Microsoft 365 is a cloud-based service that bundles the familiar Office 365 services and apps such as Microsoft Teams, Exchange Online, Azure AD, SharePoint Online and OneDrive for Business with extras such as advanced device management and intelligent security and compliance. For businesses, Microsoft 365 offers a great deal more than word processing and spreadsheet editing; it has grown into a large suite of tools that let organizations work more productively. For an IT professional, managing that suite of apps and services is a time-consuming responsibility, and some admins oversee multiple tenants and thousands of users. For security and compliance in Office 365, logging and alerting are the bread and butter of administration, yet many admins forget all about the Office 365 audit log when they migrate to Microsoft 365.
One of the first things to do after creating a new Office 365 tenant is to configure and turn on the Office 365 audit log. Some businesses must preserve event log data to meet legal or regulatory requirements, and the log is equally valuable for security investigations, HR cases and eDiscovery. With audit logging turned on you can investigate and reconstruct a wide range of activity in your tenant, including but not limited to the following scenarios:
- Record all login attempts by users, including the source IP address and geolocation
- To see who is accessing what files in SharePoint, from what IP address and when.
- If you suspect an account has been compromised, find the IP addresses of the computers used to access it
- Find and list any email forwarding for a mailbox
- Record all instances where a user has deleted documents or email items
- Determine if a user has created an inbox rule
- Record all admin actions and changes made in the admin centre
How to Set up Office 365 Audit Logging
Office 365 audit logging has historically not been enabled by default, and a tenant that was set up some time ago may still have it off, so check the current state rather than assuming. Follow these simple steps to enable native log auditing:
- Head to the Office 365 Security & Compliance Center.
- Go to “Search” and then “Audit log search.”
- Click “Turn on auditing.”
Alternatively, you can enable it from an Exchange Online PowerShell session (connect with Connect-ExchangeOnline first) using this command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Audit logging for Power BI and other auxiliary applications is also not enabled by default; you’ll have to enable it in the separate admin portals to get those audit records.
Check your licensing to see how long your log data is retained. For instance, the cap is currently 90 days for an Office 365 E3 license and one year for an Office 365 E5 license.
How to Run an Audit Log Search
Before you can run an audit log search, an admin must assign your account either the "View-Only Audit Logs" or the "Audit Logs" role. These are Exchange Online management roles, so they are granted through an Exchange Online role group rather than an Azure AD directory role.
You may have to wait several hours after enabling log auditing before an audit log search returns anything.
Note that the unified audit log consolidates events from multiple Office 365 services into a single searchable log, and an event can take anywhere from 30 minutes to 24 hours after it occurs to appear in search results.
To run an audit log search, take the following steps:
1. Log In.
Sign in at https://protection.office.com.
Tip: To prevent the account you are already signed in with from being used automatically, open a private browsing session:
- In Internet Explorer or Edge, press CTRL+SHIFT+P.
- For most other browsers, press CTRL+SHIFT+N.
2. Start a New Search.
In the Security & Compliance Center, click “Search” on the left pane. Then select “Audit log search.”
3. Configure Your Search Criteria.
The main criteria to specify are:
- Activities — See Microsoft’s list of audited activities. There are over 100, so Microsoft has grouped them into related activities. If you don’t narrow this down, your audit report will include all activities performed during the time frame specified.
- Dates — The default time frame is the last seven days, but you can configure your search for any period within your retention window (90 days for E3).
- Users — Specify which user or group of users you want to include in your report.
- Location — If you want to limit the search to a particular file, folder or site, enter a location or keyword.
Other search criteria include:
- Activities related to a website — Add an asterisk after the URL to return all entries for that site. For example, “https://contoso-my.sharepoint.com/personal/*”.
- Activities related to a given file — Add an asterisk before the file name to return all entries for that file. For example, “*Customer_Profitability_Sample.csv”.
4. Filter the Search Results.
The search criteria options are helpful for an overview, but filtering the search results will help you comb through the data more effectively. You can enter keywords, specific dates, users, items or other details.
In addition, note that the search is capped at the 5,000 most recent events. If your search returns exactly 5,000 items, you have almost certainly hit the cap, not the end of the data. Refine your search further so that you see all relevant events within your date and time range without missing crucial information.
Alternatively, you can export the raw data that matches your search criteria to CSV. This lets you download up to 50,000 events instead of 5,000. To retrieve more than 50,000 events, work in batches of smaller date ranges and combine the results.
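The same 5,000-per-call and 50,000-per-session limits apply when you pull the log with the Search-UnifiedAuditLog cmdlet, and the batching advice above is easy to automate there. The following script is an added example, not code from the original article: it connects to Exchange Online, confirms that unified audit log ingestion is actually on before searching (turning it on only if it is off), then walks a date range in fixed windows, paging each window with a fresh SessionId until the service returns no more results, and writes everything to one CSV. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the "Audit Logs" or "View-Only Audit Logs" role; the 30-day range, 24-hour window size, list of operations and output path are hypothetical values to adjust.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and an account with the Audit Logs / View-Only Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Check before assuming: only call Set- when ingestion is actually off.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit log ingestion was off; new events can take up to 24 hours to appear."
}

function Get-AuditEventsInWindows {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [int]      $WindowHours = 24,      # hypothetical window size; shrink it for busy tenants
        [string[]] $Operations             # e.g. New-InboxRule, Set-InboxRule, Set-Mailbox
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $cursor  = $Start
    while ($cursor -lt $End) {
        $windowEnd = $cursor.AddHours($WindowHours)
        if ($windowEnd -gt $End) { $windowEnd = $End }

        # A new session ID per window: ReturnLargeSet pages up to 50,000 events per session,
        # 5,000 per call, and returns nothing once the session is exhausted.
        $sessionId = [guid]::NewGuid().ToString()
        $fetched   = 0
        do {
            $page = Search-UnifiedAuditLog -StartDate $cursor -EndDate $windowEnd `
                -Operations $Operations -ResultSize 5000 `
                -SessionId $sessionId -SessionCommand ReturnLargeSet
            if ($page) {
                $results.AddRange(@($page))
                $fetched += @($page).Count
            }
        } while ($page)

        if ($fetched -ge 50000) {
            Write-Warning "Window $cursor - $windowEnd hit the 50,000 session cap; re-run it with a smaller -WindowHours."
        }
        $cursor = $windowEnd
    }
    return $results
}

$events = Get-AuditEventsInWindows -Start (Get-Date).AddDays(-30) -End (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox

# Each result carries CreationDate, UserIds, Operations and the raw AuditData JSON.
$events | Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\audit-export.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

The warning on the 50,000 mark matters: the service does not error when a session is capped, it simply stops returning rows, so without the check a capped window silently loses events.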
5. Save your Results.
To save your results, click “Export results” and choose “Save loaded results” to generate a CSV file with your data. You can use Microsoft Excel to access the file or share the results as a report.
You will see a column called "AuditData", which holds a JSON object with the detailed properties of each audit record (the operation, the user, the client IP address and, for Exchange admin events, the parameters that were passed). To enable sorting and filtering on those properties, use the JSON transform in Excel's Power Query Editor to split the "AuditData" column so that each property gets its own column.
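Splitting AuditData is also the step that turns the export from a list of events into something you can hunt in. The script below is an added example, not part of the original article or of any Microsoft tool: it flattens each row's AuditData JSON into one object per event in PowerShell (the same idea as the Power Query split, with each Exchange "Parameters" Name/Value pair becoming a Param_<Name> column), then flags rules and mailbox changes that forward or delete mail, which is the classic sign of a compromised mailbox being used for data theft. The three rows are constructed sample records, not real tenant data; the parameter names it looks for (ForwardTo, RedirectTo, ForwardingSmtpAddress and so on) are the real Exchange parameter names, but the list is an assumption about what counts as risky in your environment and should be extended to taste.

```powershell
# Added example (not from the original article). Runs offline on constructed rows shaped
# like the AuditData column of an audit log CSV export.
$riskyParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
               'ForwardingSmtpAddress', 'ForwardingAddress', 'DeleteMessage'   # assumed risky set

function Expand-AuditData {
    # Flatten one export row: every top-level JSON property becomes a property of the
    # output object, and each entry of the Exchange "Parameters" array becomes Param_<Name>.
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        $data = $Row.AuditData | ConvertFrom-Json
        $flat = [ordered]@{}
        foreach ($prop in $data.PSObject.Properties) {
            if ($prop.Name -ne 'Parameters') { $flat[$prop.Name] = $prop.Value }
        }
        foreach ($param in @($data.Parameters)) {
            if ($param) { $flat["Param_$($param.Name)"] = $param.Value }
        }
        [pscustomobject]$flat
    }
}

function Find-ForwardingChanges {
    # Emit a finding for any flattened event whose parameters include a risky name.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $hits = $Event.PSObject.Properties | Where-Object {
            $_.Name -like 'Param_*' -and ($_.Name.Substring(6) -in $riskyParams) -and $_.Value
        }
        if ($hits) {
            [pscustomobject]@{
                Time      = $Event.CreationTime
                User      = $Event.UserId
                ClientIP  = $Event.ClientIP
                Operation = $Event.Operation
                Reason    = ($hits | ForEach-Object { "$($_.Name.Substring(6))=$($_.Value)" }) -join '; '
            }
        }
    }
}

# Constructed sample rows (not real tenant data). Row 1 is a benign filing rule; row 2 is a
# rule that forwards and then deletes mail; row 3 is an admin-level forwarding change.
$rows = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-05-01T08:12:03","Operation":"New-InboxRule","UserId":"alice@contoso.com","ClientIP":"203.0.113.10","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"File newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-05-01T23:41:57","Operation":"New-InboxRule","UserId":"alice@contoso.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@example.net"},{"Name":"DeleteMessage","Value":"True"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2023-05-02T02:03:11","Operation":"Set-Mailbox","UserId":"admin@contoso.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@example.net"}]}' }
)

# Against a real export, replace $rows with: Import-Csv .\AuditLogSearchResults.csv
$rows | Expand-AuditData | Find-ForwardingChanges | Format-Table -AutoSize
```

The two flagged rows share a client IP, which is exactly the pivot the scenario list above describes: once a forwarding rule surfaces, search UserLoggedIn events for that IP to see which other accounts it touched. Objects returned by Search-UnifiedAuditLog carry the same AuditData property, so the two functions work on live results as well as on a CSV export.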