functions/User/Get-HawkUserAdminAudit.ps1

Function Get-HawkUserAdminAudit {
<#
.SYNOPSIS
    Searches the EXO Audit logs for any commands that were run against the provided user object.
.DESCRIPTION
    Searches the EXO Audit logs for any commands that were run against the provided user object.
    Limited by the provided search period.
.PARAMETER UserPrincipalName
    UserPrincipalName of the user you're investigating
.OUTPUTS
 
    File: Simple_User_Changes.csv
    Path: \<user>
    Description: All cmdlets that were run against the user in a simple format.
.EXAMPLE
    Get-HawkUserAdminAudit -UserPrincipalName user@company.com
 
    Gets all changes made to user@company.com and ouputs them to the csv and xml files.
#>


    param
    (
        [Parameter(Mandatory = $true)]
        [array]$UserPrincipalName
    )

    Test-EXOConnection
    Send-AIEvent -Event "CmdRun"

    # Verify our UPN input
    [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName

    Foreach ($Object in $UserArray) {
        [string]$User = $Object.UserPrincipalName

        # Get the mailbox name since that is what we store in the admin audit log
        $MailboxName = (Get-Mailbox -identity $User).name

        Out-LogFile ("Searching for changes made to: " + $MailboxName) -action

        # Get all changes to this user from the admin audit logs
        [array]$UserChanges = Search-AdminAuditLog -ObjectIDs $MailboxName -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate


        # If there are any results push them to an output file
        if ($UserChanges.Count -gt 0) {
            Out-LogFile ("Found " + $UserChanges.Count + " changes made to this user")
            $UserChanges | Get-SimpleAdminAuditLog | Out-MultipleFileType -FilePrefix "Simple_User_Changes" -csv -json -user $User
            $UserChanges | Out-MultipleFileType -FilePrefix "User_Changes" -csv -json -user $User
        }
        # Otherwise report no results found
        else {
            Out-LogFile "No User Changes found."
        }

    }
}