincipalName": "harm.veenstra@powershellisfun.com",
  "userId": "mksihg-fedcba123456-789-987-654-321",
  "appId": "mksihg-fedcba123456-789-987-654-321",
  "appDisplayName": "Microsoft Office",
  "ipAddress": "86.95.170.21",
  "ipAddressFromResourceProvider": null,
  "clientAppUsed": "",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.26120",
  "correlationId": "mksihg-fedcba123456-789-987-654-321",
  "conditionalAccessStatus": "notApplied",
  "originalRequestId": "",
  "isInteractive": false,
  "tokenIssuerName": "",
  "tokenIssuerType": "AzureAD",
  "clientCredentialType": "none",
  "processingTimeInMilliseconds": 231,
  "riskDetail": "hidden",
  "riskLevelAggregated": "hidden",
  "riskLevelDuringSignIn": "hidden",
  "riskState": "none",
  "riskEventTypes_v2": [],
  "resourceDisplayName": "Office 365 SharePoint Online",
  "resourceId": "00000003-0000-0ff1-ce00-000000000000",
  "resourceTenantId": "mksihg-fedcba123456-789-987-654-321",
  "homeTenantId": "mksihg-fedcba123456-789-987-654-321",
  "homeTenantName": "",
  "authenticationMethodsUsed": [],
  "authenticationRequirement": "multiFactorAuthentication",
  "signInIdentifier": "",
  "signInIdentifierType": null,
  "servicePrincipalName": null,
  "signInEventTypes": [
    "nonInteractiveUser"
  ],
  "servicePrincipalId": "00000000-0000-0000-0000-000000000000",
  "federatedCredentialId": null,
  "userType": null,
  "flaggedForReview": false,
  "isTenantRestricted": false,
  "autonomousSystemNumber": 1136,
  "crossTenantAccessType": "passthrough",
  "servicePrincipalCredentialKeyId": null,
  "servicePrincipalCredentialThumbprint": "",
  "uniqueTokenIdentifier": "mksihg-fedcba123456-789-987-654-321",
  "incomingTokenType": "none",
  "authenticationProtocol": "none",
  "resourceServicePrincipalId": "mksihg-fedcba123456-789-987-654-321",
  "signInTokenProtectionStatus": "none",
  "originalTransferMethod": "none",
  "isThroughGlobalSecureAccess": false,
  "globalSecureAccessIpAddress": "",
  "conditionalAccessAudiences": [],
  "sessionId": "mksihg-fedcba123456-789-987-654-321",
  "appOwnerTenantId": "mksihg-fedcba123456-789-987-654-321",
  "resourceOwnerTenantId": "mksihg-fedcba123456-789-987-654-321",
  "mfaDetail": null,
  "authenticationAppDeviceDetails": null,
  "agent": {
    "agentType": "notAgentic",
    "parentAppId": ""
  }
}
```
More information can be found here: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/Azure/AzureSignInLogsGraph.html.
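The JSON files are handy for a quick baseline of where each account normally signs in from, and for picking out the interactive sign-ins that skipped MFA, were blocked by Conditional Access, or carried a risk level. The script below is an added example (not from the post or the module); it uses the field names shown in the sample record above and assumes the files sit somewhere under `.\Output`.

```powershell
# Added example, not part of the Microsoft-Extractor-Suite module: summarise the
# sign-in JSON that Get-GraphEntraSignInLogs wrote under .\Output (path is an
# assumption) and flag interactive sign-ins worth a second look.
param([string]$OutputRoot = '.\Output')

# Each file may hold one record or an array; ConvertFrom-Json unrolls both
$signIns = Get-ChildItem -Path $OutputRoot -Filter '*.json' -Recurse |
    ForEach-Object { Get-Content -Path $_.FullName -Raw | ConvertFrom-Json }

# Baseline: which user came from which address and network (ASN), and how often
$signIns |
    Group-Object -Property userPrincipalName, ipAddress, autonomousSystemNumber |
    Sort-Object -Property Count -Descending |
    Select-Object Count, @{ n = 'User / IP / ASN'; e = { $_.Name } } |
    Format-Table -AutoSize

# Interactive sign-ins that did not require MFA, failed Conditional Access,
# or were risk-scored by Identity Protection ('hidden' means no P2 licence)
$flagged = $signIns | Where-Object {
    $_.isInteractive -and (
        $_.authenticationRequirement -ne 'multiFactorAuthentication' -or
        $_.conditionalAccessStatus -eq 'failure' -or
        $_.riskLevelDuringSignIn -notin @('none', 'hidden') -or
        $_.riskState -ne 'none'
    )
}

$flagged |
    Select-Object createdDateTime, userPrincipalName, ipAddress, autonomousSystemNumber,
                  appDisplayName, authenticationRequirement, conditionalAccessStatus,
                  riskLevelDuringSignIn, riskState |
    Sort-Object -Property createdDateTime |
    Format-Table -AutoSize
```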
Retrieve Conditional Access Policies
You can use the Get-ConditionalAccessPolicies cmdlet to retrieve all the Conditional Access Policies in your tenant, for example:

Which will look like this in the CSV file: (Redacted it a bit again)

More information about that here: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/Azure/ConditionalAccessPolicies.html
Retrieving MFA status
To report on all the MFA registrations in your tenant, you can use the Get-MFA cmdlet. For example:

This results in two CSV files which look like this:


Wrapping up
And that was just a small part of all the great things you can do with the Microsoft-Extractor-Suite module. You should check it out! Have a lovely weekend!