m365Corner
M365 Blogs

Track Microsoft 365 User Search Activity Using Graph PowerShell

Understanding what users search across Microsoft 365 (SharePoint, OneDrive, Teams) can unlock powerful insights—from improving content discovery to preparing your environment for Copilot.

However, Microsoft 365 does not provide an easy built-in report for search queries—and more importantly, this capability is not available in all licenses.

In this guide, you’ll learn how to track and export Microsoft 365 search activity using Microsoft Graph PowerShell, along with licensing requirements, working scripts, use cases, and troubleshooting.


What You’ll Achieve

By the end of this article, you’ll be able to:

  • Retrieve Microsoft 365 search queries using Graph API
  • Track search behavior across SharePoint & OneDrive
  • Export search results to CSV
  • Understand licensing limitations before implementation

Prerequisites

Microsoft Graph PowerShell Module

Install-Module Microsoft.Graph -Scope CurrentUser

Required Permissions

You’ll need (Admin Consent required):

  • AuditLog.Read.All
  • Reports.Read.All
  • Sites.Read.All

Microsoft 365 Licensing Requirement (CRITICAL)

Before proceeding, it’s important to understand that search query tracking depends on Microsoft 365 licensing.


Availability of SearchQueryPerformed Event

The SearchQueryPerformed audit event is only available in advanced auditing scenarios, typically under:

✅ Supported Licenses

  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance / eDiscovery & Audit Add-on
  • Microsoft Purview Audit (Premium)

❌ Not Available In

  • Microsoft 365 E3 (Audit Standard)
  • Microsoft 365 Business Premium / Standard
  • Any tenant using Audit (Standard)

Why This Limitation Exists

Microsoft splits audit logging into two tiers:

Audit Type Included In Capability
Audit (Standard) E3 / Business Basic activity logs
Audit (Premium) E5 Advanced telemetry (including search queries)

The SearchQueryPerformed event is part of Audit Premium, which includes:

  • Deeper activity insights
  • Extended retention
  • Advanced user telemetry

How to Verify If Your Tenant Supports It

Run:

Get-MgAuditLogDirectoryAudit -Top 10 | Select-Object ActivityDisplayName

If you do not see:

SearchQueryPerformed

👉 Your tenant likely does not have Audit Premium enabled


Important Notes

Even with E5:

  • Search query logs may not appear immediately
  • Some workloads may not log consistently
  • Query text (QueryText) may not always be populated

Alternative for Non-E5 Tenants

If you're on E3 or Business plans, you can still:

  • Track file access activity
  • Monitor user actions
  • Identify frequently accessed content

👉 But direct search query tracking is not available


Connect to Microsoft Graph

Connect-MgGraph -Scopes "AuditLog.Read.All","Reports.Read.All","Sites.Read.All"

Script: Track Microsoft 365 Search Activity

⚠️ Important: The following script works only if your tenant supports the SearchQueryPerformed event (see licensing section above).


Retrieve Search Activity from Audit Logs


# Define date range
$StartDate = (Get-Date).AddDays(-7)
$EndDate   = Get-Date

# Fetch audit logs related to search
$SearchLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'SearchQueryPerformed'" -All

# Filter by date range
$FilteredLogs = $SearchLogs | Where-Object {
    $_.ActivityDateTime -ge $StartDate -and $_.ActivityDateTime -le $EndDate
}

# Extract useful properties
$Results = $FilteredLogs | Select-Object `
    ActivityDateTime,
    ActivityDisplayName,
    @{Name="User";Expression={$_.InitiatedBy.User.UserPrincipalName}},
    @{Name="SearchQuery";Expression={$_.AdditionalDetails | Where-Object {$_.Key -eq "QueryText"} | Select-Object -ExpandProperty Value}},
    @{Name="Workload";Expression={$_.LoggedByService}}

# Export to CSV
$Results | Export-Csv "M365_SearchActivity_Report.csv" -NoTypeInformation

Write-Host "✅ Search activity report generated successfully!"

Sample Output

ActivityDateTime User SearchQuery Workload
2026-04-20 user@domain.com HR Policy SharePoint
2026-04-21 admin@domain.com Project Plan OneDrive

Real-World Use Cases

  1. Identify What Users Are Searching For
    • Discover popular queries
    • Improve SharePoint structure
    • Optimize document naming
  2. Detect Sensitive Searches

    3. Example keywords:

    • salary
    • confidential
    • termination

    👉 Useful for security monitoring and compliance

  3. Find Content Gaps

    4. Users searching for:

    • “VPN Guide”
    • “Expense Policy”

    👉 Helps identify missing documentation

  4. Prepare for Microsoft Copilot

    5. Search behavior indicates:

    • Content discoverability
    • Knowledge readiness

    👉 Critical for Copilot adoption


Enhancements

  • Automate via Task Scheduler

    • powershell.exe -File "SearchReport.ps1"

  • Build Power BI Dashboard
    • Import CSV
    • Track trends
    • Visualize top queries
  • Alert on Sensitive Keywords 
    • 
$SensitiveKeywords = "salary","confidential","resignation"

$Alerts = $Results | Where-Object {
    $SensitiveKeywords -contains $_.SearchQuery
}

if ($Alerts) {
    Write-Host "⚠️ Sensitive searches detected!"
}

Cmdlet Tips

  • Get-MgAuditLogDirectoryAudit is key for activity tracking
  • Use -All cautiously in large tenants
  • Always validate licensing before troubleshooting
  • Audit log retention depends on license
Error Cause Solution
Insufficient privileges

Missing permissions

 Connect-MgGraph -Scopes "AuditLog.Read.All"
No results returned
  • No Audit Premium license
  • No search activity
  • Incorrect filter
  • Verify licensing (see above section)
  • Expand date range
  • Run without filter to test
SearchQueryPerformed not found Tenant does not support Audit Premium Upgrade to:
  • Microsoft 365 E5
  • Or enable Purview Audit (Premium)
QueryText missing Telemetry limitation $FilteredLogs | Format-List *
Inspect full payload
Throttling Too many requests Start-Sleep -Seconds 2

Use Cases Summary

Scenario Benefit
Search analytics Improve discoverability
Security monitoring Detect sensitive searches✅
Admin insights Understand behavior
Copilot readiness Optimize knowledge base

Conclusion

Tracking Microsoft 365 search activity provides deep visibility into user behavior, but it comes with an important caveat—it requires Audit Premium (E5-level licensing).

Using Microsoft Graph PowerShell, you can:

  • Extract search activity
  • Analyze user intent
  • Improve your organization’s content strategy

👉 This guide gives you a real-world, script-driven approach to get started.

Did You Know? Managing Microsoft 365 applications is even easier with automation. Try our Graph PowerShell scripts to automate tasks like generating reports, cleaning up inactive Teams, or assigning licenses efficiently.

Ready to get the most out of Microsoft 365 tools? Explore our free Microsoft 365 administration tools to simplify your administrative tasks and boost productivity.

© Your Site Name. All Rights Reserved. Design by HTML Codex